Did the Israeli-American Stuxnet Virus Launch a Cyber World War?
July 17, 2016 Gar Smith / Environmentalists Against War & Neta Alexander / Haaretz
A new documentary tells the story of Stuxnet, a computer virus developed, it is claimed, by Israel and the US to disrupt the Iranian nuclear project. In an interview, filmmaker Alex Gibney talks about Israel's responsibility for the revelation of the operation and its eventual spread around the world. Are we already in the midst of what Gibney calls 'World War 3.0'?
Zero Days: Alex Gibney's Disturbing Film Reveal the Dark Forces Behind the Stuxnet Computer Worm Gar Smith / Environmentalists Against War
(July 8, 2016) -- Welcome to the Brave New World of Cyber War. Our guide today is Alex Gibney, acclaimed director of Taxi to the Dark Side, We Steal Secrets, and ENRON: The Smartest Guys in the Room. We're in good hands: Gibney has been honored with Oscars, Emmys, Grammys, the Peabody, the Writers Guild of America Award and (in 2013) the International Documentary Association's Lifetime Achievement Award.
Several weeks ago, Gibney visited San Francisco for a Q&A following a press screening of Zero Days, his edgy new documentary about the Stuxnet computer virus that destroyed Iran's uranium centrifuges and went on to wreak cyber-havoc around the world.
Accompanying Gibney to the SF screening were Eric Chen and Liam O'Murchu, two local computer geeks from Semantec. Chen and O'Murchu are the "heroes" of the film. Their work-day job at Semantec is to protect computers from viruses and malware. To do that, they need to identify and track the nature of each example of cyber-snarkiness that comes their way. But they had never seen anything like the Sworm. (No one had.) It was these two guys who gave the worm its name.
Gibney's investigation makes a convincing case that the US (in partnership with Israel) created the worm to destroy Iran's nuclear processing ability. The suspicion is that US hoped to forestall an impending Israeli air attack that could have spread fallout over the region -- and may well have triggered a major (perhaps cataclysmic) war.
Zero Days dives behind the algorithmic veils of computer science to troll the complexities of cyberwar with keen eye and a curious mind. In a world of techno-terms and shorthand identifiers -- LLPs, P-1s, IR-2s -- it would be easy to loose track of the proceedings. (Take, for example, this explanation: "The ICS worm now developed would hit every machine on the net in an hour. Stuxnet would affect every Microsoft machine it encountered and would activate once it found a compatible LLP.") Fortunately, Gibney keeps the journey lively with cinematic tricks and lots of key-player interviews.
Watching the film's animated invocations of cyberspace leaves viewers swimming through a dark soup where billions of numbers and letters march and arch in lockstep to some unknowable purpose. Sometimes, in this vast swath of cosmic complexity, a single short line of identifiable code might be spotted. That, in turn, can lead to other bits of traceable data.
With enough pieces, a puzzle may begin to emerge. Then the challenge is to "solve" the puzzle. But when you're dealing with terabytes, petabytes, exabytes, zetabytes and yottabytes of data, "connecting the dots" becomes a Heculean task.
Surprise factoid: The Semantecnicians confirmed that you can use a Microsoft word search to look for -- and find -- tell-tale bits of hidden code.
The most memorable effect in Zero Days is an "anonymous" insider who appears as a disembodied female face suspended in a black void and defined by a floating veil of computerized netting. (Gibney explained the character's testimony is a composite of more than a dozen individuals who agreed to be interviewed on the promise of anonymity. He also explained that he chose to make his "insider" a female because "there were no other women in the film." Cyberwar, wouldn't you know, is still largely a "man's world.")
The Growing Problem of Cyberwar Attacks
In today's "connected" world, computers can be targeted for destruction just like the jihadists and "collaterals" on Obama's Tuesday Kill List. But instead of using a "killer drone" (courtesy of General Atomics, at 3 million taxpayer-dollars-per-shot) modern, militarized nation-states use complex codes that can be smuggled into an "enemy country" and covertly injected into a computer system via a thumbdrive. It's a new era of global combat. Call it the Code War.
