WEBVTT

00:00:04.980 --> 00:00:08.540
JACK: [MUSIC] In the eighteenth century the US had the Army and Navy to defend and attack

00:00:08.540 --> 00:00:09.540
with.

00:00:09.540 --> 00:00:13.660
In the 20th century the US developed an Air Force to carry out strikes with a new level

00:00:13.660 --> 00:00:16.039
of speed, precision, and agility.

00:00:16.039 --> 00:00:21.650
In the 21st century the US created and launched cyber weapons with the goal of destroying

00:00:21.650 --> 00:00:26.130
physical equipment in another country, an attack that can be done from the other side

00:00:26.130 --> 00:00:31.119
of the planet without any ground troops or air support needed, an attack done entirely

00:00:31.119 --> 00:00:32.119
electronically.

00:00:32.119 --> 00:00:37.910
There are now five domains of warfare that the US military recognizes and is responsible

00:00:37.910 --> 00:00:38.910
for.

00:00:38.910 --> 00:00:42.520
That is land, air, sea, space, and now information.

00:00:42.520 --> 00:00:46.910
It’s amazing to see this shift of power happen right in front of our eyes.

00:00:46.910 --> 00:00:51.370
We were here at the birth of this new military weapon and it will forever change the way

00:00:51.370 --> 00:00:55.960
diplomacy is conducted, wars are fought, and battles are waged.

00:00:55.960 --> 00:01:04.830
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:04.830 --> 00:01:09.430
I’m Jack Rhysider.

00:01:09.430 --> 00:01:13.910
This is Darknet Diaries.

00:01:13.910 --> 00:01:22.650
[INTRO MUSIC ENDS]

00:01:22.650 --> 00:01:30.320
JACK: This episode is about Stuxnet, the most sophisticated piece of malware to ever be

00:01:30.320 --> 00:01:31.320
discovered.

00:01:31.320 --> 00:01:34.380
But we only know about Stuxnet because it was discovered.

00:01:34.380 --> 00:01:38.500
I assume there’s even more sophisticated malware out there that hasn’t been found

00:01:38.500 --> 00:01:44.680
yet and it’s being used more covertly and secretly and maybe even has bigger objectives.

00:01:44.680 --> 00:01:50.750
Stuxnet burrowed its way deep into a nuclear facility in Iran and destroyed its centrifuges

00:01:50.750 --> 00:01:55.010
which caused a massive amount of damage to this nuclear enrichment facility.

00:01:55.010 --> 00:01:59.290
Nobody ever confessed or took credit for this attack against Iran but here’s the thing:

00:01:59.290 --> 00:02:03.890
besides Stuxnet being the most sophisticated malware ever discovered, it’s probably also

00:02:03.890 --> 00:02:06.350
the most well-researched malware, too.

00:02:06.350 --> 00:02:10.810
Now that researchers have spent years putting all the pieces of the puzzle together, it

00:02:10.810 --> 00:02:13.530
gives us an amazing view into this virus.

00:02:13.530 --> 00:02:15.610
Yeah, this story is old news.

00:02:15.610 --> 00:02:20.329
This incident happened back in 2009 but sometimes it takes five or more years to fully put the

00:02:20.329 --> 00:02:22.040
pieces together.

00:02:22.040 --> 00:02:26.340
One thing that fascinates me the most about Stuxnet is who was behind it.

00:02:26.340 --> 00:02:28.620
Usually attribution is impossible and pointless.

00:02:28.620 --> 00:02:33.189
You never really can tell who did an attack unless they admit to it and even if you know,

00:02:33.189 --> 00:02:35.060
there’s usually nothing you can do about it.

00:02:35.060 --> 00:02:38.460
I mean, imagine if you found out some Russian group hacked you.

00:02:38.460 --> 00:02:41.590
You can’t really call the police there to report it and there’s really nothing you

00:02:41.590 --> 00:02:42.590
can do.

00:02:42.590 --> 00:02:46.470
With Stuxnet, do we know who built it and used it to attack Iran?

00:02:46.470 --> 00:02:49.060
KIM: Oh, we know.

00:02:49.060 --> 00:02:50.690
It was the US and Israel.

00:02:50.690 --> 00:02:51.810
JACK: This is Kim Zetter.

00:02:51.810 --> 00:02:57.310
KIM: I’m a journalist who’s been covering cyber-security and national security for more

00:02:57.310 --> 00:02:58.549
than a decade.

00:02:58.549 --> 00:03:03.819
I’ve written for Wired as a staff writer and freelanced for the New York Times, Washington

00:03:03.819 --> 00:03:08.780
Post, Politico, and other publications and I’m the author of Countdown to Zero Day:

00:03:08.780 --> 00:03:11.239
Stuxnet and the Launch of the World’s First Digital Weapon.

00:03:11.239 --> 00:03:14.830
JACK: Countdown to Zero Day is an incredibly detailed book about Stuxnet.

00:03:14.830 --> 00:03:19.859
It’s the result of Kim spending years researching this story and putting all the pieces together.

00:03:19.859 --> 00:03:23.010
When I make an episode for this podcast, I spend weeks researching it.

00:03:23.010 --> 00:03:28.590
She spent two years on this story, interviewing dozens of people, reading hundreds of articles

00:03:28.590 --> 00:03:34.099
and documents, and asking a lot of questions to a lot of people: security researchers,

00:03:34.099 --> 00:03:37.249
nuclear scientists, government officials, journalists, and so many more.

00:03:37.249 --> 00:03:40.989
The result is an amazing book which has so much more detail than what we’ll be able

00:03:40.989 --> 00:03:42.209
to cover here.

00:03:42.209 --> 00:03:46.049
But what I’m trying to say is that this makes Kim one of the most qualified and knowledgeable

00:03:46.049 --> 00:03:47.790
people to talk Stuxnet with.

00:03:47.790 --> 00:03:49.469
So, let’s get started.

00:03:49.469 --> 00:03:55.670
[MUSIC] In 1998 Pakistan detonated the bomb.

00:03:55.670 --> 00:03:57.010
This was the big one.

00:03:57.010 --> 00:04:02.139
A nuclear atomic bomb was created and tested out in the hills of Pakistan.

00:04:02.139 --> 00:04:07.810
A lot of countries took note of this, especially the US so the CIA began infiltrating Pakistan

00:04:07.810 --> 00:04:10.150
to learn more of what’s going on there.

00:04:10.150 --> 00:04:12.840
They found their chief physicist was a guy named A.Q.

00:04:12.840 --> 00:04:13.840
Khan.

00:04:13.840 --> 00:04:17.239
KIM: They had been working for a while to infiltrate the A.Q.

00:04:17.239 --> 00:04:23.070
Khan network primarily to study what Pakistan was doing.

00:04:23.070 --> 00:04:26.580
They were able to infiltrate the supply network.

00:04:26.580 --> 00:04:31.980
That is flipping people who are actually involved in supplying A.Q.

00:04:31.980 --> 00:04:33.970
Khan with equipment.

00:04:33.970 --> 00:04:40.000
In flipping those people they were able to determine where else he was selling designs

00:04:40.000 --> 00:04:41.000
and materials.

00:04:41.000 --> 00:04:45.060
In infiltrating that network they discovered that once he had built the illicit program

00:04:45.060 --> 00:04:51.530
in Pakistan he was interested in spreading that knowledge throughout the world.

00:04:51.530 --> 00:04:52.530
JACK: A.Q.

00:04:52.530 --> 00:04:56.060
Khan had made trade deals with North Korea, Libya, and Iran, and was selling them equipment

00:04:56.060 --> 00:04:58.320
and supplies to conduct nuclear enrichment.

00:04:58.320 --> 00:05:05.971
KIM: We know that Iran launched its illicit nuclear program probably sometime

00:05:05.971 --> 00:05:08.500
around late 1998, 1999.

00:05:08.500 --> 00:05:13.890
That’s when it first started purchasing blueprints for building a centrifuge factory

00:05:13.890 --> 00:05:15.460
and purchasing materials.

