Zero Days (2016) - full transcript

Documentary detailing claims of American/Israeli jointly developed malware Stuxnet being deployed not only to destroy Iranian enrichment centrifuges but also to threaten attacks against Iranian civilian infrastructure. Addresses the obvious potential blowback of this possibly being deployed against the US by Iran in retaliation.

Through the darkness

of the pathways that we marched,

evil and good lived side by side.

And this is the nature of... Of life.

We are in an unbalanced

and inequivalent confrontation between democracies

who are obliged to play by the rules

and entities who think democracy is a joke.

You can't convince fanatics

by saying, "hey, hatred paralyzes you,

love releases you."

There are different rules that we have to play by.

Female newsreader: Today, two of Iran's top nuclear scientists

were targeted by hit squads.

Female newsreader 2: ...In the capital Tehran.

Male newsreader: ...The latest in a string of attacks.

Female newsreader 3: Today's attack has all the hallmarks

of major strategic sabotage.

Female newsreader 4: Iran immediately accused

the U.S. and Israel

of trying to damage its nuclear program.

I want to categorically deny any United States involvement

in any kind of act of violence inside Iran.

Covert actions can help,

can assist.

They are needed, they are not all the time essential,

and they, in no way, can replace political wisdom.

Alex Gibney: Were the assassinations in Iran

related to the Stuxnet computer attacks?

Uh, next question, please.

Male newsreader: Iran's infrastructure

is being targeted

by a new and dangerously powerful cyber worm.

The so-called Stuxnet worm is specifically designed,

it seems, to infiltrate and sabotage

real-world power plants and factories and refineries.

Male newsreader 2: It's not trying to steal information

or grab your credit card,

they're trying to get into some sort of industrial plant

and wreak havoc trying to blow up an engine or...

Male newsreader 4: No one knows

who's behind the worm

and the exact nature of its mission,

but there are fears Iran will hold Israel

or America responsible and seek retaliation.

Male newsreader 5: It's not impossible that

some group of hackers did it,

but the security experts that are studying this

really think this required the resource of a nation-state.

Man: Okay, and spinning.

Gibney: Okay, good. Here we go.

What impact, ultimately, did the Stuxnet attack have?

Can you say?

I don't want to get into the details.

Gibney: Since the event has already happened,

why can't we talk more openly and publicly about Stuxnet?

Yeah, I mean, my answer is because it's classified.

I... I won't knowledge... You know, knowingly

offer up anything I consider classified.

Gibney: I know that you can't talk much about Stuxnet,

because Stuxnet is officially classified.

You're right on both those counts.

Gibney: But there has been

a lot reported about it in the press.

I don't want to comment on this.

I read it in the newspaper, the media, like you,

but I'm unable to elaborate upon it.

People might find it frustrating

not to be able to talk about it when it's in the public domain,

but...

Gibney: I find it frustrating.

Yeah, I'm sure you do.

I don't answer that question.

Unfortunately, I can't comment.

I do not know how to answer that.

Two answers before you even get started, I don't know,

and if I did, we wouldn't talk about it anyway.

Gibney: How can you have a debate if everything's secret?

I think right now that's just where we are.

No one wants to...

Countries aren't happy about confessing

or owning up to what they did because they're not quite sure

where they want the system to go.

And so whoever was behind Stuxnet

hasn't admitted they were behind it.

Gibney: Asking officials about Stuxnet

was frustrating and surreal,

like asking the emperor about his new clothes.

Even after the cyber weapon had penetrated computers

all over the world,

no-one was willing to admit it was loose

or talk about the dangers it posed.

What was it about the Stuxnet operation

that was hiding in plain sight?

Maybe there was a way the computer code

could speak for itself.

Stuxnet first surfaced in Belarus.

I started with a call to the man who discovered it

when his clients in Iran began to panic

over an epidemic of computer shutdowns.

Had you ever seen anything quite so sophisticated before?

I have seen very sophisticated viruses before,

but they didn't have...

this kind of...

zero day.

It was the first time in my practice.

That led me to understand

that I should notify web security companies ASAP

about the fact that such a danger exists.

Eric Chien: On a daily basis, basically

we are sifting through

a massive haystack looking for that proverbial needle.

We get millions of pieces of new malicious threats

and there are millions of attacks going on

every single day.

And not only are we trying to protect people

and their computers and... And their systems

and countries' infrastructure

from being taken down by those attacks.

But more importantly, we have to find the attacks that matter.

When you're talking about that many,

impact is extremely important.

Eugene Kaspersky: Twenty years ago, the antivirus companies,

they were hunting for computer viruses

because there were not so many.

So we had, like, tens of dozens a month,

and there was just little numbers.

Now, we collect millions of unique attacks every month.

Vitaly Kamluk: This room we call a woodpecker's room

or a virus lab,

and this is where virus analysts sit.

We call them woodpeckers because they are

pecking the worms, network worms, and viruses.

And we see, like, three different groups of hackers

behind cyber-attacks.

They are traditional cyber criminals.

Those guys are interested only in illegal profit.

And quick and dirty money.

Activists, or hacktivists,

they are hacking for fun or hacking to push

some political message.

And the third group is nation-states.

They're interested in high-quality intelligence

or sabotage activity.

Chien: Security companies not only share information

but we also share binary samples.

So when this threat was found

by a Belarusian security company

on one of their customer's machines in Iran,

the sample was shared amongst the security community.

When we try to name threats, we just try to pick

some sort of string, some sort of words,

that are inside of the binary.

In this case, there was a couple of words in there

and we took pieces of each, and that formed Stuxnet.

I got the news about Stuxnet from one of my engineers.

He came to my office, opened the door,

and he said, "so, Eugene, of course you know that

we are waiting for something really bad.

It happened."

Gibney: Give me some sense of what it was like

in the lab at that time.

Was there a palpable sense of amazement

that you had something really different there?

Well, I wouldn't call it amazement.

It was a kind of a shock.

It went beyond our worst fears, our worst nightmares,

and this continued the more we analyzed.

The more we researched,

the more bizarre the whole story got.

We look at so much malware every day that

we can just look at the code and straightaway we can say,

"Okay, there's something bad going on here,

and I need to investigate that."

And that's the way it was

when we looked at Stuxnet for the first time.

We opened it up and there was just bad things everywhere.

Just like, okay, this is bad and that's bad,

and, you know, we need to investigate this.

And just suddenly we had, like,

a hundred questions straightaway.

The most interesting thing that we do is detective work

where we try to track down who's behind a threat,

what are they doing, what's their motivation,

and try to really stop it at the root.

And it is kind of all-consuming.

You get this new puzzle

and it's very difficult to put it down,

you know, work until, like, 4:00 am in the morning

and figure these things out.

And I was in that zone where I was very consumed by this,

very excited about it, very interested to know

what was happening.

And Eric was also in that same sort of zone.

So the two of us were, like, back and forth all the time.

Chien: Liam and I continued to grind at the code,

sharing pieces, comparing notes,

bouncing ideas off of each other.

We realized that we needed to do

what we called deep analysis, pick apart the threat,

every single byte, every single zero, one,

and understand everything that was inside of it.

And just to give you some context,

we can go through and understand every line of code

for the average threat in minutes.

And here we are one month into this threat

and we were just starting to discover what we call

the payload or its whole purpose.

When looking at the Stuxnet code,

it's 20 times the size of the average piece of code

but contains almost no bugs inside of it.

And that's extremely rare.

Malicious code always has bugs inside of it.

This wasn't the case with Stuxnet.

It's dense and every piece of code does something

and does something right in order to conduct its attack.

One of the things that surprised us

was that Stuxnet utilized what's called

a zero-day exploit, or basically,

a piece of code that allows it to spread

without you having to do anything.

You don't have to, for example, download a file and run it.

A zero-day exploit is an exploit that

nobody knows about except the attacker.

So there's no protection against it.

There's been no patch released.

There's been zero days protection,

you know, against it.

That's what attackers value,

because they know 100 percent

if they have this zero-day exploit,

they can get in wherever they want.

They're actually very valuable.

You can sell these on the underground

for hundreds of thousands of dollars.

Chien: Then we became more worried

because immediately we discovered more zero days.

And again, these zero days are extremely rare.

Inside Stuxnet we had, you know, four zero days,

and for the entire rest of the year,

we only saw 12 zero days used.

It blows all... everything else out of the water.

We've never seen this before.

Actually, we've never seen it since, either.

Seeing one in a malware you could understand

because, you know, the malware authors are making money,

they're stealing people's credit cards and making money,

so it's worth their while to use it,

but seeing four zero days, could be worth

half a million dollars right there,

used in one piece of malware,

this is not your ordinary criminal gangs doing this.

