In 2010, a computer virus was discovered in thousands of the control systems that operate factories, power plants and nuclear reactors around the world. This virus was 20 times more sophisticated than any malware ever recorded. It could halt oil pipelines, destroy water treatment plants and bring down entire power grids. This virus was called Stuxnet, and we should all be concerned. Let's find out why.
In January 2010, inspectors from the International Atomic Energy Agency were visiting the Natanz uranium enrichment plant in Iran. They noticed that the centrifuges, which are used to enrich uranium gas, were tearing themselves apart, one after another.
Hundreds of them. Nobody could figure out why. Not the inspectors, not the Iranian technicians who worked on site, not even the engineers who built the system. Meanwhile, a computer security firm in Belarus got a strange request from a client in Iran. Their machines were rebooting over and over again. Even completely wiping the hard drives and reinstalling the operating systems didn't help. Again, the problem was a mystery.
But when the technicians pulled apart the operating systems, they found a new and very unusual virus. They called it Stuxnet. Stuxnet was infecting computers all over the world and spreading fast. Now, these events seemed unrelated at the time.
But they were very much connected. Cybersecurity experts knew Stuxnet wasn't ordinary malware thrown together by some basement hacker. The first clue was the size of the code base. Most viruses are 10, maybe 20 kilobytes. Stuxnet was 500 kilobytes, and uncompressed, it was 1.2 megabytes. That's a pretty large piece of code to go undetected.
Then analysts transferred Stuxnet to a new computer just to see what would happen. Now, the test computer was not your grandma's old Compaq laptop from 1997. The machine was a state-of-the-art, highly protected workstation designed for cybersecurity threat detection. All the bells and whistles. But as soon as the Stuxnet files were copied over, the new computer was immediately infected without anybody doing anything and without triggering a single alert.
And that's very unusual. When you install software in your computer, it needs to be digitally signed with a trusted certificate. And the developer supplies a certificate that your computer checks against trusted manufacturers, Apple, Logitech, whatever. A lot of viruses tamper with the signature of the certificate to try to trick your operating system into allowing it to install. And luckily, virus protection usually catches this. And you've probably seen that warning when you're trying to install software that's not from a trusted source.
This catches a lot of nasties. But Stuxnet didn't have altered certificates. It had valid certificates stolen from two trusted sources, JMicron and Realtek. Now these companies make all kinds of drivers for hard drives, USB sticks, sound cards, tons of stuff. You probably have their software on your computer right now. I definitely do. And when the creators of the Stuxnet worm signed their files with a stolen cert,
they wanted to make sure that Windows would install it very quietly without any warning. And if anyone bothered to look at the cert, they wouldn't care because it was valid. Stealing a valid digital signature is like trying to rob a bank vault that's locked inside another bank vault. The security around them is sci-fi spy movie level stuff. They had to physically steal the certificate from inside these companies. That really doesn't happen.
But it happened. Some more digging around, the code showed that as soon as Stuxnet infected a computer, it started probing the system, looking for flash drives, USB sticks, and other storage devices. And because of the signing certificates, Windows happily allowed it to do so. What security experts had discovered is one of the rarest and most dangerous kinds of software vulnerabilities. And it was at this time that they went from curious and amazed to fearing for their lives. Look,
I'm not suicidal if I show up dead on Monday. You know, it wasn't me. What security experts had discovered is called a zero-day exploit. And it's called this because when a vulnerability is unknown to the software developer and Microsoft and the antivirus community and the rest of the world, that means there are zero days of protection against it. Nobody knows about a zero-day vulnerability except the attacker exploiting it.
A zero day is so rare and valuable that you can actually sell it on the dark net for hundreds of thousands of dollars. Not a good idea. It's not. Think about this. Cybersecurity companies research over 12 million viruses a year. And in that time, they might find maybe 10 or 12 zero day exploits. It's a once in a million occurrence. But Stuxnet contained four.
Four zero-day exploits. This is unheard of. It never happened before, and it hasn't happened since. Eventually, it was discovered that Stuxnet wasn't trying to steal passwords or data. It was actually targeting the software on Siemens' programmable logic controllers called PLCs. Now, PLCs are small computers used in factories and industry that control pretty much everything. Assembly lines, water pumps, power plants, and nuclear refining.