00:05:15.460 --> 00:05:18.140
JACK: The CIA became aware of what equipment A.Q.

00:05:18.140 --> 00:05:20.440
Khan was selling to these countries.

00:05:20.440 --> 00:05:29.250
KIM: Intelligence agencies, CIA and UK Intelligence, had infiltrated the supply network going to

00:05:29.250 --> 00:05:30.600
Libya, between A.Q.

00:05:30.600 --> 00:05:37.400
Khan and Libya, and intercepted a shipment in the United Arab Emirates that was going

00:05:37.400 --> 00:05:38.990
to Libya.

00:05:38.990 --> 00:05:45.630
They then were able to publicly expose the Libya program and pressure Libya into coming

00:05:45.630 --> 00:05:48.000
clean about the program and giving it up.

00:05:48.000 --> 00:05:51.910
JACK: When Libya gave them up, the US seized these centrifuges and the materials to build

00:05:51.910 --> 00:05:52.910
them with.

00:05:52.910 --> 00:06:00.270
KIM: The United Nations International Atomic Energy Agency which oversees nuclear programs

00:06:00.270 --> 00:06:05.720
around the world immediately travelled to Libya, this was around 2004, to catalogue

00:06:05.720 --> 00:06:08.260
all the materials that Libya had.

00:06:08.260 --> 00:06:15.380
Shortly after that the CIA shipped those materials to a secret lab in Tennessee.

00:06:15.380 --> 00:06:20.810
JACK: [MUSIC] This secret lab was the Oak Ridge National Laboratory and these centrifuges

00:06:20.810 --> 00:06:26.410
taken from Libya look like big stove pipes about ten inches wide, eight feet tall, made

00:06:26.410 --> 00:06:30.800
of hard metal, and they’re shipped in big wooden crates almost like how you’d see

00:06:30.800 --> 00:06:32.440
rockets shipped on the black market.

00:06:32.440 --> 00:06:36.721
The purpose of these centrifuges is to separate the isotopes in uranium, thus enriching the

00:06:36.721 --> 00:06:39.580
uranium to be used for nuclear capabilities.

00:06:39.580 --> 00:06:43.080
These centrifuges were the exact same model as the ones A.Q.

00:06:43.080 --> 00:06:45.710
Khan had sold to Iran.

00:06:45.710 --> 00:06:46.710
The models were…

00:06:46.710 --> 00:06:48.120
KIM: IR-1 and IR-2.

00:06:48.120 --> 00:06:49.120
Mostly IR-1s.

00:06:49.120 --> 00:06:54.020
JACK: Since the CIA knew Iran had the exact same model centrifuges, the physicists in

00:06:54.020 --> 00:06:56.220
Tennessee began studying them.

00:06:56.220 --> 00:07:02.500
KIM: [MUSIC] The initial study was primarily aimed at determining how efficient these centrifuges

00:07:02.500 --> 00:07:08.530
were at enriching uranium so that inspectors could determine how far along the illicit

00:07:08.530 --> 00:07:11.170
nuclear program in Iran might be.

00:07:11.170 --> 00:07:15.030
They were simply just trying to study the centrifuges to see how they worked, how much

00:07:15.030 --> 00:07:20.110
gas they could enrich, and how long it might take Iran to have enough enriched uranium

00:07:20.110 --> 00:07:22.170
material to create a bomb.

00:07:22.170 --> 00:07:26.680
JACK: The nuclear physicists who already understand nuclear materials and how uranium enrichment

00:07:26.680 --> 00:07:29.890
works studied these centrifuges extensively.

00:07:29.890 --> 00:07:34.590
KIM: There have been reports that part of the research was also done actually in Israel

00:07:34.590 --> 00:07:42.580
at a – Israel has an illicit nuclear facility that also has been publicly exposed in Dimona,

00:07:42.580 --> 00:07:44.310
in the southern part of the country, in the desert.

00:07:44.310 --> 00:07:48.860
JACK: All the while Iran had continued to work on their nuclear enrichment program.

00:07:48.860 --> 00:07:54.360
KIM: The illicit program was known by the CIA, by intelligence agencies.

00:07:54.360 --> 00:07:57.240
They knew that blueprints had been sold to Iran.

00:07:57.240 --> 00:08:01.800
They knew that meetings had occurred and the exchange of money had occurred.

00:08:01.800 --> 00:08:06.010
They knew that there was activity going on but they didn’t actually know where the

00:08:06.010 --> 00:08:08.680
facilities were initially.

00:08:08.680 --> 00:08:13.250
Then they knew that ground had been broken on a facility outside of a village called

00:08:13.250 --> 00:08:15.570
Natanz in around 2000.

00:08:15.570 --> 00:08:20.620
JACK: The CIA and intelligence officials had been monitoring the location and found evidence

00:08:20.620 --> 00:08:23.560
that a nuclear facility was being built there.

00:08:23.560 --> 00:08:25.140
But this wasn’t public information.

00:08:25.140 --> 00:08:31.330
KIM: It’s unclear exactly who leaked the information but in August 2002 the Iranian

00:08:31.330 --> 00:08:33.310
illicit nuclear program went public.

00:08:33.310 --> 00:08:38.060
[MUSIC] Although intelligence agencies had known about this, this was the first public

00:08:38.060 --> 00:08:40.729
exposure of it.

00:08:40.729 --> 00:08:46.399
Once that information was public the International Atomic Energy Agency which is the arm of the

00:08:46.399 --> 00:08:51.939
United Nations that monitors nuclear programs, demanded access to that facility at Natanz

00:08:51.939 --> 00:08:53.160
from Iran.

00:08:53.160 --> 00:08:58.350
They obtained that access for the first time in February 2003 and they started cataloguing

00:08:58.350 --> 00:09:00.560
what was going on in the program.

00:09:00.560 --> 00:09:05.190
They saw that it was much further advanced than they expected from the satellite images,

00:09:05.190 --> 00:09:11.170
that Iran was actually quite prepared to start enriching uranium hexafluoride gas.

00:09:11.170 --> 00:09:17.350
Then pressure was placed on Iran by western countries and the United Nations to halt the

00:09:17.350 --> 00:09:22.850
program until they could obtain more information about how far advanced the program was.

00:09:22.850 --> 00:09:29.630
Iran did agree to hold the program for a while but in 2005 when Mahmoud Ahmadinejad was elected

00:09:29.630 --> 00:09:37.009
President of Iran, Iran decided to stop cooperating and they decided to move forward with beginning

00:09:37.009 --> 00:09:40.269
to enrich the first batch of uranium hexafluoride gas.

00:09:40.269 --> 00:09:45.370
JACK: President George W. Bush was in office at the time and diplomacy between Iran and

00:09:45.370 --> 00:09:47.550
the US wasn’t going very well.

00:09:47.550 --> 00:09:52.100
Iranian President Ahmadinejad was very adamant about progressing with the nuclear enrichment.

00:09:52.100 --> 00:09:56.200
Bush had already invaded Iraq and Afghanistan so invading another country in that region

00:09:56.200 --> 00:09:58.449
was not gonna play favorably for him.

00:09:58.449 --> 00:10:02.490
Iran knew this and used this to their advantage by choosing this time to progress

00:10:02.490 --> 00:10:06.970
with their nuclear capabilities by doing things like inviting the press to tour the facility

00:10:06.970 --> 00:10:10.300
with the President of Iran to show it off to the world.

00:10:10.300 --> 00:10:14.220
All the while, Iran was saying this was a civilian nuclear program and was not going

00:10:14.220 --> 00:10:16.850
to be used to create any weapons with.

00:10:16.850 --> 00:10:22.610
This angered President Bush and Vice President Dick Cheney so another plan had to be made,

00:10:22.610 --> 00:10:29.089
one more covert and undercover, one that could slow down and impede their progress and potentially

00:10:29.089 --> 00:10:31.740
look like faulty equipment or an accident.

00:10:31.740 --> 00:10:37.360
KIM: That’s when the solution was proposed to conduct some kind of secret sabotage that

00:10:37.360 --> 00:10:41.980
would hold the Iranians back without tipping them off to exactly what was happening.