This is... This is someone bigger.

It's definitely not traditional crime,

not hacktivists. Who else?

It was evident on a very early stage

that just given the sophistication

of this malware...

Suggested that there must have been

a nation-state involved,

at least one nation-state involved in the development.

When we look at code that's coming from

what appears to be a state attacker

or state-sponsored attacker, usually they're scrubbed clean.

They don't... they don't leave little bits behind.

They don't leave little hints behind.

But in Stuxnet there were actually

a few hints left behind.

One was that, in order to get low-level access

to Microsoft Windows,

Stuxnet needed to use a digital certificate,

which certifies that this piece of code

came from a particular company.

Now, those attackers obviously couldn't go to Microsoft

and say, "Hey, test our code out for us.

And give us a digital certificate."

So they essentially stole them...

From two companies in Taiwan.

And these two companies have nothing to do with each other

except for their close proximity

in the exact same business park.

Digital certificates are guarded very, very closely

behind multiple doors

and they require multiple people to unlock.

Security: ...To the camera.

Chien: And they need to provide both biometrics

- and, as well, pass phrases.

It wasn't like those certificates were

just sitting on some machine connected to the Internet.

Some human assets had to be involved, spies.

O'Murchu: Like a cleaner who comes in at night

and has stolen these certificates

from these companies.

It did feel like walking onto the set

of this James Bond movie and you...

You've been embroiled in this thing that,

you know, you... You never expected.

We continued to search,

and we continued to search in code,

and eventually we found some other bread crumbs left

we were able to follow.

It was doing something with Siemens,

Siemens software, possibly Siemens hardware.

We'd never ever seen that in any malware before,

something targeting Siemens.

We didn't even know why they would be doing that.

But after googling, very quickly we understood

it was targeting Siemens PLCs.

Stuxnet was targeting a very specific hardware device,

something called a PLC or a programmable logic controller.

Langner: The PLC is kind of a very small computer

attached to physical equipment,

like pumps, like valves, like motors.

So this little box is running a digital program

and the actions of this program

turns that motor on, off, or sets a specific speed.

Chien: Those program module controllers

control things like power plants, power grids.

O'Murchu: This is used in factories,

it's used in critical infrastructure.

Critical infrastructure, it's everywhere around us,

transportation, telecommunications,

financial services, health care.

So the payload of Stuxnet was designed

to attack some very important part

of our world.

The payload is gonna be important.

What happens there could be very dangerous.

Langner: The next very big surprise came

when it infected our lab system.

We figured out that the malware was probing

for controllers.

It was quite picky on its targets.

It didn't try to manipulate any given controller in a network

that it would see.

It went through several checks, and when those checks failed,

it would not implement the attack.

It was obviously probing for a specific target.

You've got to put this in context that,

at the time, we already knew,

well, this is the most sophisticated piece of malware

that we have ever seen.

So it's kind of strange.

Somebody takes that huge effort to hit one specific target?

Well, that must be quite a significant target.

Chien: So at Symantec we have probes on networks

all over the world

watching for malicious activity.

O'Murchu: We'd actually seen infections of Stuxnet

all over the world, in the U.S., Australia,

in the U.K., in France, Germany, all over Europe.

Chien: It spread to any Windows machine in the entire world.

You know, we had these organizations

inside the United States who were in charge of

industrial control facilities saying,

"We're infected. What's gonna happen?"

O'Murchu: We didn't know if there was a deadline coming up

where this threat would trigger

and suddenly would, like, turn off all, you know,

electricity plants around the world

or it would start shutting things down

or launching some attack.

We knew that Stuxnet could have very dire consequences,

and we were very worried about

what the payload contained

and there was an imperative speed

that we had to race and try and, you know,

beat this ticking bomb.

Eventually, we were able to refine the statistics a little

and we saw that Iran was the number one

infected country in the world.

Chien: That immediately raised our eyebrows.

We had never seen a threat before

where it was predominantly in Iran.

And so we began to follow what was going on

in the geopolitical world,

what was happening in the general news.

And at that time, there were actually multiple explosions

of gas pipelines going in and out of Iran.

Unexplained explosions.

O'Murchu: And of course, we did notice that at the time

there had been assassinations of nuclear scientists.

So that was worrying.

We knew there was something bad happening.

Gibney: Did you get concerned for yourself?

I mean, did you begin to start looking over your shoulder

from time to time?

Yeah, definitely looking over my shoulder

and... and being careful about what I spoke about on the phone.

I was... pretty confident my conversations on my...

On the phone were being listened to.

We were only half joking

when we would look at each other

and tell each other things like,

"Look, I'm not suicidal.

If I show up dead on Monday, you know, it wasn't me."

We'd been publishing information about Stuxnet

all through that summer.

And then in November, the industrial control system

sort of expert in Holland contacted us...

And he said all of these devices that would be inside of

an industrial control system hold a unique identifier number

that identified the make and model of that device.

And we actually had a couple of these numbers in the code

that we didn't know what they were.

And so we realized maybe what he was referring to

was the magic numbers we had.

And then when we searched for those magic numbers

in that context,

we saw that what had to be connected

to this industrial control system that was being targeted

were something called frequency converters

from two specific manufacturers,

one of which was in Iran.

And so at this time, we absolutely knew

that the facility that was being targeted

had to be in Iran

and had equipment made from Iranian manufacturers.

When we looked up those frequency converters,

we immediately found out that they were actually

export controlled by the nuclear regulatory commission.

And that immediately led us then

to some nuclear facility.

Gibney: This was more than a computer story,

so I left the world of the antivirus detectives

and sought out journalist, David Sanger,

who specialized in the strange intersection

of cyber, nuclear weapons, and espionage.

Sanger: The emergence of the code

is what put me on alert that an attack was under way.

And because of the covert nature of the operation,

not only were official government spokesmen

unable to talk about it, they didn't even know about it.

Eventually, the more I dug into it,

the more I began to find individuals

who had been involved in some piece of it

or who had witnessed some piece of it.

And that meant talking to Americans,

talking to Israelis, talking to Europeans,

because this was obviously the first, biggest,

and most sophisticated example of a state

or two states using a cyber weapon

for offensive purposes.

I came to this with a fair bit of history,

understanding the Iranian nuclear program.

How did Iran get its first nuclear reactor?

We gave it to them... Under the Shah,

because the Shah was considered an American ally.

Thank you again for your warm welcome, Mr. President.

Gary Samore: During the Nixon administration,

the U.S. was very enthusiastic about supporting

the Shah's nuclear power program.

And at one point, the Nixon administration

was pushing the idea that Pakistan and Iran

should build a joint plant together in Iran.

There's at least some evidence that

the Shah was thinking about acquisition of nuclear weapons,

because he saw, and we were encouraging him to see Iran

as the so-called policemen of the Persian Gulf.

And the Iranians have always viewed themselves

as naturally the dominant power in the Middle East.

Samore: But the revolution,

which overthrew the Shah in '79,

really curtailed the program

before it ever got any head of steam going.

Part of our policy against Iran after the revolution

was to deny them nuclear technology.

So most of the period when I was involved

in the '80s and the '90s

was the U.S. running around the world

and persuading potential nuclear suppliers

not to provide even peaceful nuclear technology to Iran.

And what we missed was the clandestine transfer

in the mid-1980s from Pakistan to Iran.

Rolf Mowatt-Larssen: Abdul Qadeer Khan

is what we would call

the father of the Pakistan nuclear program.

He had the full authority and confidence

of the Pakistan government from its inception

to the production of nuclear weapons.

I was a CIA officer for... For...

For over two decades, operations officer,

worked overseas most of my career.

The A.Q. Khan network is so notable

because aside from building

the Pakistani program for decades...

It also was the means by which other countries

were able to develop nuclear weapons,

including Iran.

Samore: A.Q. Khan acting on behalf

of the Pakistani government

negotiated with officials in Iran

and then there was a transfer which took place

through Dubai

of blueprints for nuclear weapons design

as well as some hardware.

Throughout the mid-1980s,

the Iranian program was not very well-resourced.

It was more of an R & D program.

It wasn't really until the mid-'90s

that it started to take off when they made the decision

to build the nuclear weapons program.

You know, we can speculate what,

in their mind, motivated them.

I think it was the U.S. invasion of Iraq

after Kuwait.

You know, there was an eight-year war

between Iraq and Iran,

we had wiped out Saddam's forces in a matter of weeks.

And I think that was enough to convince the rulers

in Tehran that they needed to pursue

nuclear weapons more seriously.