In August 2012, an unprecedented hack-attack fried 30,000 Internet workstations at Saudi Arabia's massive ARAMCO oil facility. An unknown (and possibly fictitious) group called the "Cutting Sword of Justice" claimed responsibility for the disabling attack.
Beginning in September 2013, a series of cyber attacks began hammering major US banks over a period of weeks. Bank of America, Citigroup, Wells Fargo, US Bancorp, PNC, Capital One, BB&T and HSBC were all hit by sophisticated "distributed denial of service attacks."
In December 2015, when Ukraine's power grid went out for six hours it was clearly seen as a nation-state cyberattack. Desperate operators were forced to switch to manual mode -- flipping physical switches instead of typing orders on a keyboard. (The US generally doesn't have that "luxury" but some older systems made protection possible.)
In New York State, a small dam was attacked by an attempted cyber-strike but, fortunately, no serous damage was done. Were Iranian hackers behind this incident? Russia? China? If anyone knows, they aren't talking.
Cyberwar is a spreading menace: During the Q&A, Semantec's two cyber-sleuths estimated there have been 80 to 100 significant "government actions" over recent years.
The US may not have been the first out-of-the-gate in the cyber-war arms race, but it was soon in the saddle. "Once it happened," one insider recalls, it was a simple matter of realizing, ""Hey, we could be doing this."
So the US secretly devised a "superworm" of unprecedented power. But, something went wrong and, after taking out Iran's centrifuges (by causing them to spin with increasing speed until they self-destructed), the worm began to spread. It quickly spilled beyond Iran's borders and spread around the world, leaping from one hemisphere to the next, taking down thousands of computers as it multiplied and self-replicated. And eventually it "came home to roost," devastating systems in the US itself.
Even the Department of Homeland Security was kept out of the loop. The DHS had no response plan when the Stuxnet virus began to eat its way into the Homeland's computers. A DHS spokesperson later confessed: "We didn't know the threat was homemade."
Why did Stuxnet 'go rogue'? According to Gibney's investigation, it was a case of "blowback." Unbeknownst to the US, its co-partner Israel secretly changed the code to be more aggressive.
Three viruses were released. Some had longer play periods before they "activated." In the first version, the program allowed 12 days before activation. The activation trigger was shortened in later versions.
Behind the Wall of Secrecy
"There are so many secrets it's hard to get to the bottom of the story," Gibney told the roomful of reviewers. "Everything is secret. People could be playing games with you. It was not neat and tidy -- and that's what made it exciting."
There is a pervasive fear of prosecution (quietly and before special courts) for anyone who dares to reveal state secrets involving Washington's cyber warfare programs.
Gen. James Cartwright, a four-star general who was vice chair of the Joint Chiefs from 2007 to 2011, ran the cyber operation, (code name: Olympic Games) under the Bush and Obama administrations. In 2010, an attack by the Stuxnet worm disabled 1,000 centrifuges that the Iranians were using to enrich uranium.
Cartwright, the former second ranking officer in the US military became the target of a Justice Department investigation into a politically sensitive leak of classified information about Stuxnet.
Chien and O'Murchu spent months looking for encoded clues encased in the complex, multi-layered depths of the Stuxnet virus. They were virtually on their own: there was no academic or systemic record to explore. As one cyber-warfare insider explains, the whole enterprise is "hideously over-classified."
When the two investigators realized how advanced and complicated the code was, they began to get concerned about their own safety. After all, a number of nuclear scientists had been brutally assassinated in Iran (Israeli agents were suspected). Both Semantecers became convinced their phones were being tapped.
Gibney was also concerned about his own security. He explained that, while writing his screenplay, he relied on "encryption technology" to avoid the possibility that his work might be monitored online. In this case, "encryption technology" meant transcribing audio recordings of his interviews on an old-fashioned electronic typewriter.