00:10:41.980 --> 00:10:46.920
JACK: The idea was just to slow down Iran’s nuclear developments until diplomatic negotiations

00:10:46.920 --> 00:10:47.920
could be reached.

00:10:47.920 --> 00:10:49.589
They just needed to buy some time.

00:10:49.589 --> 00:10:57.309
KIM: Oak Ridge National Lab has a secret nuclear intelligence division there.

00:10:57.309 --> 00:11:02.430
They already are engaged in this kind of activity, this kind of investigatory work, to monitor

00:11:02.430 --> 00:11:09.310
nuclear programs along with the United Nations and the US government.

00:11:09.310 --> 00:11:13.060
They already had the capabilities there and the knowhow there.

00:11:13.060 --> 00:11:19.550
They are part of the intelligence community and so they are working to quickly build the

00:11:19.550 --> 00:11:23.009
centrifuge, these cascades, to study them, to do an analysis of them.

00:11:23.009 --> 00:11:26.220
JACK: By the way, this laboratory is run by the Department of Energy and it’s where

00:11:26.220 --> 00:11:29.009
most of the work for The Manhattan Project took place.

00:11:29.009 --> 00:11:36.470
KIM: At some point, simultaneously there’s a lab in Idaho called the Idaho National Lab.

00:11:36.470 --> 00:11:38.449
JACK: Which is also run by the Department of Energy.

00:11:38.449 --> 00:11:44.490
KIM: That does investigations into industrial control systems so there’s expertise there

00:11:44.490 --> 00:11:47.970
for the technical capabilities.

00:11:47.970 --> 00:11:55.759
At some point this program that began as an investigation just to determine the efficiency

00:11:55.759 --> 00:12:01.619
of the Iranian centrifuges just to determine – to gain intelligence about how far along

00:12:01.619 --> 00:12:04.050
Iran’s program might be.

00:12:04.050 --> 00:12:09.389
At some point someone got the idea to see if they could actually sabotage it physically

00:12:09.389 --> 00:12:14.899
and that’s when the solution was proposed to conduct some kind of secret sabotage that

00:12:14.899 --> 00:12:20.769
would hold the Iranians back without tipping them off to exactly what was happening.

00:12:20.769 --> 00:12:25.459
JACK: Scientists at the Oak Ridge Lab began working to try to come up with ways to cause

00:12:25.459 --> 00:12:29.819
damage to these centrifuges in a subtle but catastrophic way.

00:12:29.819 --> 00:12:33.930
They may have received help from scientists at the Idaho Lab too, since they had previously

00:12:33.930 --> 00:12:37.500
done research on electrical components within industrial control systems.

00:12:37.500 --> 00:12:41.809
KIM: September 2005, Iran announces that it’s moving forward with the enrichment of the

00:12:41.809 --> 00:12:43.029
uranium hexafluoride gas.

00:12:43.029 --> 00:12:47.730
In January, February 2006, they announced that they are beginning to enrich their first

00:12:47.730 --> 00:12:49.870
batch of uranium hexafluoride gas.

00:12:49.870 --> 00:12:54.439
JACK: Stuxnet wasn’t ready yet but another attack was ready and was launched.

00:12:54.439 --> 00:12:58.050
KIM: [MUSIC] That’s when we know that the first sabotage occurred.

00:12:58.050 --> 00:13:04.589
They had installed about 150 centrifuges in a pilot plant testing facility at Natanz and

00:13:04.589 --> 00:13:08.700
the centrifuges were spinning fine for about ten days and then suddenly they started spinning

00:13:08.700 --> 00:13:09.920
out of control.

00:13:09.920 --> 00:13:14.259
It took the Iranians some time to figure out what was happening but they ultimately traced

00:13:14.259 --> 00:13:20.149
it to some sabotage in the uninterruptible power supply, UPSs that they had purchased

00:13:20.149 --> 00:13:23.350
from Turkey; someone had sabotaged them.

00:13:23.350 --> 00:13:28.110
JACK: This caused significant damage to the centrifuges and ultimately stopped Iran from

00:13:28.110 --> 00:13:31.899
moving forward with the enrichment process for the rest of 2006.

00:13:31.899 --> 00:13:36.250
The CIA were likely the ones introducing this faulty equipment into the facility by infiltrating

00:13:36.250 --> 00:13:40.100
the supply chain going in and slightly sabotaging the equipment.

00:13:40.100 --> 00:13:44.119
Around the same time the US was trying to get a detailed map of what was in the Natanz

00:13:44.119 --> 00:13:45.579
nuclear facility.

00:13:45.579 --> 00:13:50.389
They used conventional spying techniques and also infiltrated computers in Iran to figure

00:13:50.389 --> 00:13:52.750
out what was going on in Natanz.

00:13:52.750 --> 00:13:57.929
They gathered information from contractors, engineers, scientists, and the Iranian government

00:13:57.929 --> 00:14:02.319
and they may have gotten a virus in the Natanz facility just to take inventory of what’s

00:14:02.319 --> 00:14:03.769
on the network in there.

00:14:03.769 --> 00:14:07.519
Using all these techniques they developed a pretty good understanding of exactly what’s

00:14:07.519 --> 00:14:14.249
in the facility which would be crucial for building a weapon to target only those systems.

00:14:14.249 --> 00:14:17.450
By this point the facility was recovering from their faulty power supplies.

00:14:17.450 --> 00:14:22.910
KIM: Once they had resolved that issue in January 2007, they announced they were beginning

00:14:22.910 --> 00:14:28.379
to enrich their first batch of uranium hexafluoride gas not in the pilot plant but in the actual

00:14:28.379 --> 00:14:29.760
enrichment plant.

00:14:29.760 --> 00:14:33.829
That’s when things started to move into full force.

00:14:33.829 --> 00:14:40.170
Israel got very nervous and was asking the US for permission to bomb the plant and to

00:14:40.170 --> 00:14:41.170
halt it.

00:14:41.170 --> 00:14:47.029
JACK: [MUSIC] Keep in mind, Israel and Iran have a long history of not liking each other.

00:14:47.029 --> 00:14:52.209
The Supreme Leader of Iran once called Israel a cancerous tumor that should be removed.

00:14:52.209 --> 00:14:57.139
Iran has also called Israel an illegal state and a parasite, mostly angry with the way

00:14:57.139 --> 00:15:01.830
Israel has treated Palestine, so Israel gets extremely nervous whenever Iran

00:15:01.830 --> 00:15:06.009
starts enriching uranium and this wouldn’t be the first time an Israeli airstrike would

00:15:06.009 --> 00:15:08.019
be done on a nuclear facility.

00:15:08.019 --> 00:15:13.510
Operation Opera was when Israeli fighter jets bombed a nuclear reactor in Iraq.

00:15:13.510 --> 00:15:18.319
Operation Orchard was another airstrike that Israel did on a nuclear facility in Syria.

00:15:18.319 --> 00:15:22.120
Israel was ready to deploy fighter jets to take out Natanz.

00:15:22.120 --> 00:15:28.600
There are also stories of the US bombing nuclear facilities in Cuba so an airstrike was definitely

00:15:28.600 --> 00:15:29.899
an option.

00:15:29.899 --> 00:15:34.910
But Israel was growing increasingly nervous and looked to the US for help but the US calmed

00:15:34.910 --> 00:15:37.819
Israel down and told them about another plan.

00:15:37.819 --> 00:15:43.209
KIM: That’s when the alternative plan, Stuxnet, kicked into full gear.

00:15:43.209 --> 00:15:47.569
JACK: Israel wasn’t entirely sure this secret plan was going to work so to help convince

00:15:47.569 --> 00:15:52.839
them the US shared the plan with Israel to let them in on it, sharing the virus, the

00:15:52.839 --> 00:15:55.550
strategies, the intelligence gathered, and the method of attack.

00:15:55.550 --> 00:15:59.779
There may have even been some demonstrations done in the nuclear facility in Dimona where

00:15:59.779 --> 00:16:02.170
Israel could see its effectiveness.