George Bush: States like these and their terrorist allies

constitute an axis of evil,

arming to threaten the peace of the world.

Samore: From 2003 to 2005

when they feared that the U.S. would invade them,

they accepted limits on their nuclear program.

But by 2006, the Iranians had come to the conclusion

that the U.S. was bogged down in Afghanistan and Iraq

and no longer had the capacity to threaten them,

and so they felt it was safe to resume their enrichment program

They started producing low enriched uranium,

producing more centrifuges, installing them

at the large-scale underground enrichment facility at Natanz.

Gibney: How many times have you been to Natanz?

Not that many, because I left a few years ago, the IAEA,

but I was there quite... Quite a few times.

Natanz is just in the middle of the desert.

When they were building it in secret,

they were calling it desert irrigation facility.

For the local people,

you want to sell why you are building a big complex.

There is a lot of artillery and air force.

It's better protected against attack from air

than any other nuclear installation I have seen.

So this is deeply underground.

But then inside, Natanz is like any other centrifuge facility.

I have been all over the world, from Brazil to Russia, Japan,

so they are all alike with their own features,

their own centrifuges, their own culture,

but basically, the process is the same.

And so are the monitoring activities of the IAEA.

There are basic principles.

You want to see what goes in, what goes out,

and then on top of that you make sure that

it produces low enriched uranium

instead of anything to do with the higher enrichments

and nuclear weapon grade uranium.

Emad Kiyaei: Iran's nuclear facilities

are under 24-hour watch

of the United Nations nuclear watchdog,

the IAEA, the International Atomic Energy Agency.

Every single gram of Iranian fissile material...

is accounted for.

They have, like, basically seals they put

on fissile materials. There are IAEA seals.

You can't break it

without getting noticed.

Heinonen: When you look at the uranium

which was there in Natanz, it was a very special uranium.

This is called Isotope 236, and that was a puzzle to us,

because you only see this sort of uranium

in states which have had nuclear weapons.

We realized that they had cheated us.

This sort of equipment has been bought

from what they call a black market.

They never pointed it out to A.Q. Khan

at that point of time.

What I was surprised was the sophistication

and the quality control

and the way they have the manufacturing

was really professional.

It was not something, you know, you just create

in a few months' time.

This was a result of a long process.

A centrifuge, you feed uranium gas

in and you have a cascade, thousands of centrifuges,

and from the other end you get enriched uranium out.

It separates uranium based on spinning the rotors.

It spins so fast, 300 meters per second,

the same as the velocity of sound.

These are tremendous forces

and as a result, the rotor, it twists,

looks like a banana at one point of time.

So it has to be balanced

because any small vibration it will blow up.

And here comes another trouble.

You have to raise the temperature

but this very thin rotor was...

They are made from carbon fiber,

and the other pieces, they are made from metal.

When you heat carbon fiber, it shrinks.

When you heat metal, it expands.

So you need to balance not only that they spin,

they twist, but this temperature behavior

in such a way that it doesn't break.

So this has to be very precise.

This is what makes them very difficult to manufacture.

You can model it, you can calculate it,

but at the very end, it's actually based

on practice and experience.

So it's a... It's a piece of art, so to say.

Heinonen: Iranians are very proud of their centrifuges.

They have a lot of public relations videos

given up always in April when they have what they call

a national nuclear day.

Kiyaei: Ahmadinejad came into his presidency saying

if the international community wants to derail us

we will stand up to it.

If they want us to sign more inspections

and more additional protocols and other measures,

no, we will not. We will fight for our rights.

Iran is a signatory to the nuclear non-proliferation treaty,

and under that treaty, Iran has a right to a nuclear program.

We can have enrichment. Who are you, world powers,

to come and tell us that we cannot have enrichment?

This was his mantra,

and it galvanized the public.

Sanger: By 2007, 2008,

the U.S. government was in a very bad place with

the Iranian program.

President Bush recognized

that he could not even come out in public

and declare that the Iranians were building a nuclear weapon,

because by this time, he had gone through

the entire WMD fiasco in Iraq.

He could not really take military action.

Condoleezza Rice said to him at one point,

"You know, Mr. President, I think you've invaded

your last Muslim country, even for the best of reasons."

He didn't want to let the Israelis

conduct a military operation.

It's 1938, and Iran is Germany and it's racing...

To arm itself with atomic bombs.

Iran's nuclear ambitions must be stopped.

They have to be stopped. We all have to stop it, now.

That's the one message I have for you today.

- Thank you.

Israel was saying they were gonna bomb Iran.

And the government here in Washington

did all sorts of scenarios about what would happen

if that Israeli attack occurred.

They were all very ugly scenarios.

Our belief was that if they went on their own

knowing the limitations...

No, they're a very good air force, all right?

But it's small and the distances are great

and the target's dispersed and hardened, all right?

If they would have attempted a raid

on a military plane,

we would have been assuming that they were assuming

we would finish that which they started.

In other words, there would be many of us

in government thinking that the purpose of the raid

wasn't to destroy the Iranian nuclear system,

but the purpose of the raid was to put us at war with Iran.

Israel is very much concerned about

Iran's nuclear program, more than the United States.

It's only natural because of the size of the country,

because we live in this neighborhood,

America lives thousands and thousands of miles away from Iran.

The two countries agreed on the goal.

There is no page between us

that Iran should not have a nuclear military capability.

There are some differences

on how to... How to achieve it

and when action is needed.

Yadlin: We are taking very seriously

leaders of countries who call to the destruction

and annihilation of our people.

If Iran will get nuclear weapons,

now or in the future...

It means that for the first time in human history

Islamic zealots, religious zealots,

will get their hand on

the most dangerous, devastating weapons,

and the world should prevent this.

Samore: The Israelis believe that the Iranian leadership

has already made the decision to build nuclear weapons

when they think they can get away with it.

The view in the U.S. is that the Iranians

haven't made that final decision yet.

To me, that doesn't make any difference.

I mean, it really doesn't make any difference,

and it's probably unknowable, unless you can put, you know,

supreme leader Khamenei on the couch and interview him.

I think, you know, from our standpoint,

stopping Iran from getting the threshold capacity

is, you know, the primary policy objective.

Once they have the fissile material,

once they have the capacity to produce nuclear weapons,

then the game is lost.

Hayden: President Bush once said to me, he said,

"Mike, I don't want any president ever to be faced

with only two options, bombing or the bomb."

Right?

He... He wanted options that... That made it...

Made it far less likely he or his successor

or successors would ever get to that point

where that's... That's all you've got.

We wanted to be energetic enough in pursuing this problem

that... that the Israelis would certainly believe,

"Yeah, we get it."

The intelligence cooperation between Israel

and the United States is very, very good.

And therefore, the Israelis went to the Americans

and said, "Okay, guys, you don't want us to bomb Iran.

Okay, let's do it differently."

And then the American intelligence community started

rolling in joint forces

with the Israeli intelligence community.

One day a group of intelligence and military officials showed up

in President Bush's office

and said, "sir, we have an idea.

It's a big risk.

It might not work, but here it is."

Langner: Moving forward in my analysis of the codes,

I took a closer look at the photographs

that had been published

by the Iranians themselves in a press tour from 2008

of Ahmadinejad and the shiny centrifuges.

Sanger: Well, photographs of Ahmadinejad

going through the centrifuges at Natanz

had provided some very important clues.

There was a huge amount to be learned.

First of all, those photographs showed

many of the individuals who were guiding Ahmadinejad

through the program.

And there's one very famous photograph that shows

Ahmadinejad being shown something.

You see his face, you can't see what's on the computer.

And one of the scientists who was behind him

was assassinated a few months later.

Langner: In one of those photographs,

you could see parts of a computer screen.

We... we refer to that as a SCADA screen.

The SCADA system is basically a piece of software

running on a computer.

It enables the operators to monitor the processes.

What you could see when you look close enough

was a more detailed view of the configuration:

there were these six groups of centrifuges

and each group had 164 entries.

And guess what?

That was a perfect match to what we saw

in the attack code.

It was absolutely clear that this piece of code

was attacking an array of six different groups

of, let's just say, thingies, physical objects,

and in those six groups, there were 164 elements.

Gibney: Were you able to do any actual physical tests?

Or it was all just code analysis?

Yeah, so, you know, we obviously

couldn't set up our own sort of nuclear enrichment facility.

So... but what we did was we did obtain some PLCs,

the exact models.

We then ordered an air pump, and that's what we used

sort of as our sort of proof of concept.

O'Murchu: We needed a visual demonstration

to show people what we discovered.