Some observers believe the Stuxnet attack played a large role Iran's decision to agree to a nuclear deal with the West.
At the press conference, Gibney mentioned an interview with former Washington Post staffer Brian Krebs who specializes on cybercrime and security topics. The Krebs interview was deleted from the film but you can expect to see it on the "bonus reel" when Zero Days in released on the DVD.)
NEW YORK (July 15, 2016) -- The two following assertions sound like something out of a James Bond movie: 1. We are in the midst of a new global war on a scale of the world wars of the 20th century, and, 2. The countries that have declared and launched the war refuse, in effect, to acknowledge its existence -- or being held accountable for its outcome.
These notions are not some Hollywood fantasy: They underlie "Zero Days," the new film by the Oscar-winning American documentary filmmaker Alex Gibney.
The film is based on years of in-depth research, carried out with the help and cooperation of more than 100 journalists, information security experts, senior personnel at the US National Security Agency and the Central Intelligence Agency, and Israeli figures including Yuval Steinitz, the national infrastructure minister who is also responsible for the Atomic Energy Commission, and the former director of Military Intelligence, Maj. Gen. (res.) Amos Yadlin.
"Zero Days" tells the constantly surprising story of the Stuxnet computer virus, which, according to Gibney and his sources, was developed by Israel and the United States during 2007-2008 in order to thwart the Iranian nuclear enterprise.
Considerable information about the virus, including Israeli and US involvement in its development, became public in September 2010, a few months after Stuxnet was first detected by information security firms.
In the six years that have elapsed, The New York Times, The Washington Post and other important media outlets have revealed additional details about the subject. Neither Israel nor the United States, however, has ever admitted its involvement in creating the virus, nor have they taken responsibility for its subsequent unexpected and aggressive spread around the world, in the course of which it attacked American computer networks and infrastructure facilities.
The purpose of Gibney's documentary, which had its Israeli premiere this week at the Jerusalem Film Festival (where it has a final screening on July 16), then, is to generate a public discussion on questions that have not otherwise been addressed because of ostensible security considerations.
In light of the 62-year-old filmmaker's career– he won an Academy Award for best documentary feature for Taxi to the Dark Side (2007) and was nominated for one for Enron: The Smartest Guys in the Room (2005) -- it wouldn't be surprising if he took home yet another gilded statuette next winter. However, he says, "If the film is recognized [by the Academy] that would be great, but I don't make films for that reason."
He got the idea for "Zero Days," he explained in an interview in New York last month, from Marc Shmuger, one of the producers of his 2013 documentary We Steal Secrets: The Story of WikiLeaks:
"I started out making a small film investigating Stuxnet, the self-replicating computer virus invented by the US and Israel to infiltrate and sabotage the Iranian nuclear centrifuges at Natanz.
"What I discovered was a massive clandestine operation involving the CIA, the NSA, the US military and Israel's intelligence agency Mossad, to build and launch secret cyber 'bombs' that could plunge the world into a devastating series of crisscrossing attacks on critical infrastructure, shutting down electricity, poisoning water supplies and turning cars, trains and planes into deadly weapons."
Do you believe that a cyberwar could be as dangerous, or even more dangerous, than aerial bombing that causes mass deaths, or than nuclear weapons, for example?
"From a moral perspective, I think we should take cyber weapons extremely seriously. I think this was the point of making this film. While these weapons are still at a relatively unadvanced stage -- though even at this stage they can shut down entire grids -- we should be looking at them, and that was reason why a number of the sources came forward. They were convinced that the people in the US Cyber Command didn't have a sufficiently full appreciation of the damage that these weapons can do.
"The nuclear comparison can be overdone -- when you shut down grids, people are not eviscerated in a nuclear explosion -- but still, these weapons can wreak destruction. So much of the machinery and the controls that manipulate the machines that keep our society running were never intended to be integrated in this way with the Internet. We don't know what the problem might be like in 10 or 20 years, and that is a big issue.
