Stuxnet: Leaks or Lies?
Did journalist David Sanger discover the true story behind Stuxnet, or was he caught in a deeper web of deception?
Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum’s “Techwise Conversations.”
The Stuxnet computer worm of 2010 was by far the most sophisticated attack software ever written. Half a million bytes long, Stuxnet was designed to propagate via thumb drives and other removable storage. It targeted a single, specific type of highly specialized industrial device: uranium-enrichment centrifuges made by one company, the German conglomerate Siemens, at one location, Iran’s Natanz processing facility.
In a book published earlier this year by Crown Publishing, New York Times journalist David Sanger describes how, according to his sources, Stuxnet “escaped into the wild” when an engineer accidentally infected his own computer and later plugged it into the Internet.
My guest today is a software engineer who has been involved with industrial control systems for decades. He has even helped Siemens design some of the software tools used to program systems like the one in Natanz. He says that some aspects of Sanger’s account are just not possible.
Larry Constantine is a professor in the mathematics and engineering department at the University of Madeira, in Portugal. He’s also the coauthor, with Ed Yourdon, of one of the most influential books in computer science, Structured Design. He was my guest last year when several spin-off worms of the Stuxnet technology were found by cybersecurity firms. He joins us by phone.
Larry, welcome back to the podcast.
Larry Constantine: I’m glad to be here.
Steven Cherry: Larry, let’s start by reminding our listeners in a bit more detail what Stuxnet was designed to do and what made it special.
Larry Constantine: Well, there are several things that made Stuxnet distinctive. It was, at the time, the largest piece of malicious software that had ever been discovered. Since then, larger complexes have been uncovered, possibly developed by some of the same people. Stuxnet was a specifically targeted attack system; it looked for a particular configuration that happened to be unique and distinctive to the Natanz facility for enriching uranium. It reached its target through several intermediate steps, first looking for configurations of Siemens software used to program these PLCs, or programmable logic controllers. Once it found the Siemens software, it waited for an opportunity when an engineering workstation would be connected directly to the PLC controllers, and then it would install a portion of itself—the payload—into the PLC computer and then systematically work to destroy some of the high-speed centrifuges. It did this by first spinning them up to beyond their designed speed and then suddenly slamming on the brakes to slow them way down. While it was doing this, it also used a very clever man-in-the-middle attack in which it
recoded recorded normal activity and then played this back during the times when it was carrying out its attack on the centrifuges. It was also designed to phone home and look at specific sites to get updates to its code so that it could be refined on the fly if necessary. So it combined a number of distinctive features, and in history, as far as we know, it’s the first piece of malicious software specifically designed to destroy real-world physical equipment.
Steven Cherry: In his book, Sanger describes in some detail how the Stuxnet worm escaped into the wild. What is Sanger’s account, and what’s wrong with it?
Larry Constantine: Well, the issue to me—why this, I think, is important—is whether journalists who are reporting important political stories to the public have a responsibility to get pivotal technical details right. And there are a number of things about Sanger’s account which are just not possible. So there are a number of possibilities here. One is that Sanger somehow, despite the fact that he’s a good journalist, didn’t do all the necessary background research. Another possibility is that he was deliberately misled by his sources. A third possibility might even be that he actually knew the account that he was sharing was not valid but had been requested or directed to do that since he was dealing with high-level personnel in the current administration. So, what did he get wrong? First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec show that, in fact, that it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that had dealings with each other. Secondly, it couldn’t have escaped over the Internet, as Sanger’s account maintains, because it never had that capability built into it: It can only propagate over [a] local-area network, over removable media such as CDs, DVDs, or USB thumb drives. So it was never capable of spreading widely, and in fact the sequence of infections is always connected by a close chain. Another thing that Sanger got wrong that he reported in slightly different words in his original New York Times article earlier this year and in the book was the notion that the worm escaped when an engineer connected his computer to the PLCs that were controlling the centrifuges and his computer became infected, which then later spread over the Internet. This is also patently impossible because the software that was resident on the PLCs is the payload that directly deals with the centrifuge motors; it does not have the capability of infecting a computer because it doesn’t have any copy of the rest of the Stuxnet system, so that part of the story is simply impossible. In addition, the explanation offered in his book and in his article is that Stuxnet escaped because of an error in the code, with the Americans claiming it was the Israelis’ fault that suddenly allowed it to get onto the Internet because it no longer recognized its environment. Anybody who works in the field knows that this doesn’t quite make sense, but in fact the last version, the last revision to Stuxnet, according to Symantec, had been in March, and it wasn’t discovered until June 17. And in fact the mode of discovery had nothing to do with its being widespread in the wild because in fact it was discovered inside computers in Iran that were being supported by a Belarus antivirus company called VirusBlokAda. So there are a number of aspects of Sanger’s story that on technical grounds simply cannot be correct, and to me this is a significant issue, not just an obscure technical matter, because it raises broad questions about the nature of the so-called leaks from administration personnel to Sanger about the quality and reliability of his reporting. If he got these aspects wrong—and these are the ones that I was able to check through public sources and my knowledge of industrial control systems—then the question is, what else did he get wrong? And interestingly enough, none of the mainstream media seems to be interested in this story, which is why I’m talking with you.