Critical infrastructure runs on PLCs. If you can hack a PLC, you can take down an entire country without firing a single shot. Now, this had people very nervous because industries all over the world were reporting their PLCs were infected with Stuxnet, but it was just sitting there. Nobody knew what it was going to do or when. Was the power grid just going to turn off? Was water or gas going to stop flowing? Nobody knew. It felt like a ticking time bomb.
Because it was. Even though the virus was spreading all over the world to thousands of computers per day, it was primarily targeting one country: Iran. More specifically, it was targeting the Iranian nuclear facility in Natanz. That doesn't sound like an accident.
It wasn't. A virus this complex and this dangerous requires millions of dollars to create. It takes time, the best programming talent in the world, and absolute secrecy. Experts at first suspected, and then they were positive, that Stuxnet could only have been designed by a country looking to cripple or wage war against another country. This was a state-sponsored attack. To design and deploy a cyber weapon like Stuxnet, you need experts,
immense financial resources, a military intelligence infrastructure, and a motive to wreak havoc on an enemy nation. Do we know what country created it? We do, but they won't admit it. So who made this thing? Ah, you're not gonna like it. Oh, an intelligence agency, probably, who has an interest in, uh...
Setting back the Iranian nuclear program. Yes. Stuxnet was aggressive, but very quiet. If Stuxnet is on your computer and you plug in a USB thumb drive, boom, the USB drive is immediately and quietly infected. You don't have to run a program, open a web page, or click anything. You then plug that USB drive into a different computer on a different network.
Boom. Every machine on that network is infected. And this is exactly what happened in Iran. The nuclear centrifuges at Natanz were air gapped, meaning they weren't connected to any outside network. And this is usually a good way to keep a network secure. The only way to infect a clean air gap network is user error. Yep. User error.
Outside contractors who were brought in to work on the Iranian nuclear facility in Natanz had also brought Stuxnet in through infected USB drives. And once Stuxnet was in, it deliberately targeted the Siemens PLCs, which operated uranium enrichment equipment. So these PLCs control the rate of spin in a nuclear centrifuge. Spin too fast or too slow, the entire thing tears itself apart. So Stuxnet got into the centrifuges and then... Yeah, and then what? And then it did nothing.
It just looked around and kept logs of everything happening in the equipment. But after 13 days, Stuxnet started changing the speed of the centrifuges every 15 minutes, sometimes faster, sometimes slower. Normally, this is something a technician would spot immediately. But Stuxnet was using the data it collected earlier to report back that everything was fine. But everything wasn't fine, was it?
It was not. Because Stuxnet changes the rate of spin every 15 minutes, the equipment weakens and eventually tears itself apart. Stuxnet was also disrupting power feeds, causing centrifuges to explode. And once the equipment started to fail, there was no way to stop it. Even those big red buttons you see on machines that you hit in case of emergency, those were disabled too. Somehow Stuxnet thought of everything.
Not only was this virus created by highly talented programmers, there was obviously input from experts in nuclear enrichment technology, reactor operations, safety protocols. That is a dangerous virus. Over a thousand uranium centrifuges were destroyed by Stuxnet. This set Iran's nuclear enrichment program back months, maybe years. Why? Well... Iran's nuclear ambitions must be stopped. They have to be stopped.
In the early 2000s, Iran was ramping up its nuclear energy and enrichment program. This was in violation of international agreements, so a lot of the work was done in secret.
Also a violation. Now, Iran argued that it had a right to pursue nuclear energy. But U.S. and Israeli intelligence agencies suspected Iran of using its civilian nuclear program as cover for weapons development. So the U.S. imposed sanctions and all sorts of other things to try to pressure Iran to slow down its nuclear program and deal. But even with Stuxnet and other setbacks, Iran kept enriching uranium.
They said that they needed nuclear power to provide energy to the population. Energy? Don't they make oil over there? Look, I'm just telling you what happened. I'm not taking sides. This isn't a political channel. Fine, fine, fine. Go ahead. So every time Iran agreed to suspend its enrichment program, diplomatic talks would break down and they would go back to work. Then they would stop again and start again, and it went on like this for a while. But...
Then the CIA received thousands of pages of documents indicating that Iran was modifying the nose cone of a missile to carry a nuclear warhead. Oh, no. Oh, yes. Then it was discovered that Iran had acquired and hidden from inspectors blueprints for more advanced centrifuge tech. Iran claimed that these documents were forged,
but later admitted that they had secretly imported equipment from a foreign source. Now, by this time, Israel was getting fed up and threatening military action. Now, bombing Iranian nuclear facilities might have been a short-term solution, but almost certainly would have led to war in the region and perhaps globally. Oy vey, not another war. Yep, another war.