"Unlike the agreements we now have regarding nuclear or chemical weapons, there are no guidelines when it comes to cyberwars. And the use of malware can be kept secret -- attribution is very difficult. Think how long everybody was arguing about whether the Sony hack [in 2014] really originated in North Korea. And there were a number of grid attacks on Ukraine, which were attributed to Russia [but never confirmed].
"So, attribution is difficult, raising the specter of false flags and mistaken counterattacks that could lead to a cyber world war. Our sources have confirmed that, since the launch of Stuxnet, offensive cyber operations -- conducted by nation-states -- are an everyday occurrence. They are expanding exponentially."
Indeed, although the history of computer viruses dates back to the 1960s, the original idea was for the malware to spread as rapidly as possible from computer to computer, irrespective of the users' identity. Stuxnet, in contrast, was a "designated" virus that was developed specifically to disable control systems at the Natanz facility, in Iran's Isfahan province.
There were cyberattacks before Stuxnet, Gibney notes, "but I think what made Stuxnet important," he says, "is that you had a piece of malware that was developed by a nation-state specifically to take control over a PLC [programmable logic controller, which controls the speed and various functions of the centrifuges]. It worked by effectively spying on the system for a number of days and then launching an attack on its own.
"The Iranians had no idea what had hit them, and that level of capability is extraordinary in itself."
Gibney adds that once Tehran realized what had happened, "they established the Iranian Cyber Army. In a sense, Stuxnet gave Iran, China, Russia and any other country a Rosetta Stone for cyber weapons that could be used in a future war." In other words, what started out as a secret operation has become a model for future attempts to develop malware specifically meant to spy on, and eventually destroy, grids and facilities across the world.
Atomic Love Affair
To get a handle on the genesis of this form of weaponry, we need to go back to the 1970s. In "Zero Days," David E. Sanger, a senior New York Times correspondent who has been reporting on Stuxnet since 2010, asks how the Iranians obtained their first facility for uranium enrichment. To which he gives his own amused reply: "Very simple: We [Americans] gave it to them."
According to Sanger, President Richard Nixon was an ardent supporter of the Iranian nuclear project and provided Tehran with assistance in building nuclear facilities during the period of the shah (who ruled Iran from 1941 to 1979).
The atomic love affair between the two countries came to an abrupt halt in 1979, however, after the shah's ouster, when Iran adopted a stridently anti-American posture under the regime of the ayatollahs.
Nevertheless, Iran did not abandon its nuclear ambitions. On the contrary: Its war with Iraq (1980-88) convinced the country's leaders that it was urgently necessary to develop nuclear weapons as a defensive deterrent. In the decades that followed, Iran built several uranium-enrichment facilities, including the Natanz site.
Toward the end of the presidency of George W. Bush, with the United States entangled in Iraq and Afghanistan, Washington made every effort to avoid the emergence of an Iranian front. Gen. Michael Hayden, who was CIA director from 2006 to 2009 and is a key interviewee in "Zero Days," states on camera that Washington believed that Israel would mount an air force attack on Iran by itself, on the assumption that the United States would then join in. The Israelis' goal would presumably be not to derail the nuclear project in Iran, but to drag the United States into a war with that country, Hayden told Gibney.
In order to dispel some of the tension with the US, Israel suggested the development of a computer virus that would disrupt the activity of Iran's centrifuges, and thus significantly set back the country's nuclear project.
Gibney notes that in contrast to other malware, which infiltrates computers when activated by an external command, Stuxnet operates autonomously. Once in the system, it is capable of taking control without additional outside intervention.
According to the film, everything went so smoothly -- the virus destroyed hundreds of centrifuges at Natanz -- that Israel decided to create another, far more aggressive version, and that's when things began to go awry.
What do you think would have happened if Israel had not developed the new version of Stuxnet?