00:16:02.170 --> 00:16:06.499
This convinced Israel it was a good idea and even started to help develop it.

00:16:06.499 --> 00:16:11.420
By this point out at Oak Ridge National Laboratory, they built a replica of the Natanz facility

00:16:11.420 --> 00:16:15.819
and work was well underway on how to cause damage to their centrifuges.

00:16:15.819 --> 00:16:20.010
This work was spread out among many different teams and even some of the most trusted scientists

00:16:20.010 --> 00:16:21.949
weren’t aware of the full picture.

00:16:21.949 --> 00:16:26.829
They figured out a way to send a command to a controller to cause the centrifuge to behave

00:16:26.829 --> 00:16:27.829
abnormally.

00:16:27.829 --> 00:16:36.129
KIM: [MUSIC] The 2007 version was designed to close valves, exit valves, on the centrifuges.

00:16:36.129 --> 00:16:40.709
The way that it works is that gas pumps into the centrifuges, the centrifuge spins and

00:16:40.709 --> 00:16:45.699
enriches the uranium, and that enriched uranium then goes out through a pipe that has a valve

00:16:45.699 --> 00:16:47.029
in it.

00:16:47.029 --> 00:16:52.610
What Stuxnet did was it closed the valves on the exit pipes so that the gas would go

00:16:52.610 --> 00:16:55.999
into the centrifuges but it couldn’t get out.

00:16:55.999 --> 00:16:59.899
The result then, was that the pressure inside the centrifuge increased until it damaged

00:16:59.899 --> 00:17:00.899
the centrifuges.

00:17:00.899 --> 00:17:05.650
JACK: The damage was catastrophic to the centrifuge but it just looked like a basic malfunction.

00:17:05.650 --> 00:17:08.880
During one test, the gas built up so much pressure that it caused the centrifuge to

00:17:08.880 --> 00:17:14.490
wobble chaotically and break apart into pieces, leaving a pile of rubble on the floor in the

00:17:14.490 --> 00:17:15.490
lab.

00:17:15.490 --> 00:17:18.750
A person working on this project collected the rubble, put it in a box, flew to Washington

00:17:18.750 --> 00:17:23.140
DC, and dumped the pieces on the conference room table in the Situation Room in front

00:17:23.140 --> 00:17:24.900
of President Bush.

00:17:24.900 --> 00:17:30.429
KIM: When Bush saw that it could be successful, he gave the go-ahead to do that.

00:17:30.429 --> 00:17:35.929
That was 2006 and then Stuxnet was actually unleashed sometime in 2007.

00:17:35.929 --> 00:17:41.940
They would have had that time between 2006 and 2007 when it was unleashed to perfect

00:17:41.940 --> 00:17:48.080
Stuxnet, to make sure that it wouldn’t be caught, to make sure that it was stealth enough,

00:17:48.080 --> 00:17:50.350
and that it would do what it was designed to do.

00:17:50.350 --> 00:17:57.450
JACK: It was important to keep this as a top-secret mission, very covert, hush-hush.

00:17:57.450 --> 00:18:01.470
The project kicked into gear at this point, fine tuning it and figuring out ways to distribute

00:18:01.470 --> 00:18:02.470
it.

00:18:02.470 --> 00:18:06.720
One tricky problem though was that the computers in Natanz were not reachable from the internet;

00:18:06.720 --> 00:18:11.130
they were air gapped so the only way to use those computers was to be physically present

00:18:11.130 --> 00:18:12.340
in front of the terminal.

00:18:12.340 --> 00:18:16.490
So the attackers came up with the idea of putting the virus on a USB stick and to try

00:18:16.490 --> 00:18:21.200
to get someone to walk into the facility and plug it in, maybe a worker or a contractor

00:18:21.200 --> 00:18:22.210
or something.

00:18:22.210 --> 00:18:26.490
USB sticks with the Stuxnet virus were spread, trying to get them into the hands of the people

00:18:26.490 --> 00:18:28.130
who went inside Natanz.

00:18:28.130 --> 00:18:32.530
They were unsure how far these went and how they tried to get them into the facility.

00:18:32.530 --> 00:18:36.539
Perhaps they knew which scientists were there and gave them USB sticks at a conference or

00:18:36.539 --> 00:18:39.299
tried to get a contractor to use them on the systems.

00:18:39.299 --> 00:18:43.270
It’s not like you can just leave them all over the parking lot because the Natanz facility

00:18:43.270 --> 00:18:45.730
is extremely well-guarded.

00:18:45.730 --> 00:18:50.080
Imagine a typical military base with high fences, guards, and artillery weapons spread

00:18:50.080 --> 00:18:51.289
all over the place.

00:18:51.289 --> 00:18:54.640
You’re not going to get anywhere near the parking lot of this place.

00:18:54.640 --> 00:18:58.701
But the sticks were launched into the wild to try to get them into this nuclear facility

00:18:58.701 --> 00:19:00.840
in Iran.

00:19:00.840 --> 00:19:05.649
Once the attackers pumped a bunch of USB sticks into the region, they had to wait and see

00:19:05.649 --> 00:19:07.559
if it worked.

00:19:07.559 --> 00:19:12.040
[MUSIC] But it’s really hard to tell if it worked.

00:19:12.040 --> 00:19:16.560
The NSA had no visibility into the facility and no access to computers even if they got

00:19:16.560 --> 00:19:17.990
Stuxnet onto one.

00:19:17.990 --> 00:19:21.690
They were at the mercy of the local news or inspection reports.

00:19:21.690 --> 00:19:25.450
The IAEA is a group of nuclear inspectors appointed by the UN.

00:19:25.450 --> 00:19:30.059
KIM: They started visiting Natanz a couple of times a month and they would write reports

00:19:30.059 --> 00:19:33.299
that they would send back to their headquarters in Vienna, Austria.

00:19:33.299 --> 00:19:39.799
In those reports they describe the progress of Iran’s nuclear program.

00:19:39.799 --> 00:19:44.480
Beginning around 2007 they are describing that the Iranians are having problems with

00:19:44.480 --> 00:19:45.750
the centrifuges.

00:19:45.750 --> 00:19:48.320
They are wasting gas.

00:19:48.320 --> 00:19:52.460
They’re not progressing as fast as they’re intending.

00:19:52.460 --> 00:19:56.450
What is happening in that version is as I said, that the exit valves are closing.

00:19:56.450 --> 00:20:00.340
The gas pours into the centrifuges and it can’t get out of the centrifuges.

00:20:00.340 --> 00:20:02.450
The pressure inside the centrifuges increases.

00:20:02.450 --> 00:20:07.890
JACK: When the pressure of the gas would increase by five times, the gas would start to solidify.

00:20:07.890 --> 00:20:12.880
KIM: If the spinning centrifuge has gas that’s solidified in it, that solidified gas is going

00:20:12.880 --> 00:20:17.779
to catch on that rotor that’s spinning inside and it’s going to cause the centrifuge to

00:20:17.779 --> 00:20:18.779
spin out of control.

00:20:18.779 --> 00:20:20.040
It’s going to become unbalanced.

00:20:20.040 --> 00:20:24.279
What can happen is that the centrifuges, they’re spinning at supersonic speed.

00:20:24.279 --> 00:20:29.419
If a centrifuge becomes unmoored it’s going to crash into centrifuges that are next to

00:20:29.419 --> 00:20:30.419
it.

00:20:30.419 --> 00:20:34.840
You’re going to ruin the centrifuges themselves but you’re also going to waste that gas.

00:20:34.840 --> 00:20:37.070
That was the design of the program.

00:20:37.070 --> 00:20:42.390
Iran had only a limited supply of uranium hexafluoride gas and a limited supply of materials

00:20:42.390 --> 00:20:43.980
to build new centrifuges.

00:20:43.980 --> 00:20:49.019
For every centrifuge that you could destroy and every batch of gas that you could ruin,

00:20:49.019 --> 00:20:50.860
it was setting the program back.