So we thought of different things that we could do,

and we... we settled on blowing up a balloon.

We were able to write a program that would inflate a balloon,

and it was set to stop after five seconds.

So it would inflate the balloon to a certain size

but it wouldn't burst the balloon

and it was all safe.

And we showed everybody, this is the code

that's on the PLC.

And the timer says, "stop after five seconds."

We know that's what's going to happen.

And then we would infect the computer with Stuxnet,

and we would run the test again.

Here is a piece of software

that should only exist in a cyber realm

and it is able to affect physical equipment

in a plant or factory and cause physical damage.

Real-world physical destruction.

At that time, things became very scary to us.

Here you had malware potentially killing people

and that was something that was always Hollywood-esque to us

that we'd always laugh at

when people made that kind of assertion.

Gibney: At this point, you had to have started developing

theories as to who had built Stuxnet.

It wasn't lost on us that

there were probably only a few countries

in the world that would want

and have the motivation to sabotage

Iran's nuclear enrichment facility.

The U.S. government would be up there.

Israeli government certainly would be... would be up there.

You know, maybe U.K., France, Germany,

those sorts of countries,

but we never found any information that

would tie it back 100 percent to... to those countries.

There are no telltale signs.

You know, the attackers don't leave a message inside

saying, you know, "It was me."

And even if they did, all of that stuff can be faked.

So it's very, very difficult to do attribution

when looking at computer code.

Gibney: Subsequent work that's been done

leads us to believe that this was the work of

a collaboration between Israel and the United States.

Yeah, yeah.

Gibney: Did you have any evidence

in terms of your analysis

that would lead you to believe that

that's correct also?

Nothing that I could talk about on camera.

Gibney: Well, can I ask why?

No.

Well, you can, but I won't answer.

Gibney: But even in the case of nation-states,

I mean, one of the concerns is...

Gibney: This was beginning to really piss me off.

Even civilians with an interest in telling the Stuxnet story

were refusing to address the role of Tel Aviv

and Washington. But luckily for me,

while D.C. is a city of secrets,

it is also a city of leaks.

They're as regular as a heartbeat

and just as hard to stop.

That's what I was counting on.

Finally, after speaking to a number of people on background,

I did find a way of confirming, on the record,

the American role in Stuxnet.

In exchange for details of the operation,

I had to agree to find a way

to disguise the source of the information.

- Gibney: We're good? - Man: We're on.

Gibney: So the first question I have to ask you

is about secrecy.

I mean, at this point, everyone knows about Stuxnet.

Why can't we talk about it?

It's a covert operation.

Gibney: Not anymore.

I mean, we know what happened, we know who did it.

Well, maybe you don't know as much as you think you know.

Gibney: Well, I'm talking to you because I want to

get the story right.

Well, that's the same reason I'm talking to you.

Gibney: Even though it's a covert operation?

Look, this is not a Snowden kind of thing, okay?

I think what he did was wrong.

He went too far. He gave away too much.

Unlike Snowden, who was a contractor,

I was in NSA.

I believe in the agency, so what I'm willing to give you

will be limited, but we're talking

because everyone's getting the story wrong

and we have to get it right.

We have to understand these new weapons.

The stakes are too high.

Gibney: What do you mean?

We did Stuxnet.

It's a fact.

You know, we came so fucking close to disaster,

and we're still on the edge.

It was a huge multinational, inter-agency operation.

In the U.S. it was CIA,

NSA, and the military cyber command.

From Britain, we used Iran intel out of GCHQ,

but the main partner was Israel.

Over there, Mossad ran the show,

and the technical work was done by Unit 8200.

Israel is really the key to the story.

Melman: Oh, traffic in Israel is so unpredictable.

Gibney: Yossi, how did you get into this whole Stuxnet story?

I have been covering the Israeli intelligence

in general, in the Mossad in particular

for nearly 30 years.

In '82, I was a London-based correspondent

and I covered a trial of terrorists,

and I became more familiar with this topic of terrorism,

and slowly but surely, I started covering it as a beat.

Israel, we live in a very rough neighborhood

where the... the democratic values,

Western values, are very rare.

But Israel pretends to be a free, democratic,

Westernized society,

posh neighborhoods, rich people,

youngsters who are having

almost similar mind-set to their American

or Western European counterparts.

On the other hand, you see a lot of scenes

and events which resemble the real Middle East,

terror attacks, radicals, fanatics, religious zealots.

I knew that Israel is trying to slow down

Iran's nuclear program,

and therefore, I came to the conclusion that

if there was a virus infecting Iran's computers,

it's... it's one more element in... in this larger picture

based on past precedents.

Yadlin: 1981 I was an F-16 pilot,

and we were told that, unlike our dream

to do dogfights and to kill MiGs,

we have to be prepared for a long-range mission

to destroy a valuable target.

Nobody told us what is

this very valuable strategic target.

It was 600 miles from Israel.

So we trained ourselves to do the job,

which was very difficult. No air refueling at that time.

No satellites for reconnaissance.

Fuel was on the limit.

Pilot: What? Whoa! Whoa!

Yadlin: At the end of the day,

we accomplished the mission.

Gibney: Which was?

Yadlin: To destroy the Iraqi nuclear reactor

near Baghdad, which was called Osirak.

And Iraq never was able to accomplish

its ambition to have a nuclear bomb.

Melman: Amos Yadlin, General Yadlin,

he was the head of the military intelligence.

The biggest unit within that organization

was Unit 8200.

They'd block telephones, they'd block faxes,

they're breaking into computers.

A decade ago, when Yadlin became

the chief of military intelligence,

there was no cyber warfare unit in 8200.

So they started recruiting very talented people,

hackers either from the military

or outside the military that can contribute

to the project of building a cyber warfare unit.

Yadlin: In the 19th century, there were only Army and Navy.

In the 20th century, we got air power

as a third dimension of war.

In the 21st century,

cyber will be the fourth dimension of war.

It's another kind of weapon

and it is for unlimited range in a very high speed

and in a very low signature.

So this gives you a huge opportunity...

And the superpowers have to change

the way we think about warfare.

Finally we are transforming our military

for a new kind of war that we're fighting now...

And for wars of tomorrow.

We have made our military better trained,

better equipped, and better prepared

to meet the threats facing America today

and tomorrow and long in the future.

Sanger: Back in the end of the Bush administration,

people within the U.S. government

were just beginning to convince President Bush

to pour money into offensive cyber weapons.

Stuxnet started off in the defense department.

Then Robert Gates, Secretary of Defense,

reviewed this program and he said,

"This program shouldn't be in the defense department.

This should really be under the covert authorities

over in the intelligence world."

So the CIA was very deeply involved

in this operation,

while much of the coding work was done

by the National Security Agency

and Unit 8200, its Israeli equivalent,

working together with a newly created military position

called U.S. Cyber Command.

And interestingly, the director of the National Security Agency

would also have a second role

as the commander of U.S. Cyber Command.

And U.S. Cyber Command is located

at Fort Meade in the same building as the NSA.

Col. Gary D. Brown: I was deployed for a year

giving advice on air operations in Iraq and Afghanistan,

and when I was returning home after that,

the assignment I was given was to go

to U.S. Cyber Command.

Cyber Command is a...

is the military command that's responsible for

essentially the conducting of the nation's military affairs

in cyberspace.

The stated reason the United States

decided it needed a Cyber Command

was because of an event called Operation Buckshot Yankee.

Chris Inglis: In the fall of 2008,

we found some adversaries inside

of our classified networks.

While it wasn't completely true

that we always assumed that we were successful

at defending things at the barrier,

at the... at the kind of perimeter that we might have

between our networks and the outside world,

there was a large confidence

that we'd been mostly successful.

But that was a moment in time when we came to

the quick conclusion that it... It's not really ever secure.

That then accelerated the department of defense's

progress towards what ultimately

became Cyber Command.

Good morning.

Good morning.

Good morning, sir. Cyber has one item for you today.

Earlier this week, Antok analysts

detected a foreign adversary using known methods

to access the U.S. military network.

We identified the malicious activity

via data collected through our information assurance

and signals from intelligence authorities

and confirmed it was a cyber adversary.

We provided data to our cyber partners within the DoD...

You think of NSA as an institution

that essentially uses its abilities in cyberspace

to help defend communications in that space.

Cyber Command extends that capability

by saying that they will then take responsibility to attack.

Hayden: NSA has no legal authority to attack.

It's never had it, I doubt that it ever will.

It might explain why U.S. Cyber Command

is sitting out at Fort Meade on top of

the National Security Agency,

because NSA has the abilities to do these things.

Cyber Command has the authority to do these things.

