Report: Obama Ordered Stuxnet to Continue After Bug Caused It to Spread Wildly
June 3, 2012
Kim Zetter / Threat Level, Wired Magazine
An error in the Stuxnet worm that attacked Iran's uranium enrichment program, caused the malware to spread wildly out of control and infect computers outside of Iran. President Barack Obama ordered US officials who were behind the attack to continue the operation despite the fact that Stuxnet was spreading to machines in the US and elsewhere and could have contained errors that could have affected US machines.
WASHINGTON (June 1, 2012) -- Despite an error in the Stuxnet worm that attacked Iran's uranium enrichment program, which caused the malware to spread wildly out of control and infect computers outside of Iran in 2010, President Barack Obama ordered US officials who were behind the attack to continue the operation.
That was despite the fact that Stuxnet was spreading to machines in the United States and elsewhere and could have contained other unknown errors that might affect US machines.
The information comes in a new report from The New York Times, which asserts that an error in the code led it to spread to an engineer's computer after it was hooked up to systems controlling the centrifuges at Iran's uranium enrichment plant near Natanz. When the engineer left the Natanz facility, he spread it to other machines, writes Times reporter David Sanger, based on a book he has written that will be released next week.
Sources told Sanger that they believed the Israelis introduced the error in the code.
"We think there was a modification done by the Israelis," an unidentified US source reportedly told the president, "and we don't know if we were part of that activity."
Vice President Joe Biden accused the Israelis of going "too far," a source told Sanger.
According to the Times, Obama wondered to advisers whether the attack should be discontinued after Stuxnet began spreading, believing the operation might have been irrevocably compromised.
"Should we shut this thing down?" Obama reportedly asked at a meeting in the White House Situation Room that included Biden and the director of the Central Intelligence Agency at the time, Leon E. Panetta.
But aides advised him that it should proceed since it was unclear how much the Iranians knew about the code, and the sabotage was still working.
At the time, security researchers were still furiously trying to figure out what Stuxnet was designed to do, and hadn't yet discovered that it was attacking the centrifuges in Iran. They would later determine that it was very targeted code that was tailor-made to attack only machines in Iran's enrichment program. Although it infected more than 100,000 computers in and out of Iran, it didn't do damage to those computers.
But given that US authorities appeared to be unclear about what the Israelis might have done to change the code, the exchange between Obama and his advisors seems to indicate that Obama gave the order to continue without the administration knowing precisely whether the code might damage other machines outside of Iran.
In weeks following that meeting, Sanger writes, while researchers at Symantec in the United States were still examining the code, the Natanz plant was hit by a newer version of the computer worm. A few weeks after Stuxnet was detected and disclosed in July 2010, the malware temporarily took out about 1,000 centrifuges in Iran.
The ongoing cyberattack authorized by Obama coincided with the Administration and members of Congress chastising China for its supposed roles in cyber-intrusions into government contractors, human rights groups and Western corporations. The Times piece notes that Obama was aware and concerned that the government's forays into cyberattacks would give justification to Iran, China and other entities conducting similar attacks against the United States.
According to the Times, the first Stuxnet attacks were launched in 2008, a date that is much earlier than previously believed. But those early attacks were small. No two attacks were alike so they caused confusion among the Iranians, who couldn't figure out the source of problems that were occurring with centrifuges.
By the time President Bush left office in January 2009, the operation had still not accomplished wholesale destruction of centrifuges, and the outgoing president urged Obama to continue the operation.
The story provides new details that expand on a story that Sanger reported in January 2011 when he wrote that Bush had authorized the cybersabotage plan against Iran before he left office, but that Obama had accelerated it once he was inaugurated in January 2009.
Sanger had previously written in 2011 that Israel and the United States had worked on the plan in partnership, and had tested it using centrifuges that had been seized from Libya's defunct nuclear enrichment operations in 2003, which were the same model of centrifuges being used at Natanz.
Sanger's latest story gets a little confusing in places. It jumps around in time and the organization of it makes it sound as if centrifuges were destroyed at Natanz before Bush left office at the beginning of 2009.
But reports from the U.N.'s nuclear monitoring agency, the International Atomic Energy Agency, indicate that centrifuges weren't destroyed until much later, likely beginning in the early fall of 2009, after Obama took office.
Because Sanger doesn't provide actual dates in his story, it's difficult to determine when exactly events are taking place that he describes. The piece indicates, however, that the Obama administration knew the worm had escaped Natanz before the worm was publicly disclosed in July 2010.
Researchers have uncovered a version of the worm that appeared to have been first launched in June 2009. In March 2010, the attackers launched a new more aggressive wave of attacks against Natanz, that researchers also recovered. It was this version of the worm that spread Natanz wider than intended and eventually led to its discovery.
Sanger describes at least two subsequent attacks of the code after it spread. This coincides with what researchers have found. They say a slightly different version of Stuxnet was released again in April 2010 and that a version of its driver was discovered in July 2010, signed with a new digital certificate, suggesting another version of Stuxnet might have been released at that time.
Sanger doesn't say what the error was that caused Stuxnet to spread. But researchers found that the attackers added a number of zero-day exploits to the code in the March 2010 attack that hadn't been in the code previously. These allowed the worm to spread automatically to many machines on the same network as well as to machines on separate networks.
According to the Times, the first stage of the attack operation involved the use of a cyberespionage tool, which Sanger calls a beacon, to siphon intelligence about Natanz's operations and technical configurations so that Stuxnet could be tailored to attack it.
Sanger doesn't mention the name of this "beacon," but researchers in Hungary last year discovered a piece of malware they dubbed DuQu, which many believe was the precursor to Stuxnet and was used to gain information from machines in Iran to design the Stuxnet code.
What Sanger describes, however, is code that was placed in control systems made by Siemens, that were being used at Natanz. The beacon was designed to map the operation of the controllers and create an electrical blueprint of the Natanz plant, and send the data back to the National Security Agency. This intelligence-gathering stage took months, according to the Times.
DuQu, however, was not designed to infect Siemens systems and was found on computers that were not running Siemens software. Most researchers also believe that the espionage part of the plot against the centrifuges began outside of Natanz, and that the infection spread from contractors to computers at Natanz, not the other way around.
According to sources who spoke with Sanger, Flame, the most recently discovered malware found infecting targeted machines in Iran and other Middle East countries, was not part of operation Olympic Games and declined to acknowledge whether the United States was behind it.
Posted in accordance with Title 17, Section 107, US Code, for noncommercial, educational purposes.