Stuxnet: Computer worm opens new era of warfare
(CBS News) The most pernicious computer virus ever known wasn't out to steal your money, identity, or passwords. So what was the intricate Stuxnet virus after? Its target appears to have been the centrifuges in a top secret Iranian nuclear facility. Stuxnet showed, for the first time, that a cyber attack could cause significant physical damage to a facility. Does this mean that future malware, modeled on Stuxnet, could target other critical infrastructure -- such as nuclear power plants or water systems? What kind of risk do we face in this country? Steve Kroft reports.
The following script is from "Stuxnet" which aired on March 4, 2012. Steve Kroft is the correspondent. Graham Messick, producer.
For the past few months now, the nation's top military, intelligence and law enforcement officials have been warning Congress and the country about a coming cyberattack against critical infrastructure in the United States that could affect everything from the heat in your home to the money in your bank account. The warnings have been raised before, but never with such urgency, because this new era of warfare has already begun.
The first attack, using a computer virus called Stuxnet, was launched several years ago against an Iranian nuclear facility, almost certainly with some U.S. involvement. But the implications and the possible consequences are only now coming to light.
FBI Director Robert Mueller: I do believe that the cyberthreat will equal or surpass the threat from counterterrorism in the foreseeable future.
Defense Secretary Leon Panetta: There's a strong likelihood that the next Pearl Harbor that we confront could very well be a cyberattack.
House Intelligence Committee Chairman Mike Rogers: We will suffer a catastrophic cyberattack. The clock is ticking.
And there is reason for concern. For more than a decade, the U.S. military establishment has treated cyberspace as a domain of conflict, where it would need the capability to fend off attack, or launch its own. That time is here. Because someone sabotaged a top secret nuclear installation in Iran with nothing more than a long string of computer code.
Ret. Gen. Mike Hayden: We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction, and in this case, physical destruction in someone else's critical infrastructure.
Few people know more about the dark military art of cyberwar than Retired General Michael Hayden. He's a former head of the National Security Agency and was CIA director under George W. Bush. He knows a lot more about the attack on Iran than he can say here.
Hayden: This was a good idea, alright? But I also admit this was a really big idea too. The rest of the world is looking at this and saying, "Clearly someone has legitimated this kind of activity as acceptable international conduct." The whole world is watching.
The story of what we know about the Stuxnet virus begins in June of 2010, when it was first detected and isolated by a tiny company in Belarus after one of its clients in Iran complained about a software glitch. Within a month, a copy of the computer bug was being analyzed within a tight-knit community of computer security experts, and it immediately grabbed the attention of Liam O Murchu, an operations manager for Symantec, one of the largest antivirus companies in the world.
Liam O Murchu: As soon as we saw it, we knew it was something completely different. And red flags started to go up straightaway.
To begin with, Stuxnet was incredibly complicated and sophisticated, beyond the cutting edge. It had been out in the wild for a year without drawing anyone's attention, and seemed to spread by way of USB thumb drives, not over the Internet. O Murchu's job was to try and unlock its secrets and assess the threat for Symantec's clients by figuring out what the malicious software was engineered to do and who was behind it.
Steve Kroft: How long was the Stuxnet code?
O Murchu: You're talking tens of thousands of lines of code, a very, very long project, very well written, very professionally written and very difficult to analyze.
Unlike the millions of worms and viruses that turn up on the Internet every year, this one was not trying to steal passwords, identities or money. Stuxnet appeared to be crawling around the world, computer by computer, looking for some sort of industrial operation that was using a specific piece of equipment, a Siemens S7-300 programmable logic controller.
O Murchu: This gray box here is essentially what runs factory floors. And you program this box to control your equipment. And you say, turn on the conveyor belt. Turn on the heater, turn on the cooler, shut the plant down. It's all contained in that box. And that's what Stuxnet was looking for. It wanted to get its malicious code onto that box.
The programmable logic controller, or PLC, is one of the most critical pieces of technology you've never heard of. They contain circuitry and software essential for modern life and control the machines that run traffic lights, assembly lines, oil and gas pipelines, not to mention water treatment facilities, electric companies and nuclear power plants.