And "these things" here refer to the cyber-attack.

This is a huge change

for the nature of the intelligence agencies.

The NSA was supposed to be a code-making

and code-breaking operation

to monitor the communications of foreign powers

and American adversaries

in the defense of the United States.

But creating a Cyber Command meant using

the same technology to do offense.

Once you get inside an adversary's computer networks,

you put an implant in that network.

And we have tens of thousands of foreign computers

and networks that the United States put implants in.

You can use it to monitor what's going across

that network and you can use it

to insert cyber weapons, malware.

If you can spy on a network, you can manipulate it.

It's already included.

The only thing you need is an act of will.

NSA source: I played a role in Iraq.

I can't tell you whether it was military or not,

but I can tell you

NSA had combat support teams in country.

And for the first time, units in the field

had direct access to NSA intel.

Over time, we thought more about offense

than defense, you know,

more about attacking than intelligence.

In the old days, SIGINT units would try to track radios,

but through NSA in Iraq,

we had access to all the networks

going in and out of the country.

And we hoovered up every text message,

email, and phone call.

A complete surveillance state.

We could find the bad guys, say, a gang making IEDs,

map their networks, and follow them in real time.

Soldier: Roger.

NSA source: And we could lock into cell phones

even when they were off and send a fake text

from a friend, suggest a meeting place,

and then capture...

Soldier: 1A, clear to fire.

...or kill.

Soldier: Good shot.

Brown: A lot of the people that came to Cyber Command,

the military guys, came directly from

an assignment in Afghanistan or Iraq,

'cause those are the people with experience

and expertise in operations,

and those are the ones you want looking at this

to see how cyber could facilitate

traditional military operations.

NSA source: Fresh from the surge,

I went to work at NSA in '07 in a supervisory capacity.

Gibney: Exactly where did you work?

NSA source: Fort Meade.

You know, I commuted to that massive complex

every single day.

I was in TAO-s321, "The ROC."

Gibney: Okay, the TAO, the ROC?

Right, sorry. TAO is Tailored Access Operations.

It's where NSA's hackers work.

Of course, we didn't call them that.

Gibney: What did you call them?

NSA source: On net operators.

They're the only people at NSA allowed to break in

or attack on the Internet.

Inside TAO headquarters is the ROC,

Remote Operations Center.

If the U.S. government wants to get in somewhere,

it goes to the ROC.

I mean, we were flooded with requests.

So many that we could only do about, mm,

30% of the missions that were requested of us at one time,

through the web

but also by hijacking shipments of parts.

You know, sometimes the CIA would assist

in putting implants in machines,

so once inside a target network,

we could just...

Watch...

Or we could attack.

Inside NSA was a strange kind of culture,

like, two parts macho military

and two parts cyber geek. I mean, I came from Iraq,

so I was used to, "Yes, sir. No, sir."

But for the weapons programmers

we needed more "think outside the box" types.

From cubicle to cubicle,

you'd see light-sabers, tribbles,

those Naruto action figures,

lots of Aqua Teen Hunger Force.

This one guy, they were mostly guys,

who liked to wear a yellow hooded cape,

he used a ton of gray Legos to build a massive Death Star.

Gibney: Were they all working on Stuxnet?

NSA source: We never called it Stuxnet.

That was the name invented by the antivirus guys.

When it hit the papers,

we're not allowed to read about classified operations,

even if it's in the New York Times.

We went out of our way to avoid the term.

I mean, saying "Stuxnet" out loud

was like saying "Voldemort" in Harry Potter.

The name that shall not be spoken.

Gibney: What did you call it then?

The Natanz attack, and this is out there already,

was called Olympic Games or OG.

There was a huge operation to test the code

on PLCs here at Fort Meade

and at Sandia, New Mexico.

Remember during the Bush era

when Libya turned over all the centrifuges?

Those were the same models the Iranians got

from A.Q. Khan. P1s.

We took them to Oak Ridge and used them

to test the code which demolished the insides.

At Dimona, the Israelis also tested on the P1s.

Then, partly by using our intel on Iran,

we got the plans for the newer models, the IR-2s.

We tried out different attack vectors.

We ended up focusing on ways to destroy the rotor tubes.

In the tests we ran, we blew them apart.

They swept up the pieces,

they put it on an airplane, they flew it to Washington,

they stuck it in the truck,

they drove it through the gates of the White House,

and dumped the shards out on the conference room table

in the Situation Room.

And then they invited President Bush

to come down and take a look.

And when he could pick up the shard

of a piece of centrifuge...

He was convinced this might be worth it,

and he said, "Go ahead and try."

Gibney: Was there legal concern inside the Bush administration

that this might be an act of undeclared war?

If there were concerns, I haven't found them.

That doesn't mean that they didn't exist

and that some lawyers somewhere

weren't concerned about it,

but this was an entirely new territory.

At the time, there were really very few people

who had expertise specifically on the law of war and cyber.

And basically what we did was looking at, okay,

here's our broad direction.

Now, let's look... Technically what can we do

to facilitate this broad direction?

After that, maybe the... I would come in

or one of my lawyers would come in and say,

"Okay, this is what we may do." Okay.

There are many things we can do,

but we are not allowed to do them.

And then after that, there's still a final level

that we look at and that's, what should we do?

Because there are many things that would be

technically possible and technically legal

but a bad idea.

For Natanz, it was a CIA-led operation,

so we had to have agency sign-off.

Gibney: Really?

Someone from the agency

stood behind the operator and the analyst

and gave the order to launch every attack.

Chien: Before they had even started this attack,

they put inside of the code the kill date,

a date at which it would stop operating.

O'Murchu: Cutoff dates, we don't normally see that

in other threats, and you have to think,

"well, why is there a cutoff date in there?"

And when you realize that, well, Stuxnet was probably

written by government and that there are laws

regarding how you can use this sort of software,

that there may have been a legal team who said, "No, you...

You need to have a cutoff date in there,

and you can only do this and you can only go that far

and we need to check if this is legal or not."

That date is a few days before Obama's inauguration.

So the theory was that this was an operation

that needed to be stopped at a certain time

because there was gonna be a handover

and that more approval was needed.

Are you prepared to take the oath, senator?

I am.

I, Barack Hussein Obama...

- I, Barack... - Do solemnly swear...

I, Barack Hussein Obama, do solemnly swear...

Sanger: Olympic Games was reauthorized by President Obama

in his first year in office, 2009.

It was fascinating because it was the first year of

the Obama administration and they would talk to you

endlessly about cyber defense.

Obama: We count on computer networks

to deliver our oil and gas, our power, and our water.

We rely on them for public transportation

and air traffic control.

But just as we failed in the past

to invest in our physical infrastructure,

our roads, our bridges, and rails,

we failed to invest in the security

of our digital infrastructure.

Sanger: He was running East Room events

trying to get people to focus on the need to

defend cyber networks

and defend American infrastructure.

But when you asked questions about the use of

offensive cyber weapons, everything went dead.

No cooperation.

White House wouldn't help, Pentagon wouldn't help,

NSA wouldn't help.

Nobody would talk to you about it.

But when you dug into the budget

for cyber spending during the Obama administration,

what you discovered was

much of it was being spent on offensive cyber weapons.

You see phrases like "Title 10 CNO."

Title 10 means operations for the U.S. military,

and CNO means Computer Network Operations.

This is considerable evidence

that Stuxnet was just the opening wedge

of what is a much broader U.S. government effort now

to develop an entire new class of weapons.

Chien: Stuxnet wasn't just an evolution.

It was really a revolution in the threat landscape.

In the past, the vast majority of threats that we saw

were always controlled by an operator somewhere.

They would infect your machines,

but they would have what's called a callback

or a command-and-control channel.

The threats would actually contact the operator

and say, what do you want me to do next?

And the operator would send down commands

and say, maybe, search through this directory,

find these folders, find these files,

upload these files to me, spread to this other machine,

things of that nature.

But Stuxnet couldn't have a command-and-control channel

because once it got inside in Natanz

it would not have been able to reach back out to the attackers.

The Natanz network is completely air-gapped

from the rest of the Internet.

It's not connected to the Internet.

It's its own isolated network.

Generally, getting across an air gap is...

is one of the more difficult challenges

that attackers will face just because of the fact that

there... everything is in place to prevent that.

You know, everything, you know, the policies and procedures

and the physical network that's in place is

specifically designed to prevent you crossing the air gap.

But there's no truly air-gapped network

in these real-world production environments.

People gotta get new code into Natanz.

People have to get log files off of this network in Natanz.

People have to upgrade equipment.

People have to upgrade computers.