00:20:50.860 --> 00:20:56.700
JACK: But the reports show that progress was only slowed by about 30%.

00:20:56.700 --> 00:21:00.970
This still meant that Iran could develop nuclear capabilities in the next few years so this

00:21:00.970 --> 00:21:03.809
wasn’t slowing the progress enough for Israel to feel comfortable.

00:21:03.809 --> 00:21:08.590
But at this point Stuxnet was so covert and stealthy that nobody in the world knew about

00:21:08.590 --> 00:21:11.019
it except the attackers who created it.

00:21:11.019 --> 00:21:14.550
This caused a lot of confusion and frustration with the scientists.

00:21:14.550 --> 00:21:18.190
But the attackers went back to the drawing board at Oak Ridge Lab.

00:21:18.190 --> 00:21:22.399
Scientists and security researchers went back to working on this virus to improve it but

00:21:22.399 --> 00:21:25.139
around this time something changed in the US.

00:21:25.139 --> 00:21:30.090
KIM: [MUSIC] We had a change of presidents in that period and a new president comes in

00:21:30.090 --> 00:21:31.789
in 2009.

00:21:31.789 --> 00:21:36.190
This was a covert operation and a covert operation has to be authorized by the sitting president

00:21:36.190 --> 00:21:41.059
and because the sitting president was leaving, Stuxnet had to be reauthorized.

00:21:41.059 --> 00:21:47.029
Essentially, it would have come to a halt at that point if Obama hadn’t reauthorized

00:21:47.029 --> 00:21:48.590
it and he did.

00:21:48.590 --> 00:21:52.790
JACK: With the reauthorization of the virus, work kicked into high gear once again.

00:21:52.790 --> 00:21:56.290
The team at Oak Ridge discovered a new way to damage the centrifuges.

00:21:56.290 --> 00:21:59.750
They wanted to continue to use different types of sabotage because if the same attack was

00:21:59.750 --> 00:22:02.600
used every time, it would look more suspicious.

00:22:02.600 --> 00:22:08.059
They found that if you changed the revolutions per second significantly it would cause a harmonic

00:22:08.059 --> 00:22:13.549
resonance, making the centrifuge wobble chaotically and become too damaged to continue.

00:22:13.549 --> 00:22:17.929
Not only was a new method of destruction discovered but security researchers found new ways to

00:22:17.929 --> 00:22:19.590
infect the systems.

00:22:19.590 --> 00:22:21.269
The first version only had one zero-day.

00:22:21.269 --> 00:22:25.020
A zero-day is a bug that the software vendor isn’t aware of.

00:22:25.020 --> 00:22:27.960
But this new code contained four zero-days.

00:22:27.960 --> 00:22:30.580
This number of zero-days is unprecedented.

00:22:30.580 --> 00:22:34.490
No malware in history has ever been discovered to have this many zero-days in it.

00:22:34.490 --> 00:22:38.620
The malware would first have to infect a Windows machine to plant itself on it, which exploited

00:22:38.620 --> 00:22:40.169
an unknown Windows bug.

00:22:40.169 --> 00:22:44.720
To do this the virus used an authentic digitally signed certificate to appear legitimate.

00:22:44.720 --> 00:22:48.470
This is another layer of complexity to this virus because it’s believed the private

00:22:48.470 --> 00:22:53.159
keys needed to sign these certificates were stolen from two different hardware manufacturers

00:22:53.159 --> 00:22:55.100
in Taiwan.

00:22:55.100 --> 00:22:59.360
Then once a computer is infected, the virus can seek out the SCADA software that’s on

00:22:59.360 --> 00:23:02.580
that computer and this is the software that controls the centrifuges.

00:23:02.580 --> 00:23:07.370
It would alter the files there, again exploiting an unknown bug in that SCADA software.

00:23:07.370 --> 00:23:11.279
If the monitoring software would detect a centrifuge spinning too fast, it would shut

00:23:11.279 --> 00:23:12.370
down the system.

00:23:12.370 --> 00:23:16.539
The virus also tricked the monitoring software to make it look like nothing was wrong and

00:23:16.539 --> 00:23:19.130
made it look like it was spinning at normal speed.

00:23:19.130 --> 00:23:25.580
Finally, the centrifuge itself would be infected to alter the actual spinning speeds.

00:23:25.580 --> 00:23:27.519
This virus is a masterpiece.

00:23:27.519 --> 00:23:32.179
The level of sophistication, precision, stealthiness, and effectiveness have never been rivaled

00:23:32.179 --> 00:23:33.980
in any malware ever discovered.

00:23:33.980 --> 00:23:38.740
It’s truly an unbelievable, amazing piece of malware.

00:23:38.740 --> 00:23:42.830
The virus was built and it was ready to infect the systems but the problem was still getting

00:23:42.830 --> 00:23:44.460
over that air gap.

00:23:44.460 --> 00:23:49.190
They tried to get the virus onto the systems within Natanz but it just wasn’t working.

00:23:49.190 --> 00:23:53.440
We think it was probably the NSA who crafted this virus but then the CIA or Israel’s

00:23:53.440 --> 00:23:57.880
Mossad likely tried to get it on the computers of the people working at the Natanz facility.

00:23:57.880 --> 00:24:01.549
But for whatever reason the virus wasn’t getting onto the right systems or infecting

00:24:01.549 --> 00:24:03.710
enough of the machines in the facility.

00:24:03.710 --> 00:24:07.710
By this time the intelligence units in Israel had been collaborating with the US on this

00:24:07.710 --> 00:24:08.710
attack.

00:24:08.710 --> 00:24:12.550
Both Israel and the US were modifying and programming Stuxnet and then sharing code

00:24:12.550 --> 00:24:13.889
between each other.

00:24:13.889 --> 00:24:18.460
Since it wasn’t quite infecting the facility well enough, a more aggressive spreading mechanism

00:24:18.460 --> 00:24:19.899
was added to the virus.

00:24:19.899 --> 00:24:25.960
KIM: They used a worm and because of that, they would infect any Windows system that

00:24:25.960 --> 00:24:26.960
Stuxnet encountered.

00:24:26.960 --> 00:24:30.740
It would deposit the payload but again, the payload wouldn’t affect those systems unless

00:24:30.740 --> 00:24:32.960
it had the configuration that Stuxnet was seeking.

00:24:32.960 --> 00:24:38.179
JACK: US and Israel worked together to very precisely target Natanz with this virus.

00:24:38.179 --> 00:24:42.830
[MUSIC] The virus was introduced to the network of some contractors that were known to go

00:24:42.830 --> 00:24:43.830
into Natanz.

00:24:43.830 --> 00:24:48.649
Either through a USB or a shared drive, the worm had spread onto their computers.

00:24:48.649 --> 00:24:53.590
The virus then sat on their computers and waited to be taken into the Natanz facility.

00:24:53.590 --> 00:24:57.950
When the contractor with the infected computer went into the facility the virus spread all

00:24:57.950 --> 00:25:03.009
through the network, infecting the exact systems [00:25:00] it was programmed to attack.

00:25:03.009 --> 00:25:05.720
This was pay dirt for the virus.

00:25:05.720 --> 00:25:10.730
From within the network it spread to many more systems, infecting the computers that

00:25:10.730 --> 00:25:16.169
controlled the centrifuges but there was a mistake in the virus, a bug in the bug.

00:25:16.169 --> 00:25:20.260
The spreading mechanism was too aggressive; the worm that was added to it spread beyond

00:25:20.260 --> 00:25:22.620
the target network of Natanz.

00:25:22.620 --> 00:25:25.690
Computers that were connected to the same shared drives as the virus were also getting

00:25:25.690 --> 00:25:29.480
infected and then those computers were taken to other networks and infecting other systems

00:25:29.480 --> 00:25:30.480
there.

00:25:30.480 --> 00:25:34.640
Soon the virus became out of control and was infecting systems all over Iran and the rest

00:25:34.640 --> 00:25:35.640
of the world.

00:25:35.640 --> 00:25:37.270
The worm was on the loose.