Steven Cherry: [laughs] Well, I’ll take that as some sort of weird, backhanded compliment, I guess. Now, it’s been tacitly—and in some ways explicitly—acknowledged, that the U.S. and Israeli governments were behind the Stuxnet worm, as security experts thought all along. What if it’s a national security secret of two different nations—shouldn’t we just, no pun intended, let it lie?
Larry Constantine: Well, the specific technical details which I’ve just been talking about of course are already in the public media; they’re easily retrieved off the Web, and in fact I’m surprised that Sanger in fact didn’t just use his sources in industrial security, because he’s previously talked with Ralph Langner, for example, in Germany to double-check his story. The Israelis have already released information about their role. In fact, Der Spiegel, in Germany, reported back last year—August, I believe—that Meir Dagan at Mossad in Israel had actually acknowledged that Mossad and Israel were responsible for the Stuxnet worm. The only new thing that’s recently come out and been made public is the role of the German intelligence service, the BND, in persuading Siemens to cooperate in the construction—possibly—and definitely the infection of the facilities at Natanz. On the other hand, there are parts of the story that Sanger and others have reported that also do not ring true because the pattern of infection shows that actually the initial infections were almost certainly outside of the Natanz facility but in organizations that were closely connected to Natanz. So it seems unlikely that Siemens personnel actually carried the Stuxnet worm physically into the plant on a USB stick but rather served as vectors to infect computers of closely collaborating organizations. As to the national security issue, this is one of the things that has led to criticism of Sanger, is that he’s essentially leaking critical intelligence, and in fact there’s a congressional investigation that’s been started into this. I wonder if perhaps they aren’t really leaks... Is it possible this is deliberate disinformation for which Sanger was the witting or unwitting carrier of the message?
Steven Cherry: So if I understand this correctly, Stuxnet could propagate over a local-area network but not the Internet. That seems sort of counterintuitive. If something can spread over a short-range network, why can’t it spread over a long-range network?
Larry Constantine: Well, the distinction is again technical. When people say something is spread over the Internet and when there’s a virus or a worm that becomes widespread, it usually is spread either by the Web or e-mail. The thing is that Stuxnet has to actually see the local addresses over the local-area network, which is by definition more limited than the Internet. Now, it did have the capability of exploiting a hole in what’s called “remote procedure calls,” which—I don’t know the details—but might allow it, for example, to do something over a virtual private network. And there are some things about the patterns of infections in other countries that suggest that computers in one organization or one part of an organization connected by a virtual private network would be seen by Stuxnet as local and would be able to infect by that process. But it was never widespread. There are only tens of thousands of infections, rather than millions like is more commonly the case with a truly viral piece of malicious software.
Steven Cherry: You mention the payload, and I just want to be clear here: A worm like Stuxnet has several components, and in particular there’s the payload, which is what actually infected the Siemens controller, and then there’s the sort of delivery code. So I guess this is a little bit like an Apollo capsule and the Saturn 5 rockets that would send it up into space or whatever. So, what exactly is the argument about thumb drives and payloads and delivery code?
Larry Constantine: Your analogy is very good. In fact, I sometimes use the guided-missile analogy when I’m teaching students about these kinds of malicious software systems. So the first stage—the booster stage that gets it off the ground—is analogous to the infection vector that enables Stuxnet to get into and infect Windows systems in the first place. Once it’s inside, it installs itself deep into the core of the software in what’s called a root kit and begins looking for specific targets. And the first target is Siemens WinCC and Siemens Step 7 programming software. If it finds these, it looks for particular kinds of projects which would be related to programming centrifuges, controlling centrifuges, and it infects—injects part of itself into—the database and into the DLLs—the dynamic link libraries—of Step 7. At some future point when the engineering workstation is actually connected to the PLC in order to update the control software in the PLC, Stuxnet injects its final payload—the explosive charge, if you will. And this is a block of highly specialized code that does the two parts of the attack: the man-in-the-middle portion, which fools the operators into thinking everything is okay, and the actual attack code, which spins up the centrifuges, overspeeds them, and then slams on the brakes, and it does this repeatedly, spread over an extended period of time, with the idea that eventually the centrifuges will fail. And when they fail, they fail catastrophically: They essentially explode out of their casings and send supersonic fragments all over the place.
Steven Cherry: And so you have a concern about the account that the Stuxnet worm spread, escaped into the wild, precisely because of this distinction with the payload and the delivery code.
Larry Constantine: Well, it couldn’t have escaped at all from the PLCs—the actual control systems. And secondly, it could not escape lightly over the Internet because it didn’t have the exploits built into it that would allow it to do that. It could only communicate over the local-area network and spread itself via removable media.
Steven Cherry: Well, very good. I doubt Stuxnet will ever achieve the romantic, legendary status of the Kennedy assassination, but like it, even as we try to get to the bottom of it, the mystery seems to only confound itself into greater depths. So thanks for further muddying the waters, Larry.
Larry Constantine: [laughs] You’re most welcome, Steven.
Steven Cherry: We’ve been speaking with software engineer and University of Madeira professor Larry Constantine about the accuracy of recent reporting on how the world’s most sophisticated computer worm operated. For IEEE Spectrum’s “Techwise Conversations,” I’m Steven Cherry.
Announcer: “Techwise Conversations” is sponsored by National Instruments.
NOTE: Transcripts are created for the convenience of our readers and listeners and may not perfectly match their associated interviews and narratives. The authoritative record of IEEE Spectrum’s audio programming is the audio version.