This highlights one of the major

security issues that we have in the field.

If you think, "Well, nobody can attack

this power plant or this chemical plant

because it's not connected to the internet,"

that's a bizarre illusion.

NSA source: The first time we introduced the code into Natanz

we used human assets,

maybe CIA, more likely Mossad,

but our team was kept in the dark about the trade craft.

We heard rumors in Moscow,

an Iranian laptop infected by a phony Siemens technician

with a flash drive...

A double agent in Iran with access to Natanz,

but I don't really know.

What we had to focus on was to write the code

so that, once inside, the worm acted on its own.

They built in all the code and all the logic

into the threat to be able to operate all by itself.

It had the ability to spread by itself.

It had the ability to figure out, do I have the right PLCs?

Have I arrived in Natanz? Am I at the target?

Langner: And when it's on target,

it executes autonomously.

That also means you... You cannot call off the attack.

It was definitely the type of attack

where someone had decided

that this is what they wanted to do.

There was no turning back once Stuxnet was released.

When it began to actually execute its payload,

you would have a whole bunch of centrifuges

in a huge array of cascades sitting in a big hall.

And then just off that hall

you would have an operators room,

the control panels in front of them, a big window

where they could see into the hall.

Computers monitor the activities

of all these centrifuges.

So a centrifuge, it's driven by an electrical motor.

And the speed of this electrical motor

is controlled by another PLC,

by another programmable logic controller.

Chien: Stuxnet would wait for 13 days

before doing anything,

because 13 days is about the time it takes

to actually fill an entire cascade of centrifuges

with uranium.

They didn't want to attack when the centrifuges essentially

were empty or at the beginning of the enrichment process.

What Stuxnet did was it actually would sit there

during the 13 days and basically record

all of the normal activities

that were happening and save it.

And once they saw them spinning for 13 days,

then the attack occurred.

Centrifuges spin at incredible speeds,

about 1,000 hertz.

Langner: They have a safe operating speed,

63,000 revolutions per minute.

Chien: Stuxnet caused the uranium enrichment centrifuges

to spin up to 1,400 hertz.

Langner: Up to 80,000 revolutions per minute.

What would happen was those centrifuges

would go through what's called a resonance frequency.

It would go through a frequency at which the metal would

basically vibrate uncontrollably

and essentially shatter.

There'd be uranium gas everywhere.

And then the second attack they attempted

was they actually tried to lower it to two hertz.

They were slowed down to almost standstill.

Chien: And at two hertz, sort of an opposite effect occurs.

You can imagine a toy top that you spin

and as the top begins to slow down, it begins to wobble.

That's what would happen to these centrifuges.

They'd begin to wobble and essentially shatter

and fall apart.

And instead of sending back to the computer

what was really happening, it would send back

that old data that it had recorded.

So the computer's sitting there thinking,

"yep, running at 1,000 hertz, everything is fine.

Running at 1,000 hertz, everything is fine."

But those centrifuges are potentially spinning up wildly,

a huge noise would occur.

It'd be like, you know, a jet engine.

So the operators then would know, "Whoa,

something is going wrong here."

They might look at their monitors and say, "Hmm,

it says it's 1,000 hertz," but they would hear that in the room

something gravely bad was happening.

Not only are the operators fooled into thinking

everything's normal,

but also any kind of automated protective logic

is fooled.

Chien: You can't just turn these centrifuges off.

They have to be brought down in a very controlled manner.

And so they would hit, literally, the big red button

to initiate a graceful shutdown,

and Stuxnet intercepts that code.

So you would have these operators

slamming on that button over and over again

and nothing would happen.

Yadlin: If your cyber weapon is good enough,

if your enemy is not aware of it,

it is an ideal weapon, because the enemy

even don't understand what is happening to it.

Gibney: Maybe even better if the enemy begins to doubt

- their own capability. - Absolutely.

Certainly one must conclude

that what happened at Natanz

must have driven the engineers crazy,

because the worst thing that can happen

to a maintenance engineer is not being able to figure out

what the cause of specific trouble is.

So they must have been analyzing themselves to death.

Heinonen: You know, you see centrifuges blowing up.

You look the computer screens, they go with the proper speed.

There's a proper gas pressure. Everything looks beautiful.

Sanger: Through 2009 it was going pretty smoothly.

Centrifuges were blowing up.

The International Atomic Energy Agency inspectors

would go in to Natanz and they would see that

whole sections of the centrifuges had been removed.

The United States knew from its intelligence channels

that some Iranian scientists and engineers

were being fired because the centrifuges were blowing up

and the Iranians had assumed that this was because

they had been making errors or manufacturing mistakes.

Clearly this was somebody's fault.

So the program was doing

exactly what it was supposed to be doing,

which was it was blowing up centrifuges

and it was leaving no trace

and leaving the Iranians to wonder

what they got hit by.

This was the brilliance of Olympic Games.

You know, as a former director of a couple of big

3-letter agencies,

slowing down 1,000 centrifuges in Natanz...

Abnormally good.

There was a need for... for... For buying time.

There was a need for slowing them down.

There was the need to try to push them

to the negotiating table.

I mean, there are a lot of variables at play here.

Sanger: President Obama would

go down into the Situation Room,

and he would have laid out in front of him

what they called the horse blanket,

which was a giant schematic

of the Natanz nuclear enrichment plant.

And the designers of Olympic Games

would describe to him what kind of progress they made

and look for him for the authorization

to move on ahead to the next attack.

And at one point during those discussions,

he said to a number of his aides,

"You know, I have some concerns

because once word of this gets out,"

and eventually he knew it would get out,

"the Chinese may use it as an excuse

for their attacks on us. The Russians might or others."

So he clearly had some misgivings,

but they weren't big enough to stop him

from going ahead with the program.

And then in 2010,

a decision was made to change the code.

Our human assets

weren't always able to get code updates into Natanz

and we weren't told exactly why,

but we were told we had to have a cyber solution

for delivering the code.

But the delivery systems were tricky.

If they weren't aggressive enough, they wouldn't get in.

If they were too aggressive, they could spread

and be discovered.

Chien: When we got the first sample,

there was some configuration information inside of it.

And one of the pieces in there was a version number, 1.1

and that made us realize,

well, look, this likely isn't the only copy.

We went back through our databases looking for

anything that looks similar to Stuxnet.

Chien: As we began to collect more samples,

we found a few earlier versions of Stuxnet.

O'Murchu: And when we analyzed that code,

we saw that versions previous to 1.1

were a lot less aggressive.

The earlier version of Stuxnet,

it basically required humans to do a little bit

of double clicking in order for it to spread

from one computer to another.

And, so, what we believe after looking at that code

is two things,

one, either they didn't get in to Natanz

with that earlier version,

because it simply wasn't aggressive enough,

wasn't able to jump over that air gap,

and/or two, that payload as well

didn't work properly, didn't work to their satisfaction,

maybe was not explosive enough.

There were slightly different versions

which were aimed at different parts

of the centrifuge cascade.

Gibney: But the guys at Symantec figured you changed the code

because the first variations couldn't get in

and didn't work right.

Bullshit.

We always found a way to get across the air gap.

At TAO, we laughed when people thought they were

protected by an air gap.

And for OG, the early versions of the payload did work.

But What NSA did...

Was always low-key and subtle.

The problem was that Unit 8200, the Israelis,

kept pushing us to be more aggressive.

Chien: The later version of Stuxnet 1.1,

that version had multiple ways of spreading.

Had the four zero days inside of it, for example,

that allowed it to spread all by itself

without you doing anything.

It could spread via network shares.

It could spread via USB keys.

It was able to spread via network exploits.

That's the sample that introduced us

to stolen digital certificates.

That is the sample that, all of a sudden,

became so noisy

and caught the attention of the antivirus guys.

In the first sample we don't find that.

And this is very strange, because it tells us that

in the process of this development

the attackers were less concerned

with operational security.

Chien: Stuxnet actually kept a log inside of itself

of all the machines that it infected along the way

as it jumped from one machine to another

to another to another.

And we were able to gather up

all the samples that we could acquire,

tens of thousands of samples. We extracted all of those logs.

O'Murchu: We could see the exact path that Stuxnet took.

Chien: Eventually, we were able to trace back

this version of Stuxnet to ground zero,

to the first five infections in the world.

The first five infections are all outside the Natanz plant,

all inside of organizations inside of Iran,

all organizations that are involved in

industrial control systems and construction

of industrial control facilities,

clearly contractors who were working on the Natanz facility.

And the attackers knew that.

They were electrical companies. They were piping companies.

They were, you know, these sorts of companies.

