Kim Zetter - Countdown to Zero Day: Stuxnet and the Launch of the Worlds First Digital Weapon

Copyright 2014 by Kim Zetter

All rights reserved.

Published in the United States by Crown Publishers, an imprint of the Crown Publishing Group, a division of Random House LLC, a Penguin Random House Company, New York.

www.crownpublishing.com

CROWN and the Crown colophon are registered trademarks of Random House LLC.

Portions of this work were originally published in different form in How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History copyright Wired.com. Used with permission. First published July 2011.

Cataloging-in-Publication data is on file with the Library of Congress.

ISBN 978-0-7704-3617-9

eBook ISBN 978-0-7704-3618-6

P RINTED IN THE U NITED S TATES OF A MERICA

Jacket design by Oliver Munday

Jacket photograph: DigitalGlobe/Getty Images

v3.1

For SC and for my parentswith love and great gratitude, though gratitude is insufficient for all that youve done.

It was January 2010 when officials with the International Atomic Energy Agency (IAEA), the United Nations body charged with monitoring Irans nuclear program, first began to notice something unusual happening at the uranium enrichment plant outside Natanz in central Iran.

Inside the facilitys large centrifuge hall, buried like a bunker more than fifty feet beneath the desert surface, thousands of gleaming aluminum centrifuges were spinning at supersonic speed, enriching uranium hexafluoride gas as they had been for nearly two years. But over the last weeks, workers at the plant had been removing batches of centrifuges and replacing them with new ones. And they were doing so at a startling rate.

At Natanz each centrifuge, known as an IR-1, has a life expectancy of about ten years. But the devices are fragile and prone to break easily. Even under normal conditions, Iran has to replace up to 10 percent of the centrifuges each year due to material defects, maintenance issues, and worker accidents.

In November 2009, Iran had about 8,700 centrifuges installed at Natanz, so it would have been perfectly normal to see technicians decommission about 800 of them over the course of the year as the devices failed for one reason or another. But as IAEA officials added up the centrifuges removed over several weeks in December 2009 and early January, they realized that Iran was plowing through them at an unusual rate.

Inspectors with the IAEAs Department of Safeguards visited Natanz an average of twice a monthsometimes by appointment, sometimes unannouncedto track Irans enrichment activity and progress. Anytime workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up in a control area just inside the door of the centrifuge rooms until IAEA inspectors arrived at their next visit to examine them. The inspectors would run a handheld gamma spectrometer around each centrifuge to ensure that no nuclear material was being smuggled out in them, then approve the centrifuges for removal, making note in reports sent back to IAEA headquarters in Vienna of the number that were decommissioned each time.

IAEA digital surveillance cameras, installed outside the door of each centrifuge room to monitor Irans enrichment activity, captured the technicians scurrying about in their white lab coats, blue plastic booties on their feet, as they trotted out the shiny cylinders one by one, each about six feet long and about half a foot in diameter. The workers, by agreement with the IAEA, had to cradle the delicate devices in their arms, wrapped in plastic sleeves or in open boxes, so the cameras could register each item as it was removed from the room.

The surveillance cameras, which werent allowed inside the centrifuge rooms, stored the images for later perusal. Each time inspectors visited Natanz, they examined the recorded images to ensure that Iran hadnt removed additional centrifuges or done anything else prohibited during their absence.

Officially, the IAEA wont say how many centrifuges Iran replaced during this period. But news reports quoting European diplomats put the number at 900 to 1,000. A former top IAEA official, however, thinks the actual number was much higher. My educated guess is that 2,000 were damaged, says Olli Heinonen, who was deputy director of the Safeguards Division until he resigned in October 2010.

Whatever the number, it was clear that something was wrong with the devices. Unfortunately, Iran wasnt required to tell inspectors why they had replaced them, and, officially, the IAEA inspectors had no right to ask. The agencys mandate was to monitor what happened to uranium at the enrichment plant, not keep track of failed equipment.

What the inspectors didnt know was that the answer to their question was right beneath their noses, buried in the bits and memory of the computers in Natanzs industrial control room. Months earlier, in June 2009, someone had quietly unleashed a destructive digital warhead on computers in Iran, where it had silently slithered its way into critical systems at Natanz, all with a single goal in mindto sabotage Irans uranium enrichment program and prevent President Mahmoud Ahmadinejad from building a nuclear bomb.

The answer was there at Natanz, but it would be nearly a year before the inspectors would obtain it, and even then it would come only after more than a dozen computer security experts around the world spent months deconstructing what would ultimately become known as one of the most sophisticated viruses ever discovereda piece of software so unique it would make history as the worlds first digital weapon and the first shot across the bow announcing the age of digital warfare.

The number of inspection visits to Natanz has increased since this period. Beginning in 2010, inspections increased to once a week, and after a new agreement with Iran in late 2013, inspectors are now on-site at Natanz every day.

IAEA inspectors are not allowed to remove the recorded images from Natanz and can only view them on-site, where they are stored.

Inspectors visiting Natanz and other nuclear facilities around the world rotate on a regular basis, so the same IAEA inspectors dont visit every time. This is why the large number of decommissioned centrifuges didnt get noticed until after several reports of changing numbers arrived in Vienna and got viewed in the aggregate by analysts and officials there.

Sergey Ulasen is not the sort of person youd expect to find at the center of an international incident. The thirty-one-year-old Belarusian has close-cropped blond hair, a lean boyish frame, and the open face and affable demeanor of someone who goes through life attracting few enemies and even fewer controversies. One of his favorite pastimes is spending the weekend at his grandmothers country house outside Minsk, where he decompresses from weekday stresses, far from the reach of cell phones and the internet. But in June 2010, Ulasen encountered something unusual that soon propelled him into the international spotlight and into a world of new stress.

It was a warm Thursday afternoon, and Ulasen, who headed the antivirus division of a small computer security firm in Belarus called Virus-BlokAda, was seated with his colleague Oleg Kupreev in their lab in downtown Minsk inside a drab, Soviet-era building about a block from the Svisloch River. They were sifting methodically through suspicious computer files they had recently found on a machine in Iran when something striking leapt out at Kupreev. He sat back in his chair and called Ulasen over to take a look. Ulasen scrolled through the code once, then again, to make sure he was seeing what he thought he saw. A tiny gasp escaped his throat. The code they had been inspecting the past few days, something they had until now considered a mildly interesting but nonetheless run-of-the-mill virus, had just revealed itself to be a work of quiet and diabolical genius.