"Once the initial mission was accomplished, the US said, 'Okay, let's cool it now.' But the Israelis wanted more destruction, so they adapted the code and released a newer version. The code was extremely viral and spread across the world. But there was a flaw in the code, which started to shut down computers uncontrollably -- and that tipped off cyber security experts everywhere."
Indeed, many of those interviewed in "Zero Days" cite similar allegations about Israel's -- and Prime Minister Netanyahu's -- over-eagerness to expand the use of Stuxnet, which resulted in the operation's exposure and the global spread of the virus.
According to Sanger, the discovery of the code, reported in the media, infuriated the administration. Vice President Joe Biden blew his stack during a meeting in the White House situation room and said that it must be the Israelis who were behind the leak.
Yet, despite the spate of reports in the international media, President Barack Obama denied vehemently any American involvement in the creation of Stuxnet. Instead of issuing public statements, Obama declared a "zero tolerance" policy toward leakers, and his administration was more occupied with pursuing Sanger's sources (among them the former vice chairman of the Joint Chiefs of Staff, retired Gen. James Cartwright) than with answering reporters' questions on the subject.
It was the new and more aggressive version of the malware that ultimately led to Stuxnet attacking American infrastructure facilities. The height of absurdity occurred when American cyberwar experts identified the assault and assumed that it was Russian or Chinese in origin.
Their mistake was due to the fact that the NSA, determined to preserve the operation's secrecy, failed to update other governmental agencies about the virus' existence.
In the meantime, reprisal attacks had begun. In 2012, Iranian hackers attacked an oil-drilling company and subsequently a number of American banks. Since the virus' existence became known, the Iranians have recruited hundreds of engineers into their Iranian Cyber Army, which within a few years became one of the largest forces of its kind anywhere.
"World War 3.0," as Gibney calls the global cyberwar that began around 2010, also played a significant part in the agreement that was signed between the world powers and Tehran on July 14, 2015, over the protests of Netanyahu and other senior Israeli figures.
Obama, Gibney says, knew he was coming to the negotiating table from a position of power, because the United States has the ability to strike at Iranian infrastructures if Tehran violates the terms of the accord.
Based on your conversations with senior people in the Israeli and American security systems, do you think the Stuxnet episode is the cause of the strained relations between Obama and Netanyahu?
"The origins of the Stuxnet plan were during the Bush administration. Then Obama -- like he did with the use of drones -- ratchets it up. I think there were a lot of issues between Obama and Netanyahu, but this was a contributing factor, particularly since I think that Obama inherited the idea from Bush that the whole notion of the Stuxnet weapon was not so much to attack Iran as to prevent Israel from dropping a bomb on Iran."
Did the snafu that led to the Iranians' discovery of Stuxnet affect the negotiations that led to the nuclear agreement with Iran?
"I think both Iran and the US were happy with the fact that they made a deal. For Obama, knowing that he has a much more powerful [cyber-offense] program, called Nitro Zeus, certainly informed the parameters of the deal.
"While Obama was widely criticized -- both in Israel and at home -- for being 'too weak' and not getting a 'good enough' deal -- another way of looking at it is that he was sitting there thinking, 'If they cheat, we have a new weapon that can make things increasingly difficult for them.' They knew that the US could virtually shut down the entire country in the event that Iran cheated on the deal."
Ticking "Cyber Bombs"
Indeed, one of the major revelations in "Zero Days" is that the Stuxnet affair was only a small part of a broad policy overhaul in which the United States moved from the development of defenses against cyberattacks, to developing malware for offensive purposes.
Nitro Zeus, whose existence is mentioned toward the end of Gibney's documentary, was an ambitious plan aimed at monitoring, and if necessary attacking, disrupting and destroying such essential infrastructure as the supply of electric power, fuel and water, and also aerial defense systems.
According to an article published in The Times last February, Nitro Zeus -- which was planned and developed by thousands of American military and intelligence personnel at an estimated cost of tens of millions of dollars -- is part of a secret cybernetic assault plan that was designed as a safety net in the event Iran refused to sign a nuclear accord or violated its terms after signing.