And they knew... They knew the technicians

from those companies would visit Natanz.

So they would infect these companies

and then technicians would take their computer

or their laptop or their USB...

That operator then goes down to Natanz

and he plugs in his USB key, which has some code

that he needs to update into Natanz,

into the Natanz network,

and now Stuxnet is able to get inside Natanz

and conduct its attack.

These five companies were specifically targeted

to spread Stuxnet into Natanz

and that it wasn't that... that Stuxnet escaped out of Natanz

and then spread all over the world

and it was this big mistake and "oh, it wasn't meant

to spread that far but it really did."

No, that's not the way we see it.

The way we see it is that they wanted it to spread far

so that they could get it into Natanz.

Someone decided that we're gonna create something new,

something evolved,

that's gonna be far, far, far more aggressive.

And we're okay, frankly,

with it spreading all over the world to innocent machines

in order to go after our target.

The Mossad had the role, had the... the assignment

to deliver the virus to make sure that Stuxnet

would be put in place in Natanz to affect the centrifuges.

Meir Dagan, the head of Mossad,

was under growing pressure from the prime minister,

Benjamin Netanyahu, to produce results.

Inside the ROC,

we were furious.

The Israelis took our code for the delivery system

and changed it.

Then, on their own, without our agreement,

they just fucking launched it.

2010 around the same time

they started killing Iranian scientists...

And they fucked up the code!

Instead of hiding,

the code started shutting down computers,

so naturally, people noticed.

Because they were in a hurry, they opened Pandora’s Box.

They let it out

and it spread all over the world.

Gibney: The worm spread quickly

but somehow it remained unseen

until it was identified in Belarus.

Soon after, Israeli intelligence confirmed

that it had made its way into the hands

of the Russian federal security service,

a successor to the KGB.

So it happened that the formula for a secret cyber weapon

designed by the U.S. and Israel

fell into the hands of Russia

and the very country it was meant to attack.

Kiyaei: In international law,

when some country or a coalition of countries

targets a nuclear facility, it's an act of war.

Please, let's be frank here.

If it wasn't Iran,

let's say a nuclear facility in the United States...

Was targeted in the same way...

The American government

would not sit by and let this go.

Gibney: Stuxnet is an attack in peacetime

on critical infrastructures.

Yes, it is. I'm... Look, when I read about it,

I read it, I go, "whoa, this is a big deal."

Yeah.

Sanger: The people who were running this program,

including Leon Panetta,

the director of the CIA at the time,

had to go down into the situation room

and face President Obama,

Vice President Biden and explain that this program

was suddenly on the loose.

Vice President Biden,

at one point during this discussion,

sort of exploded in Biden-esque fashion

and blamed the Israelis.

He said, "It must have been the Israelis

who made a change in the code

that enabled it to get out."

Richard Clarke: President Obama said to the senior leadership,

"You told me it wouldn't get out of the network. It did.

You told me the Iranians would never figure out

it was the United States. They did.

You told me it would have a huge effect

on their nuclear program, and it didn't."

Sanger: The Natanz plant is inspected every couple of weeks

by the International Atomic Energy Agency inspectors.

And if you line up what you know about the attacks

with the inspection reports, you can see the effects.

Heinonen: If you go to the IAEA reports,

they really show that all of those centrifuges

were switched off and they were removed.

As much as almost a couple of thousand got compromised.

When you put this all together,

I wouldn't be surprised if their program got delayed

by one year.

But go then to the years 2012-13

and look at how the centrifuges started to come up again.

Kiyaei: Iran's number of centrifuges

went up exponentially,

to 20,000, with a stockpile of low enriched uranium.

This isn't... These are high numbers.

Iran's nuclear facilities expanded

with the construction of Fordow

and other highly protected facilities.

So ironically, cyber warfare...

Assassination of its nuclear scientists,

economic sanctions, political isolation...

Iran has gone through "a" to "x"

of every course of policy that the U.S., Israel,

and those who ally with them have placed on Iran,

and they have actually made Iran's nuclear program

more advanced today than it was ever before.

Mossad operative: This is a very

very dangerous minefield that we are walking,

and nations who decide

to take these covert actions

should be taking into consideration

all the effects, including the moral effects.

I would say that this is the price

that we have to pay in this... In this war,

and our blade of righteousness

shouldn't be so sharp.

Gibney: In Israel and in the United States,

the blade of righteousness cut both ways,

wounding the targets and the attackers.

When Stuxnet infected American computers,

the Department of Homeland Security,

unaware of the cyber weapon's launch by the NSA,

devoted enormous resources trying to protect Americans

from their own government.

We had met the enemy and it was us.

Sean Paul McGurk: The purpose of the watch stations that

you see in front of you is to aggregate the data

coming in from multiple feeds

of what the cyber threats could be,

so if we see threats

we can provide real-time recommendations

for both private companies, as well as federal agencies.

Male journalist: Can you give us a readout on this Stuxnet virus?

Yep, absolutely. We'd be more than happy to discuss that.

Female journalist: Sean, is it...

McGurk: Early July of 2010 we received a call

that said that this piece of malware was discovered

and could we take a look at it.

When we first started the analysis,

there was that "Oh, crap" moment, you know,

where we sat there and said, this is something

that's significant.

It's impacting industrial control.

It can disrupt it to the point where it could cause harm

and not only damage to the equipment,

but potentially harm or loss of life.

We were very concerned because Stuxnet

was something that we had not seen before.

So there wasn't a lot of sleep that night.

Basically, light up the phones, call everybody we know,

inform the secretary, inform the White House,

inform the other departments and agencies,

wake up the world, and figure out what's going on

with this particular malware.

Good morning, Chairman Lieberman,

Ranking Member Collins.

Something as simple and innocuous as this

becomes a challenge for all of us to maintain

accountability control of our critical infrastructure systems.

This actually contains the Stuxnet virus.

I've been asked on a number of occasions,

"did you ever think this was us?"

And at... at no point did that ever really cross our mind,

because we were looking at it from the standpoint of,

is this something that's coming after the homeland?

You know, what... what's going to potentially impact,

you know, our industrial control base here in the United States?

You know, I liken it to, you know, field of battle.

You don't think the sniper that's behind you

is gonna be shooting at you,

'cause you expect him to be on your side.

We really don't know who the attacker was

in the Stuxnet case.

So help us understand a little more

what this thing is

whose origin and destination we don't understand.

Gibney: Did anybody ever give you any indication

that it was something that they already knew about?

No, at no time did I get the impression from someone

that that's okay, you know, get the little pat on the head,

and... and scooted out the door.

I never received a stand-down order.

I never... no one ever asked, "Stop looking at this."

Do we think that this was a nation-state actor

and that there are a limited number of nation-states

that have such advanced capacity?

Gibney: Sean McGurk, the director of cyber

for the Department of Homeland Security,

testified before the Senate about how he thought

Stuxnet was a terrifying threat to the United States.

Is that not a problem?

I don't... and... and how... How do you mean?

That Stuxnet was a bad idea?

Gibney: No, no, no, just that before he knew what it was

- and what it attacks... - Oh, I... I get it.

- Gibney: Yeah... - Yeah,

he was responding to something that we...

Gibney: He thought it was a threat

to critical infrastructure in the United States.

Yeah. The worm is loose!

Gibney: The worm is loose. I understand.

But there's... There's a further theory

having to do with whether or not,

following upon David Sanger...

I got the subplot, and who did that?

Was it the Israelis? And, yeah, I...

I truly don't know, and even though I don't know,

I still can't talk about it, all right?

Stuxnet was somebody's covert action, all right?

And the definition of covert action

is an activity in which you want to have the hand

of the actor forever hidden.

So by definition, it's gonna end up in this

"We don't talk about these things" box.

Sanger: To this day, the United States government

has never acknowledged

conducting any offensive cyber attack anywhere in the world.

But thanks to Mr. Snowden, we know that in 2012

President Obama issued an executive order

that laid out some of the conditions

under which cyber weapons can be used.

And interestingly, every use of a cyber weapon

requires presidential sign-off.

That is only true in the physical world

for nuclear weapons.

Clarke: Nuclear war and nuclear weapons are vastly different

from cyber war and cyber weapons.

Having said that, there are some similarities.

And in the early 1960s,

the United States government suddenly realized

it had thousands of nuclear weapons,

big ones and little ones,

weapons on jeeps, weapons on submarines,

and it really didn't have a doctrine.

It really didn't have a strategy.

It really didn't have an understanding

at the policy level about how it was going to use

all of these things.

And so academics

started publishing unclassified documents

about nuclear war and nuclear weapons.