O Murchu: And that was very worrying to us because we thought it could've been a water treatment facility here in the U.S. or it could've been trying to take down electricity plants here in the U.S.
The first breakthrough came when O Murchu and his five-man team discovered that Stuxnet was programmed to collect information every time it infected a computer and to send it on to two websites in Denmark and Malaysia. Both had been registered with a stolen credit card, and the operators were nowhere to be found. But O Murchu was able to monitor the communications.
O Murchu: Well the first thing we did is we looked at where the infections were occurring in the world and we mapped them out. And that's what we see here. We saw that 70% of the infections occur in Iran and that's very unusual for malware that we see. We don't normally see high infections in Iran.
Two months later, Ralph Langner, a German expert on industrial control systems, added another piece of important information: Stuxnet didn't attack every computer it infected.
Langner: This whole virus is designed only to hit one specific target in the world.
Kroft: How could you tell that?
Langner: It goes through a sequence of checks to actually determine if this is the right target. It's kind of a fingerprinting process, a process of probing if this is the target I'm looking for, and if not, it just leaves the controller alone.
Stuxnet wasn't just looking for a Siemens controller that ran a factory floor; it was looking for a specific factory floor, with a specific type and configuration of equipment, including Iranian components that weren't used anywhere else in the world, and variable speed motors that might be used to regulate spinning centrifuges, a fragile piece of equipment essential to the enrichment of uranium. And Langner speculated publicly that Stuxnet was out to sabotage Iran's nuclear program.
Langner: We knew at this time that the highest number of infections had been reported in Iran. And second, it was pretty clear, just by looking at the sophistication, that there would be at least one nation state behind this. You know, you just add one and one together.
By the fall of 2010, the consensus was that Iran's top secret uranium enrichment plant at Natanz was the target and that Stuxnet was a carefully constructed weapon designed to be carried into the plant on a corrupted laptop or thumb drive, then infect the system, disguise its presence, move through the network, change computer code and subtly alter the speed of the centrifuges without the Iranians ever noticing. Sabotage by software.
O Murchu: Stuxnet's entire purpose is to control centrifuges. To make centrifuges speed up past what they're meant to spin at and to damage them. Certainly it would damage the uranium enrichment facility and they would need to be replaced.
Kroft: If the centrifuges were spinning too fast, wouldn't the operators at the plant know that?
O Murchu: Stuxnet was able to prevent the operators from seeing that on their screen. The operators would look at the screen to see what's happening with centrifuges and they wouldn't see that anything bad was happening.
It now seems likely that by the time O Murchu and Langner finally unraveled the mystery in November of 2010, Stuxnet had already accomplished at least part of its mission. Months before the virus was first detected, inspectors from the International Atomic Energy Agency had begun to notice that Iran was having serious problems with its centrifuges at Natanz.
O Murchu: What we know is that an IAEA report said that 1,000 to 2,000 centrifuges were removed from Natanz for unknown reasons. And we know that Stuxnet targets 1,000 centrifuges. So from that, people are drawn to the conclusion well Stuxnet got in and succeeded. That's the only evidence that we have.
Kroft: The only information that's not classified?
O Murchu: Yes.
And there are lots of things about Stuxnet that are still top secret.
Kroft: Who was behind it?
O Murchu: What we do know is that this was a very large operation. You're really looking at a government agency from some country who is politically motivated and who has the insider information from a uranium enrichment facility that would facilitate building a threat like this.
Kroft: An intelligence agency probably?
O Murchu: Probably.
Langner: We know from reverse engineering the attack codes that the attackers have full, and I mean this literally, full tactical knowledge of every damn detail of this plant. So you could say in a way they know the plant better than the Iranian operator.
We wanted to know what Retired General Michael Hayden had to say about all this since he was the CIA director at the time Stuxnet would have been developed.
Kroft: You left the CIA in 2009?
Hayden: 2009. Right.
Kroft: Does this surprise you that this happened?
Hayden: You need to separate my experience at CIA with your question, alright?
Kroft: Alright. You can't talk about the CIA?