According to Gibney, the switch from defense to offense, and the attempt to deter other countries from developing cyberwar options against the United States was unsuccessful.
"Russia, China and North Korea have attacked the United States in one way or another," Gibney says, adding, "There are apparently thousands of ticking 'cyber bombs' that have been infiltrated into American computers and are capable of damaging infrastructure facilities, including electric power, water purification, transportation and more."
Why does the film focus on Stuxnet, whose existence was already known, and not on Nitro Zeus?
"Stuxnet is the Pandora's Box story. It is the moment when a new weapon is unleashed, just like in Hiroshima and Nagasaki. It was the first malware able to jump from the cyber realm into the physical one, so it was important to deal with it in detail and tell this origin story.
While we were doing the film about Stuxnet, we discovered Nitro Zeus. It demonstrates the momentum of cyberwar: Nitro Zeus shows that Stuxnet was not a one-of-a-kind occurrence."
Did Israel have anything to do with Nitro Zeus?
"As far as we know, it wasn't Israel, but rather the US Cyber Command and the NSA."
Does the program still exist?
"We are fairly certain that the US is still spending money on developing powerful cyber weapons, but we don't know for certain whether Nitro Zeus is still in effect. It was recently reported by David Sanger that some of the weapons we're using against ISIS are cyber weapons.
This is one of the first times that the US government has actually come forward and said, 'Yes, we're using cyber weapons.' They are now talking about literally changing texts and information, so when you send an email or a text message -- imagine that instead of saying 'I love you' it comes out 'I hate you and I'm going to kill you.' That's kind of a scary thought."
I asked Gibney whether he thinks Israel is portrayed fairly and objectively in the film.
"I was trying to show different aspects of the Israeli policy," he replied, "but we were able to establish that it was Israel that blew the secrecy of the operation. We don't know for sure whether this was intentional and was meant to send a message to Iran. We're told that it was Netanyahu who wanted to see more results more quickly, so maybe he was fine with Iran knowing what was blowing up the centrifuges.
"According to my sources, [the late Mossad chief] Meir Dagan was pressured by Netanyahu to show more explosions, and as a result, once Israel changed the code it spread much more quickly. This was a question I wasn't able to answer. If you're sharing intelligence and technology with another country, it can be problematic if that country happens to have a different interest."
Do you anticipate that the way Israel is presented in "Zero Days/i>" will generate criticism of you and your production company?
"I suspect I will be criticized, because any time there is any criticism of Israel there is some blowback. But to me this was a really important object lesson for how that alliance can be extremely problematic, particularly when you're sharing military technology, and Israel -- or certain parts of Israeli defense establishment -- and the US have very different views on how these weapons should be used.
My understanding is that the Israelis contributed quite a bit to the technology, and each side had the right to go along if it so wished. But after the explosion of 1,000 centrifuges, the US made it very clear to Israel that now would be a good time not to push it, because the Iranians had no idea what was going on. But the Israelis decided to push forward."
Did you try to interview Prime Minister Netanyahu or other senior Israeli governmental figures?
"Yes, certainly. We were trying to interview Prime Minister Netanyahu, as well as other Israeli officials like Meir Dagan. The closest we were able to get was Yadlin and Steinitz."
In the end, "Zero Days" raises disturbing questions about censorship, espionage and the use of military power, as well as making a case for a public discussion to take place on the legal and moral aspects of cyberwar.
Asked whether he truly believes that we are at the start of a third world war, Gibney replies that the expression "World War 3.0" is "a bit of a sardonic joke," but adds, "The serious part of it is that we do suggest that cyber weapons -- which are increasingly powerful -- could lead us into a war that could get out of control very quickly. Cyber weapons are just beginning to be used, and we can't tell who will end up using them, and how."
Queries to the Prime Minister's Office and the Israel Defense Forces' Spokesperson's Unit went unanswered.
Posted in accordance with Title 17, Section 107, US Code, for noncommercial, educational purposes.