Cybersecurity

Stuxnet Used an Old Movie Trick to Fool Iran's Nuclear Program

An Iranian technician works at the Uranium Conversion Facility just outside the city of Isfahan, Iran.

An Iranian technician works at the Uranium Conversion Facility just outside the city of Isfahan, Iran. // Vahid Salemi/AP File Photo

In a fascinating new read, Foreign Policy's Ralph Langer explored the deep history of Stuxnet, the super computer virus jointly authored, allegedly, by American and Israeli intelligence services to attack Iranian nuclear facilities. In doing so , he learned the real story involves not one, but two viruses, including an early, previously unreported version of the virus that relied on the cyber-attack equivalent of the camera trick from the movie Speed.

Langer's impressive three-year investigation into the virus's effects on the Iranian nuclear program shows how it effectively tore the system limb-from limb. It reportedly destroyed 1,000 out of 5,000 nuclear centrifuges and, by Langer's estimates, set the program back by two full years. Langer also discovered that a much more complicated and lesser-known gambit than the one we're most familiar with, was already being carried out years earlier. 

Stuxnet was allegedly jointly created by U.S. and Israeli military forces to infiltrate and then damage Iran's nuclear program from the inside. It became public knowledge after it malfunctioned — or worked a little too well — and infected millions of non-Iranian computers worldwide in the summer of 2010. 

But years before the Stuxnet we know and love went to work, an early variant targeted Iran's Natanz nuclear facility. Natanz employs a complicated, cascading system of safeguards to prevent centrifuges used for uranium enrichment from overheating and malfunctioning in order to overcome the country's outdated and dubious nuclear technology. Stuxnet's genius was in its ability to override those safety systems, by infecting computers that weren't connected to the outside world, and without anyone realizing it was being done until it was too late.

What the very early Stuxnet virus was designed to do is "so far-out, it leads one to wonder whether its creators might have been on drugs," Langer says. But in reality, they may have got the idea from a brilliant 1994 action flick starring Reeves and Sandra Bullock. 

A controller infected with the first Stuxnet variant actually becomes decoupled from physical reality. Legitimate control logic only "sees" what Stuxnet wants it to see. Before the attack sequence executes (which is approximately once per month), the malicious code is kind enough to show operators in the control room the physical reality of the plant floor. But that changes during attack execution.

One of the first things this Stuxnet variant does is take steps to hide its tracks, using a trick straight out of Hollywood. Stuxnet records the cascade protection system's sensor values for a period of 21 seconds. Then it replays those 21 seconds in a constant loop during the execution of the attack. In the control room, all appears to be normal, both to human operators and any software-implemented alarm routines.

In you're too young (or old) to remember Speed, a terrorist installs a bomb on a Los Angeles bus and holds the passengers, including a cop played by Reeves, hostage by watching them through a closed circuit camera. The cops win by intercepting the video feed, and replacing it with looped footage of bus; making it appear to the villain that everything was normal, while the hostages escaped unnoticed. There was a big explosion at the end, too. 

Anyway, once the Iranian system was blinded to the threat, American hackers remotely messed with the safety systems, routinely destroying Iranian centrifuges through coordinated attacks that would do significant damage without revealing the virus's existence. The version of Stuxnet that came later was much more abrasive, and did more damage in a shorter time. Staying hidden was no longer a goal, Langer posits, because once the damage was done, the creators wanted the world to know what they were capable of in the realm of cyberwarfare. It was time to reveal the secret.

Threatwatch Alert

Network intrusion / Software vulnerability

Walled-off corporate network hacked using Heartbleed

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
// April 19