Hayden: No and I don't want to even suggest what may have been on the horizon or not on the horizon. Or anything like that.
Kroft: If you look at the countries that have the capability of designing something like Stuxnet and you take a look at the countries that have -- would have a motive for trying to destroy Natanz...
Hayden: Where do those two sets intersect?
Kroft: You're pretty much left with the United States and Israel.
Hayden: Well, yes. But-- but-- it-- it-- there is no good with someone of my background even speculating on that question, so I won't.
Iran's president, Mahmoud Ahmadinejad, shown here at Natanz in 2008, blamed the cyberattack on "enemies of the state" and downplayed the damage. Both the U.S. and Israel maintain that it set back the Iranian program by several years. What's impossible to know is how much damage the attackers might have inflicted if the virus had gone undetected and not been exposed by computer security companies trying to protect their customers.
Ralph Langner: They planned to stay in that plant for many years. And to do the whole attack in a completely covert manner, that anytime a centrifuge would break, the operators would think, "This is again a technical problem that we have experienced, for example, because of poor quality of these centrifuges that we are using."
Liam O Murchu: We had a good idea that this was a blown operation, something that was never meant to be seen. It was never meant to come to the public's attention.
Kroft: You say blown. Meaning?
O Murchu: If you're running an operation like this to sabotage a uranium enrichment facility, you don't want the code uncovered, you want it kept secret. And you want it just to keep working, stay undercover, do its damage and disappear, and hopefully nobody would ever see it.
Kroft: Do you think this was a blown operation?
Hayden: No, not at all. I think it's an incredibly sophisticated operation.
But General Hayden did acknowledge that there are all sorts of potential problems and possible consequences that come with this new form of warfare.
Hayden: When you use a physical weapon it destroys itself, in addition to the target, if it's used properly. A cyberweapon doesn't. So there are those out there who can take a look at this, study it and maybe even attempt to turn it to their own purposes.
Such as launching a cyberattack against critical infrastructure here in the United States. Until last fall, Sean McGurk was in charge of protecting it, as head of cyber defense at the Department of Homeland Security. He believes that Stuxnet has given countries like Russia and China, not to mention terrorist groups and gangs of cybercriminals for hire, a textbook on how to attack key U.S. installations.
Sean McGurk: You can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back towards wherever it came from.
Kroft: Sounds a little bit like Pandora's box.
McGurk: Yes.
Kroft: Whoever launched this attack--
McGurk: They opened up the box. They demonstrated the capability. They showed the ability and the desire to do so. And it's not something that can be put back.
Kroft: If somebody in the government had come to you and said, "Look, we're thinking about doing this. What do you think?" What would you have told them?
McGurk: I would have strongly cautioned them against it because of the unintended consequences of releasing such a code.
Kroft: Meaning that other people could use it against you?
McGurk: Yes.
Kroft: Or use their own version of the code?
McGurk: Something similar. Son of Stuxnet, if you will.
As a result, what was once abstract theory has now become a distinct possibility.
Kroft: If you can do this to a uranium enrichment plant, why couldn't you do it to a nuclear power reactor in the United States or an electric company?
O Murchu: You could do that to those facilities. It's not easy. It's a difficult task, and that's why Stuxnet was so sophisticated, but it could be done.
Langner: You don't need many billions, you just need a couple of millions. And this would buy you a decent cyberattack, for example, against the U.S. power grid.
Kroft: If you were a terrorist group or a failed nation state and you had a couple of million dollars, where would you go to find the people that knew how to do this?
Langner: On the Internet.
Kroft: They're out there?
Langner: Sure.
Most of the nation's critical infrastructure is privately owned and extremely vulnerable to a highly sophisticated cyberweapon like Stuxnet.
Sen. Susan Collins: I can't think of another area in Homeland Security where the threat is greater and we've done less.
After several failures, Congress is once again trying to pass the nation's first cybersecurity law. And once again, there is fierce debate over whether the federal government should be allowed to require the owners of critical infrastructure to improve the security of their computer networks. Whatever the outcome, no one can say the nation hasn't been warned.