So the US's intelligence community, including NSA, CIA and the newly formed US Cyber Command, got to work on what they called Operation Olympic Games. Olympic Games was a campaign of cyber intrusion, disruption and sabotage of Iranian... Wait, wait, wait, wait. The US government created Stuxnet? What, I haven't given you enough clues? Well, I was just so enthralled with the stories. I appreciate that. Now, officially...
No country has acknowledged developing Stuxnet, but through leaks at NSA and CIA, and using common sense, it's generally believed that Stuxnet was developed by the United States with help from Israel, the UK, and their allies. Dumb question. Go ahead. When you destroy something with a bomb or with a virus, isn't it the same thing? Well, funny you should ask that. It's an act of war. Please, let's be frank here. Okay.
Countries are constantly hacking each other and spying on each other looking for information. And most countries have agencies and protocols to protect against this. It's a game of intelligence cat and mouse that's been going on forever. But Stuxnet was the first time a nation-state developed proactive offensive weaponized code that could do actual physical damage to another country. If a nuclear reactor could be destroyed from the inside,
what other real-world damage could Stuxnet or other malicious code do? If you attack a power grid or a water supply, lots of people are going to die. So Iran felt like this was not a simple covert act of espionage, but a blatant act of war committed by the U.S. and its allies. What did they do about it? Well, what would you do? Fight back.
And that's exactly what they did. Iran sent out a virtual call to arms and quickly built one of the largest state-sponsored hacker groups in the world. They got to work. They attacked Saudi Aramco, the largest oil company in the world, and destroyed every computer they had. 30,000 machines' hard drives were wiped clean.
Clean. Phone lines were down, email offline. It was a nightmare. No, no. Then they went for America's financial infrastructure and levied attacks against Wells Fargo, PNC and Bank of America, taking down banking systems all over the world. And there were other attacks. Now, Iran didn't officially take credit for these attacks, but
Then again, they didn't really have to. The message was clear. Come for us, we'll come for you. Now, PLC attacks did happen before Stuxnet. Viruses have destroyed power generators, dumped raw sewage on cities, disrupted railways. There was even an attack in the '90s against Worcester Airport in Massachusetts that grounded flights for a day.
But those attacks were done by single hackers and disgruntled employees. When you have the resources of an entire country deployed for state-sponsored attacks, the world becomes a much more dangerous place. But now that we know about it, we're safe from Stuxnet, right? Oh, no.
For years, cyber attacks on our nation have been met with indecision and inaction. The internet has been a great equalizer. Any information available online is available to everyone, everywhere, forever. Now, you can't buy a tank or a bomb online. Hello, dark net. Okay, the dark net is different, and we have an episode coming up on that, so while you're waiting for it, hit the like and subscribe, all the buttons, but...
Don't try to buy a tank on the dark net. What you can find online are plans and blueprints to make all kinds of scary things. Still, if you try to put together some doomsday device in your garage, you're going to raise some eyebrows. I mean, my wife can't spray paint a flower pot in the driveway without our nosy neighbor coming over. I can only imagine what he'd do if I started welding together pieces for an EMP device. That would make a good DIY video. It
I'd watch that. But Stuxnet isn't a thing. It's lines of code. But it's lines of code that can damage actual property and hurt actual people. And the Stuxnet code is just out there now. If you know what you're doing, you can take the code apart, make a few changes, and now you've got a really sophisticated weapon. You can even do this if you don't know what you're doing, which is probably more dangerous. Now, as we speak...
Thousands of people around the world have this Stuxnet code and they're tinkering with it, seeing what different pieces can be used in their own attacks. There have already been a few viruses inspired by its engineering. The Duqu virus attacked industrial facilities in 2011. Flame in 2012 also attacked facilities in Iran. And Flame could record audio, Skype calls, take screenshots, log keystrokes.