00:25:37.270 --> 00:25:43.660
When the US military found this Stuxnet worm was spreading rapidly, it was horrible news.

00:25:43.660 --> 00:25:44.809
This wasn’t supposed to happen.

00:25:44.809 --> 00:25:46.130
This was a big mistake.

00:25:46.130 --> 00:25:48.630
This may blow their cover and reveal their secret weapon.

00:25:48.630 --> 00:25:52.930
A meeting was held in the Situation Room to inform President Obama and Vice President

00:25:52.930 --> 00:25:56.840
Biden that this worm had gotten out of hand and may soon be discovered.

00:25:56.840 --> 00:26:00.929
The President and Vice President were deeply troubled by this but they allowed the attacks

00:26:00.929 --> 00:26:02.360
to continue.

00:26:02.360 --> 00:26:06.360
Stuxnet was present on the Windows computers that controlled the centrifuges and the centrifuges

00:26:06.360 --> 00:26:08.500
in the Natanz facility were infected, too.

00:26:08.500 --> 00:26:12.799
After the computers were infected the virus would sit and wait for weeks.

00:26:12.799 --> 00:26:18.889
It would listen and record what normal behavior looked like so it could replay this back during

00:26:18.889 --> 00:26:21.769
the attack.

00:26:21.769 --> 00:26:25.510
After a couple weeks, the virus instructed the centrifuge to significantly increase in

00:26:25.510 --> 00:26:28.800
revolutions per second, but only for fifteen minutes.

00:26:28.800 --> 00:26:32.460
This would be an attempt to knock it off its axis or cause a wobble.

00:26:32.460 --> 00:26:36.169
Then the spinning would return to normal again for a few more weeks.

00:26:36.169 --> 00:26:40.200
This temporary change in spinning speed could be enough to damage the centrifuge so that normal

00:26:40.200 --> 00:26:42.510
spin speeds would damage it more.

00:26:42.510 --> 00:26:46.380
Because if centrifuges were breaking during normal operations this would certainly hide

00:26:46.380 --> 00:26:49.309
that sabotage and covert operations were at hand.

00:26:49.309 --> 00:26:53.299
If the centrifuge continued to operate after another twenty-six days, it would slow down

00:26:53.299 --> 00:26:56.820
to just barely spinning and then back up again to normal spin speed.

00:26:56.820 --> 00:27:00.960
Changing the speed could cause the centrifuge to wobble off-balance just enough that it

00:27:00.960 --> 00:27:05.210
could damage it, but also by slowing down the speed it would drastically reduce their

00:27:05.210 --> 00:27:08.169
enrichment process, also slowing the program.

00:27:08.169 --> 00:27:13.019
The subtlety of this attack was very precise.

00:27:13.019 --> 00:27:17.309
Centrifuges began randomly producing less enriched gas and some were getting damaged.

00:27:17.309 --> 00:27:20.789
The change in the spinning was enough to damage them to the point where they would waste gas

00:27:20.789 --> 00:27:23.470
inside them or they just wouldn’t work anymore.

00:27:23.470 --> 00:27:27.260
This baffled scientists and engineers because the monitoring systems all showed everything

00:27:27.260 --> 00:27:31.710
was working fine yet some centrifuges were changing their speeds randomly.

00:27:31.710 --> 00:27:35.230
Because an attack like this had never been seen before, the scientists didn’t suspect

00:27:35.230 --> 00:27:39.120
that a virus would do this but they couldn’t figure out what it was.

00:27:39.120 --> 00:27:43.200
We don’t know the exact destruction caused within the facility but cameras installed

00:27:43.200 --> 00:27:47.429
by the nuclear inspectors saw the Iranians were disassembling centrifuges and removing

00:27:47.429 --> 00:27:48.950
large amounts of equipment.

00:27:48.950 --> 00:27:54.080
Upon the next inspection report it was noted that there were around 1,000 fewer working

00:27:54.080 --> 00:27:57.129
centrifuges compared to the last report.

00:27:57.129 --> 00:28:01.890
Because of this we believe the Stuxnet virus had successfully damaged around 1,000 centrifuges.

00:28:01.890 --> 00:28:09.350
The loss of 1,000 centrifuges and a bunch of the gas being used in them was a huge setback

00:28:09.350 --> 00:28:11.780
for Iran’s nuclear facility.

00:28:11.780 --> 00:28:14.960
Catastrophic damage was done to this facility but nobody was harmed during it.

00:28:14.960 --> 00:28:19.880
They had a very limited supply of both centrifuges and gas and couldn’t simply go buy more.

00:28:19.880 --> 00:28:24.060
Iran had more materials but this event destroyed a significant percentage of it.

00:28:24.060 --> 00:28:29.340
[MUSIC] The head of Iran’s atomic energy organization resigned at the same time and

00:28:29.340 --> 00:28:33.200
we can only speculate that his resignation occurred because of how damaging this attack

00:28:33.200 --> 00:28:35.350
was to the atomic program.

00:28:35.350 --> 00:28:39.720
While this sabotage did cause significant damage to the facility, it only slowed Iran’s

00:28:39.720 --> 00:28:43.750
nuclear program momentarily; very quickly they tried to replace all the centrifuges

00:28:43.750 --> 00:28:46.840
with new ones and get back to enriching.

00:28:46.840 --> 00:28:50.139
Around this time, because of the nature of how aggressive the virus had spread around

00:28:50.139 --> 00:28:55.019
the world, security researchers from Symantec began noticing this virus and analyzing it

00:28:55.019 --> 00:28:57.140
and reporting about it.

00:28:57.140 --> 00:29:02.039
The team at Symantec studied the malware and eventually realized the complexity and sophistication

00:29:02.039 --> 00:29:05.419
of this worm was unlike anything they’d ever seen.

00:29:05.419 --> 00:29:10.090
Surely it was created by a nation state actor, somebody with an enormous amount of resources

00:29:10.090 --> 00:29:14.690
and a strong understanding of the technology he had to make this, which made the Symantec

00:29:14.690 --> 00:29:17.289
team very nervous to study it further.

00:29:17.289 --> 00:29:21.710
They knew if they published their findings it would expose this entire operation and

00:29:21.710 --> 00:29:25.470
they thought whatever nation state actor created it probably didn’t want them blowing their

00:29:25.470 --> 00:29:26.539
cover.

00:29:26.539 --> 00:29:31.070
But the team at Symantec had a duty and that was to publish malware when they found it so

00:29:31.070 --> 00:29:33.220
they published their findings.

00:29:33.220 --> 00:29:39.130
While the Iranians were struggling and scrambling to try to stabilize their enrichment facility,

00:29:39.130 --> 00:29:45.200
the Symantec report tipped them off that these centrifuges had been sabotaged by this virus.

00:29:45.200 --> 00:29:49.789
Immediately they shut down the facility and wiped the viruses off all systems in there.

00:29:49.789 --> 00:29:54.130
The Iranian President told the press, quote, “They succeeded in creating problems for

00:29:54.130 --> 00:29:58.360
a limited number of our centrifuges with the software they installed in electronic parts.

00:29:58.360 --> 00:30:00.399
They did a bad thing.

00:30:00.399 --> 00:30:04.309
Fortunately [00:30:00] our experts discovered that and today they are not able to do that

00:30:04.309 --> 00:30:06.309
anymore.” End quote.

00:30:06.309 --> 00:30:09.950
By trying to figure out who conducted this cyber-attack, you map out a few things.

00:30:09.950 --> 00:30:13.889
First, who would have the motive to sabotage Iran’s nuclear program?

00:30:13.889 --> 00:30:19.190
Second, who has the capabilities of creating a virus with four zero-days in it?

00:30:19.190 --> 00:30:23.090
Just those two questions alone narrow down the potential attackers to less than five

00:30:23.090 --> 00:30:24.340
suspects.

00:30:24.340 --> 00:30:28.470
You could imagine the local Iranian news was desperate to speculate who was behind this

00:30:28.470 --> 00:30:31.520
and provided many scenarios that may have happened.

