Jan 24, 2020

Attacking Iran with Stuxnet Welcome to the History of Computing Podcast, where we explore the history of information technology. Because understanding the past prepares us to innovate (and sometimes cope with) the future! Today we’re going to cover Stuxnet, which we now considered the first real act of cyber warfare. Iran has arguably been in turmoil since the fall of the Persian empire. Alexander the Great conquered Iran in 336 BC and then the Macedonians ruled until the empire fragmented and one arm, the Seleucids ruled until the Parthians took it in 129BC. Then the Sasanians, of Persian descent, ruled until the Muslim conquest of Persia in 651. The region was then ruled by a collection of Muslim dynasties until this weirdo Ghengis Khan showed up around 1220. After a few decades the Muslim forces regained control in 1256 and the area returned to turning over to different Muslim dynasties every couple hundred years on average until 1925 when the Pahlavi took control. The final Shah of that regime was ousted during the Islamic Revolution in Iran in 1979. Ruholla Khomeini ruled for the first ten years until Sayyid Ali Hosseini Khameneh took over after his death in 1989. Something very important happened the year before that would shape Iran up until today. In 1988 Pakistan became a nuclear power. Iran started working toward a nuclear program shortly thereafter, buying equipment from Pakistan. Those centrifuges would be something those, including the US, would attempt to keep out of Iranian hands through to today. While you can argue the politics of that, those are the facts. Middle Eastern politics, wars over oil, and wars over territory have all ensued. In 2015, Iran reached agreement on the Joint Comprehensive Plan of Action, commonly referred to as the Iran nuclear deal, with the US and the EU, and their nuclear ambitions seemed to be stalled until US president Donald Trump pulled out of it. A little before the recording of this episode General Sullemani was killed by a US attack. One of the reasons negotiated the JCPA was that the Iranians received a huge setback in their nuclear program in 2010 when the US attacked an Iranian nuclear facility. It’s now the most Well researched computer worm. But Who was behind stuxnet? Kim Zetter took a two year journey researching the worm, now documented in her book Countdown to 0 day. The Air Force was created in 1947. In the early 2000s, advanced persistent threat, or APTs, began to emerge following Operation Eligible Receiver in 1997. These are pieces of malware that are specifically crafted to attack specific systems or people. Now that the field was seen as a new frontier of war, the US Cyber command was founded in 2009. And they developed weapons to attack SCADA systems, or supervisory control and data acquisition (SCADA) systems amongst other targets. By the mid-2000s, Siemens has built these industrial control systems. The Marrucci incident had brought these systems to light as targets and developers had not been building these systems with security in mind, making them quite juicy targets. So the US and Israel wrote some malware that destroyed centrifuges by hitting the Siemens software sitting on windows embedded operating systems. It was initially discovered by virus Blocada engineer Sergey Ulasen, and called Tootkit.Tmphider. Symantec originally called it W32.Temphid and then changed the name to W32.Stuxnet based on a mashup of stub and mrxnet.sys from the source code. The malware was signed and targeted a bug in the operating system to install a root kit. Sergey reported the bug to Microsoft and went public with the discovery. This led us into an era of cyber warfare as a the first widespread attack hitting industrial control systems. Stuxnet wasn’t your run of the mill ddos attack. Each of the 3 variants from 2010 had 150,000 lines of code and targeted those control systems and destroyed a third of Iranian centrifuges by causing the step-7 software systems to handle the centrifuges improperly. Iranian nuclear engineers had obtained the Step-7 software even though it was embargoed and used a back door password to change the rotation speed of engines that targeted a specific uranium enrichment facility. In 2011, Gary Samore, acting White House Coordinator for Arms Control and Weapons of Mass Destruction, would all but admit the attack was state sponsored. After that, in 2012, Iranian hackers use wiper malware, destroying 35,000 computers of Saudi Aramco costing the organization tens of millions of dollars. Cypem was hit in 2018. And the Sands casino after Sheldon Adelsyon said the US should nuke Iran. While not an official response, Stuxnet would hit another plant in the Hormozgon province a few months later. And continues in some form today. Since Iran and Israel are such good friends, it likely came as a shock when Gabi Ashkenazi, head of the Israeli Defense Forces, listed Stuxnet as one of his successes. And so the age of State sponsored Asymmetric cyber conflicts was born. Iran, North Korea, and others were suddenly able to punch above their weight. It was proven that what began in cyber could have real-world consequences. And very small and skilled teams could get as much done as larger, more beaurocratic organizations - much as we see small, targeted teams of developers able to compete head-on with larger software products. Why is that? Because often times, a couple of engineers with deep domain knowledge are equally as impactful as larger teams with a wider skill set.