All kinds of stuff. Industroyer attacked power facilities in Ukraine in 2016, and there's tons of others. Stuxnet is the best cyber weapon the United States has ever developed, and it gave it to the world for free. Now, for perspective,
Natanz in Iran was a brand new nuclear facility with an air-gapped network and a team of security professionals working around the clock. And it was taken down easily. But a lot of industrial control systems are not as sophisticated. Some are connected to the internet without default passwords. And many systems crucial to a country's infrastructure are running software that's 30, even 40 years old. Not just in Iran. Here in the US, in the UK, everywhere.
How vulnerable are those systems to attack? Iran has already said that cyber attacks will be answered with cyber attacks. And I think we can assume that every country in the world has this policy. I mean, it's national defense. Well, remember how I said the Internet is a great equalizer? Well, think about this for a second. Throughout world history, global powers maintain their status through wealth and military might.
But today, you don't need a trillion dollar defense budget in order to impose your political will on the world. Now all you need is a dozen smart programmers and lots of Mountain Dew. Now that the world's richest and poorest nations all employ skilled hackers, is cyber warfare like the nuclear arms race? Where mutually assured destruction means that no country would dare attack another? I mean, surely no country would risk retaliation by unleashing further chaos on the world.
Right? Your sarcasm is palpable. The link between the outage in Mumbai in October last year and the suspected role of Chinese hackers. Chinese hackers backed by the Chinese state.
targeted two Indian vaccine makers. Tonight, as researchers race to develop a vaccine for the coronavirus, hackers from China and other countries are working just as furiously to steal that research to create their own. Operation Olympic Games gave us Stuxnet, the most advanced and destructive cyber weapon ever used. When it was unleashed on Iran, it was a Hiroshima moment. And like Hiroshima, Stuxnet was only the beginning.
A test case for more advanced, more devastating cyber weapons. And one of those weapons has already been deployed. That weapon is Nitro Zeus. Yeah, that sounds like the name of a Greek energy drink. You're really throwing ice water on my drama here, pal. I'm sorry. I make jokes when I'm nervous.
Okay, back to Iran. After coming pretty close to war, cooler heads prevailed and Iran, along with several world powers, signed a nuclear peace agreement. That was the ideal outcome, but that outcome wasn't always certain. So in case diplomacy failed and war broke out, the United States had, and
has a cyber contingency plan. The plan, codenamed Nitro Zeus, is a virus far more complex than Stuxnet and was developed by thousands of people at a cost of hundreds of millions of dollars. Nitro Zeus, or NZ, was designed to infect Iranian infrastructure and...
await orders. In case of war, NZ would disable Iran's air defenses, disrupt military command and control, take down parts of the power grid. It would attack domestic communications, transportation, banks, financial systems. Now, I don't have to point out that these aren't just military targets.
Millions of civilians would be harmed if Nitro Zeus or a virus like that was used on anyone. Now, according to former intelligence operatives, Nitro Zeus has already been deployed and is living in Iranian infrastructure right now, just awaiting instructions. Now, that's pretty scary. But what scares me more about Nitro Zeus is what happens when that code gets out.
It's inevitable that more countries will acquire the capacity to use cyber both for espionage and for destructive activities. You'll hear people say that the next world war will be fought in cyberspace. They're wrong about that.
The United States, Iran, China, the UK, Russia, North Korea, they're not preparing for cyber war. They're already fighting it. And I'm being completely honest now, off script, researching this episode was stressful and I'm left with more questions than answers. Like how can citizens who are threatened by cyber attacks have an honest conversation about these dangers when our own governments don't acknowledge they participate?
How can one country ask another to disarm when it won't disarm itself? But the biggest question of all: How can the global community ensure that destructive cyberweapons like Stuxnet and Nitro Zeus don't fall into the wrong hands? Don't create them in the first place. That would be a good start. Until there's a global effort to address this threat, all we can hope for is that our governments can keep us safe and hope our leaders can avoid another international crisis.
That's a lot to hope for. The cyber war is here. And now I find myself longing for the days of the Cold War, when a concrete wall ran through Berlin, when proxy wars were fought on every continent, when global superpowers had thousands of nuclear weapons aimed at each other, just one decision away from Armageddon. I long for those days because back then the world was a much safer place.
Thanks for hanging out with us today. My name is AJ. That's Hecklefish. This has been the Y-Files. If you had fun or learned anything today, do me a favor. Comment, like, subscribe, share, do all that stuff. The algorithm is a she-wolf with sharp claws and teeth, but with your help, we can defeat her. Defeat the she-wolf. Until next time, be safe, be kind, and know that you are appreciated.