00:30:31.520 --> 00:30:35.870
They speculated that the US and Israel were behind this attack.

00:30:35.870 --> 00:30:39.510
At this point it seemed like another plan went into effect.

00:30:39.510 --> 00:30:43.980
Nuclear enrichment is hard and you need very smart scientists to bring it along so once

00:30:43.980 --> 00:30:50.620
Iran continued to enrich the uranium again, assassinations started happening; two separate

00:30:50.620 --> 00:30:56.389
car bombs exploded at nearly the same time in Iran, one killing a quantum physicist that

00:30:56.389 --> 00:31:01.090
had been working at Natanz, and the other seriously injured a high-ranking official

00:31:01.090 --> 00:31:02.980
in Iran’s Ministry of Defense.

00:31:02.980 --> 00:31:09.289
A few months later a car bomb killed another nuclear scientist and two years after that,

00:31:09.289 --> 00:31:17.529
the Director of the Natanz nuclear facility was also killed in a similar explosion.

00:31:17.529 --> 00:31:21.840
It was because of how aggressive the spreading mechanism was within Stuxnet that the world discovered

00:31:21.840 --> 00:31:22.840
this virus.

00:31:22.840 --> 00:31:26.480
KIM: If those spreading mechanisms hadn’t been added to Stuxnet we might still not know

00:31:26.480 --> 00:31:27.999
about this.

00:31:27.999 --> 00:31:34.330
Stuxnet could have continued for years to conduct its sabotage.

00:31:34.330 --> 00:31:41.669
But it was that sloppiness, that recklessness that exposed it and really endangered the

00:31:41.669 --> 00:31:42.669
program.

00:31:42.669 --> 00:31:48.120
That doesn’t mean that there isn’t current activity going on but it definitely put the

00:31:48.120 --> 00:31:54.230
Iranians on notice of what was happening and made them more suspicious and careful.

00:31:54.230 --> 00:31:57.960
JACK: Reports say that the US President and Vice President were particularly upset about

00:31:57.960 --> 00:31:59.830
Stuxnet being discovered.

00:31:59.830 --> 00:32:04.389
This was supposed to be a covert operation that nobody would ever find out about.

00:32:04.389 --> 00:32:11.289
KIM: They were angry about the spreading mechanisms because until then Stuxnet had been very controlled

00:32:11.289 --> 00:32:13.080
and precise.

00:32:13.080 --> 00:32:20.269
When the Israelis added the spreading mechanisms, that’s what launched Stuxnet outside of

00:32:20.269 --> 00:32:23.320
Natanz and it started spreading wildly out of control.

00:32:23.320 --> 00:32:25.690
That’s what got it exposed.

00:32:25.690 --> 00:32:30.620
They were angry because apparently they didn’t know that the Israelis were going to be adding

00:32:30.620 --> 00:32:31.900
these spreading mechanisms.

00:32:31.900 --> 00:32:37.110
JACK: But what group in the Israeli government helped develop this virus and launch it?

00:32:37.110 --> 00:32:40.509
Some of my keen listeners may be jumping out of their seats right now saying it was Unit

00:32:40.509 --> 00:32:46.039
8200 and in fact, dozens of news agencies did point fingers at 8200 for doing this.

00:32:46.039 --> 00:32:47.510
But it may not be that simple.

00:32:47.510 --> 00:32:50.049
KIM: I wouldn’t point fingers at 8200.

00:32:50.049 --> 00:32:56.370
They seem logical because they have the technical abilities but again, this was very, very specific

00:32:56.370 --> 00:32:59.759
knowledge of industrial control systems that was needed for this attack.

00:32:59.759 --> 00:33:04.350
It’s not clear that 8200 had that knowledge.

00:33:04.350 --> 00:33:10.909
Dimona, where they have centrifuges, where they have industrial control systems, they

00:33:10.909 --> 00:33:12.610
have a lot of expertise down there.

00:33:12.610 --> 00:33:23.350
That’s why I’m saying that it’s a little foggy who the exact people were pointed to.

00:33:23.350 --> 00:33:29.120
In the US here, you can have people who are working at Idaho National Lab which is under

00:33:29.120 --> 00:33:34.450
the energy department but they can be – there’s a special word for it.

00:33:34.450 --> 00:33:38.049
It’s not lent, but they can be lent out, for instance to the FBI, they can be lent

00:33:38.049 --> 00:33:39.159
out to the NSA.

00:33:39.159 --> 00:33:44.870
When you say that the NSA does it, it can actually be [inaudible] from the energy department,

00:33:44.870 --> 00:33:45.870
really.

00:33:45.870 --> 00:33:52.409
Energy labs, Department of Energy labs, who are borrowed out, let’s say, to the NSA

00:33:52.409 --> 00:33:55.080
for their expertise and for specific projects and things like that.

00:33:55.080 --> 00:33:59.190
JACK: Clearly this was a joint effort between the Department of Energy, which is still surprising

00:33:59.190 --> 00:34:01.800
to me, the NSA, the CIA, and Israel.

00:34:01.800 --> 00:34:04.870
This was a very covert operation, extremely hush-hush.

00:34:04.870 --> 00:34:07.960
The people who were working on it probably didn’t even understand the full purpose

00:34:07.960 --> 00:34:09.610
of what they were doing.

00:34:09.610 --> 00:34:14.720
Still today, the United States has never admitted to conducting this attack or conducting any

00:34:14.720 --> 00:34:16.899
cyber-attack ever.

00:34:16.899 --> 00:34:19.520
How do we know so strongly who was behind this?

00:34:19.520 --> 00:34:22.500
Well, like I was saying before, Kim did her research.

00:34:22.500 --> 00:34:26.929
The Symantec team who first studied this virus released a sixty-seven page report about everything

00:34:26.929 --> 00:34:28.740
Stuxnet was capable of.

00:34:28.740 --> 00:34:32.710
This gained the interest of many more security researchers and journalists who also published

00:34:32.710 --> 00:34:33.710
papers.

00:34:33.710 --> 00:34:38.200
We also see from documents that Snowden leaked that the president did, in fact, sign executive

00:34:38.200 --> 00:34:40.030
orders to use cyber weapons.

00:34:40.030 --> 00:34:42.940
But there was another leak somewhere in the government.

00:34:42.940 --> 00:34:47.859
Someone had told David Sanger, a reporter for the New York Times, some classified information

00:34:47.859 --> 00:34:53.300
about Stuxnet which resulted in an eye-opening article about how Israel, Bush, and Obama

00:34:53.300 --> 00:34:56.109
had authorized this cyber-attack.

00:34:56.109 --> 00:34:59.040
The press questioned President Obama about this.

00:34:59.040 --> 00:35:01.869
OBAMA: David Jackson.

00:35:01.869 --> 00:35:05.650
DAVID: Thank you, sir.

00:35:05.650 --> 00:35:09.609
[00:35:00] There are a couple interesting details about national security issues.

00:35:09.609 --> 00:35:10.860
There are reports of cyber-attacks on the Iranian nuclear programs that you ordered.

00:35:10.860 --> 00:35:11.860
What’s your reaction to this information getting out in public?

00:35:11.860 --> 00:35:19.430
OBAMA: First of all, I’m not gonna comment on the details of what are supposed to be

00:35:19.430 --> 00:35:30.740
classified items, which is why, since I’ve been in office, my attitude has been zero

00:35:30.740 --> 00:35:40.220
tolerance for these kinds of leaks and speculation.

00:35:40.220 --> 00:35:49.380
Now, we have mechanisms in place where if we can root out folks who have leaked, they

00:35:49.380 --> 00:35:51.320
will suffer consequences.

00:35:51.320 --> 00:35:54.880
In some cases it’s criminal.

00:35:54.880 --> 00:35:59.750
These are criminal acts, when they release information like this.

00:35:59.750 --> 00:36:04.310
We will conduct thorough investigations as we have in the past.

00:36:04.310 --> 00:36:08.430
JACK: After that thorough investigation, US Marine General James Cartwright was found

00:36:08.430 --> 00:36:13.230
guilty of lying to the FBI about whether he had talked to a reporter about this.

00:36:13.230 --> 00:36:16.920
But two weeks before his sentencing hearing, President Obama pardoned General Cartwright

00:36:16.920 --> 00:36:20.750
from any wrongdoing which allowed this case to be dropped.

00:36:20.750 --> 00:36:24.849
There are a million more articles, interviews, and pieces of information about Stuxnet that

00:36:24.849 --> 00:36:27.060
came out which help us put all these pieces together.

00:36:27.060 --> 00:36:31.430
That’s why we can give you a timeline today of how this got started, where it got started,

00:36:31.430 --> 00:36:35.150
why it got started, who did it, and all the different versions involved.

00:36:35.150 --> 00:36:39.270
From that point the US and other nations worked with Iran to try to come up with an agreement

00:36:39.270 --> 00:36:42.119
and in 2015, they did.

00:36:42.119 --> 00:36:47.921
OBAMA: Today, after two years of negotiations, the United States together with our international

00:36:47.921 --> 00:36:54.470
partners has achieved something that decades of animosity has not; a comprehensive, long-term

00:36:54.470 --> 00:36:59.180
deal with Iran that will prevent it from obtaining a nuclear weapon.

00:36:59.180 --> 00:37:03.430
JACK: Israel wasn’t entirely happy with this deal as it still allowed Iran to develop

00:37:03.430 --> 00:37:05.790
nuclear power, just not nuclear weapons.

00:37:05.790 --> 00:37:09.010
In fact Iran never did say they were developing nuclear weapons.

00:37:09.010 --> 00:37:12.280
They claimed it was always a civilian nuclear program.

00:37:12.280 --> 00:37:14.600
But one thing hangs in my head still.

00:37:14.600 --> 00:37:16.760
Was this an act of war?

00:37:16.760 --> 00:37:18.940
Was this a strike during peace time with Iran?

00:37:18.940 --> 00:37:19.940
Here’s Kim.

00:37:19.940 --> 00:37:24.920
KIM: It’s naïve to think that governments don’t engage in activities that are just

00:37:24.920 --> 00:37:28.441
below the threshold of all-out war and attack.

00:37:28.441 --> 00:37:30.550
They do it all the time.

00:37:30.550 --> 00:37:35.860
When diplomacy doesn’t work, when diplomacy is being engaged, in place of diplomacy, it

00:37:35.860 --> 00:37:36.860
happens all the time.

00:37:36.860 --> 00:37:42.540
We don’t know what wars are averted because governments have engaged in other things to

00:37:42.540 --> 00:37:46.500
achieve ends that otherwise might be achieved by war.

00:37:46.500 --> 00:37:51.950
The fact that it was done during a time of peace and it was done to avoid an all-out

00:37:51.950 --> 00:37:56.510
war, I think that there are people that would condemn the US for doing this.

00:37:56.510 --> 00:38:07.260
But I think that ultimately if Iran’s program was indeed an illicit weapons production program,

00:38:07.260 --> 00:38:11.050
the viewpoint of the US was that they actually saved lives by doing this.

00:38:11.050 --> 00:38:15.970
By not engaging in all-out warfare they were able to do this in a peaceful way that didn’t

00:38:15.970 --> 00:38:22.340
harm anyone and then ultimately prevented Iran from obtaining weapons that would have

00:38:22.340 --> 00:38:24.560
caused, of course, more bloodshed.

00:38:24.560 --> 00:38:30.599
So from that point of view, when you talk about the outrage of this being done, this

00:38:30.599 --> 00:38:36.540
being an act of force being done during a time of peace, from the US perspective it

00:38:36.540 --> 00:38:38.330
was done to actually keep peace.

00:38:38.330 --> 00:38:43.180
JACK: But Iran didn’t see it that way, especially because Iran claimed this was only a civilian

00:38:43.180 --> 00:38:44.560
nuclear program.

00:38:44.560 --> 00:38:48.250
The truth is there wasn’t much evidence to say this was a weapons program.

00:38:48.250 --> 00:38:53.160
If this wasn’t intended to make weapons, imagine how Iran must see Israel and the US

00:38:53.160 --> 00:38:54.160
now.

00:38:54.160 --> 00:38:57.560
They were already really angry with Israel but now here’s evidence of Israel attacking

00:38:57.560 --> 00:39:02.829
their innovation, but if this cyber-attack didn’t work, a bombing run might have been

00:39:02.829 --> 00:39:04.000
next.

00:39:04.000 --> 00:39:08.540
While this looks ugly, dropping bombs looks a lot uglier and would almost certainly result

00:39:08.540 --> 00:39:10.490
in bigger clashes.

00:39:10.490 --> 00:39:14.859
The discovery of Stuxnet was such a major revelation in the history of cyber-attacks.

00:39:14.859 --> 00:39:18.960
We could almost divide the timeline up of a pre-Stuxnet and post-Stuxnet world.

00:39:18.960 --> 00:39:23.000
Before, we weren’t exactly sure what the US government was capable of doing but now

00:39:23.000 --> 00:39:27.780
we see that not only is the US government using hacking to destroy and sabotage physical

00:39:27.780 --> 00:39:32.309
equipment within other nations, but they’re doing it with an extreme sophistication and

00:39:32.309 --> 00:39:33.309
precision.

00:39:33.309 --> 00:39:37.670
The number of zero-days found in this means the US government hoards zero-days and they

00:39:37.670 --> 00:39:41.750
keep them to use as a weapon to make us safer instead of telling the vendor to patch them,

00:39:41.750 --> 00:39:43.670
which would make us all safer too.

00:39:43.670 --> 00:39:48.750
This was a military-grade weapon which had the input of extremely knowledgeable scientists,

00:39:48.750 --> 00:39:50.860
engineers, and hackers.

00:39:50.860 --> 00:39:55.340
After this sabotage caused major setbacks to the Iranian nuclear program, Iran reinforced

00:39:55.340 --> 00:39:58.550
their efforts in building a cyber-army of their own and they weren’t going to take

00:39:58.550 --> 00:39:59.560
this lying down.

00:39:59.560 --> 00:40:04.349
A hack-back plan [00:40:00] was in the works and in the next episode we’ll see what Iran’s

00:40:04.349 --> 00:40:08.630
response was and that hack caused even more damage than what Stuxnet did.

00:40:08.630 --> 00:40:15.780
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries.

00:40:15.780 --> 00:40:18.960
A very special thanks to Kim Zetter for sharing this story with us.

00:40:18.960 --> 00:40:21.859
There’s so much more to Stuxnet than what we just covered.

00:40:21.859 --> 00:40:26.049
If this interests you at all you should definitely check out her book Countdown to Zero Day.

00:40:26.049 --> 00:40:27.200
You can even get it in audiobook.

00:40:27.200 --> 00:40:29.710
It’s so much more detailed and wonderfully written.

00:40:29.710 --> 00:40:33.000
I read it twice and each time I learned so much more than I previously knew and went

00:40:33.000 --> 00:40:34.710
down all kinds of rabbit holes.

00:40:34.710 --> 00:40:38.309
It’s eye-opening and fascinating so check out Countdown to Zero Day.

00:40:38.309 --> 00:40:43.099
Hey, if you liked this episode do me a huge favor and tell someone else to try the show.

00:40:43.099 --> 00:40:46.869
Word of mouth is my best method for spreading; maybe you could text someone you know right

00:40:46.869 --> 00:40:50.180
now and tell them hey, I think you’d like the podcast Darknet Diaries.

00:40:50.180 --> 00:40:51.180
Okay, thanks.

00:40:51.180 --> 00:40:54.880
This episode is made by me, the root-seeking missile, Jack Rhysider.

00:40:54.880 --> 00:40:58.200
Theme music was created by the piano tickler, Breakmaster Cylinder.

00:40:58.200 --> 00:41:01.910
I’m going to be releasing episodes every other Tuesday now, so look for another new

00:41:01.910 --> 00:41:03.200
episode in two weeks.