Sanger: And the result was

more than 20 years, in the United States,

of very vigorous national debates

about how we want to go use nuclear weapons.

And not only did that cause Congress

and people in the executive branch in Washington

to think about these things,

it caused the Russians to think about these things.

And out of that grew nuclear doctrine,

mutual assured destruction,

all of that complicated set of nuclear dynamics.

Today, on this vital issue at least,

we have seen what can be accomplished

when we pull together.

We can't have that discussion in a sensible way right now

about cyber war and cyber weapons

because everything is secret.

And when you get into a discussion

with people in the government, people still in the government,

people who have security clearances,

you run into a brick wall.

Trying to stop Iran

is really the... my number one job, and I think...

Host: And let me ask you, in that context,

about the Stuxnet computer virus potentially...

You can ask, but I won't comment.

Host: Can you tell us anything?

No.

What do you think has had the most impact

on their nuclear decision-making,

the Stuxnet virus?

I can't talk about Stuxnet.

I can't even talk about the operation of Iran centrifuges.

Was the U.S. involved in any way

in the development of Stuxnet?

It's hard to get into any kind of comment on that

till we've finished any... Our examination.

But, sir, I'm not asking you

if you think another country was involved.

I'm asking you if the U.S. was involved.

And we're... This is not something

that we're gonna be able to answer at this point.

Look, for the longest time, I was in fear that

I couldn't actually say the phrase

"computer network attack."

This stuff is hideously overclassified,

and it gets into the way of a...

Of a mature public discussion

as to what it is we as a democracy

want our nation to be doing up here in the cyber domain.

Now, this is a former director of NSA and CIA

saying this stuff is overclassified.

One of the reasons this is as highly classified as it is:

this is a peculiar weapons system.

This is a weapons system that's come out of

the espionage community,

and... and so those people have a habit of secrecy.

Secrecy is still justifiable in certain cases

to protect sources or to protect national security

but when we deal with secrecy, don't hide behind it

to use as an excuse to not disclose something properly

that you know should be

or that the American people

need ultimately to see.

Gibney: While most government officials refused

to acknowledge the operation,

at least one key insider did leak parts of the story

to the press.

In 2012, David Sanger wrote a detailed account

of Olympic Games that unmasked the extensive joint operation

between the U.S. and Israel

to launch cyber attacks on Natanz.

Sanger: The publication of this story

coming at a time that turned out that there were

a number of other unrelated national security stories

being published, led to the announcement

of investigations by the Attorney General.

Gibney: In... into the press and into the leaks?

Into the press and into the leaks.

Gibney: Soon after the article,

the Obama administration targeted

General James Cartwright in a criminal investigation

for allegedly leaking

classified details about Stuxnet.

Journalist: There are reports of cyber attacks

on the Iranian nuclear program that you ordered.

What's your reaction to this information getting out?

Well, first of all, I'm not gonna comment on the...

The details of... what are...

Supposed to be classified items.

Since I've been in office, my attitude has been

zero tolerance for these kinds of leaks.

We have mechanisms in place

where, if we can root out folks who have leaked,

they will suffer consequences.

It became a significant issue

and a very wide-ranging investigation

in which I think most of the people who were cleared

for Olympic Games at some point

had been, you know, interviewed and so forth.

When Stuxnet hit the media,

they polygraphed everyone in our office,

including people who didn't know shit.

You know, they polyed the interns, for god's sake.

These are criminal acts

when they release information like this,

and we will conduct thorough investigations

as we have in the past.

Gibney: The administration never filed charges,

possibly afraid that a prosecution

would reveal classified details about Stuxnet.

To this day, no one in the U.S. or Israeli governments

has officially acknowledged the existence

of the joint operation.

I would never compromise

ongoing operations in the field,

but we should be able to talk about capability.

We can talk about our...

Bunker busters, why not our cyber weapons?

I mean, the secrecy

of the operation has been blown.

Our friends in Israel took a weapon

that we jointly developed,

in part to keep Israel from doing something crazy,

and then used it on their own in a way

that blew the cover of the operation

and could have led to war.

And we can't talk about that?

Mowatt-Larssen: There's a way to talk about Stuxnet.

It happened.

That... to deny that it happened is... is foolish.

So the fact it happened

is really what we're talking about here.

What does... What are the implications

of the fact that we now are in a post-Stuxnet world?

What I said to David Sanger was,

"I understand the difference in destruction is dramatic,

but this has the whiff of August 1945."

Somebody just used a new weapon,

and this weapon will not be put back into the box.

I... I know no operational details

and don't know what anyone did or didn't do

before someone decided to use the weapon, all right.

I do know this.

If we go out and do something,

most of the rest of the world now thinks

that's the new standard

and it's something that they now feel legitimated to do as well.

But the rules of engagement,

international norms, treaty standards,

they don't exist right now.

Brown: The law of war, because it began to develop so long ago

is really dependent on thinking of things kinetically

and the physical realm.

So for example, we think in terms of attacks.

You know an attack when it happens in the kinetic world.

It's not really much of a mystery.

But in cyberspace it is sort of confusing to think,

how far do we have to go

before something is considered an attack?

So we have to take all the vocabulary

and the terms that we use in strategy

and military operations

and adapt them into the cyber realm.

Sanger: For nuclear we have these

extensive inspection regimes.

The Russians come and look at our silos.

We go and look at their silos.

Bad as things get between the two countries,

those inspection regimes have held up.

But working that out for... For cyber

would be virtually impossible.

Where do you send your inspector?

Inside the laptop of, you know...

How many laptops are there in the United States and Russia?

It's much more difficult in the cyber area

to construct an international regime

based on treaty commitments and rules of the road

and so forth.

Although, we've tried to have discussions with the Chinese

and Russians and so forth about that,

but it's very difficult.

Brown: Right now, the norm in cyberspace is

do whatever you can get away with.

That's not a good norm, but it's the norm that we have.

That's the norm that's preferred by states

that are engaging in lots of different kinds of activities

that they feel are benefiting their national security.

Yadlin: Those who excel in cyber

are trying to slow down the process

of creating regulation.

Those who are victims, we like the regulation

to be in the open as... As soon as possible.

Brown: International law in this area is written by custom,

and customary law requires a nation to say,

this is what we did and this is why we did it.

And the U.S. doesn't want to push the law in that direction

and so it chooses not to disclose its involvement.

And one of the reasons that I thought it was important

to tell the story of Olympic Games

was not simply because it's a cool spy story,

it is, but it's because as a nation...

We need to have a debate about how we want to use cyber weapons

because we are the most vulnerable nation on earth

to cyber-attack ourselves.

McGurk: If you get up in the morning and turn off your alarm

and make coffee and pump gas and use the ATM,

you've touched industrial control systems.

It's what powers our lives.

And unfortunately, these systems are connected

and interconnected in some ways that make them vulnerable.

Critical infrastructure systems generally were built

years and years and years ago without security in mind

and they didn't realize how things were gonna change,

maybe they weren't even meant to be connected to the Internet.

And we've seen, through a lot of experimentation

and through also, unfortunately, a lot of attacks

that most of these systems are relatively easy

for a sophisticated hacker to get into.

Let's say you took over the control system

of a railway. You could switch tracks.

You could cause derailments of trains

carrying explosive materials.

What if you were in the control system of gas pipelines

and when a valve was supposed to be open,

it was closed and the pressure built up

and the pipeline exploded?

There are companies that run electric power generation

or electric power distribution

that we know have been hacked

by foreign entities that have the ability

to shut down the power grid.

Sanger: Imagine for a moment

that not only all the power went off on the east coast,

but the entire Internet came down.

Imagine what the economic impact of that is

even if it only lasted for 24 hours.

Newsreader: According to the officials,

Iran is the first country ever in the Middle East

to actually be engaged in a cyber war

with the United States and Israel.

If anything they said the recent cyber attacks

were what encouraged them to plan to set up

the cyber army, which will gather computer scientists,

programmers, software engineers...

Kiyaei: If you are a youth and you see assassination

of a nuclear scientist,

your nuclear facilities are getting attacked,

wouldn't you join your national cyber army?

Well, many did.

And that's why today, Iran has one of the largest...

Cyber armies in the world.

So whoever initiated this

and was very proud of themselves to see that little dip

in Iran's centrifuge numbers, should look back now

and acknowledge that it was a major mistake.

Very quickly, Iran sent a message

to the United States, very sophisticated message,

and they did that with two attacks.

First, they attacked Saudi Aramco,

the biggest oil company in the world,

and wiped out every piece of software,

every line of code, on 30,000 computer devices.

Then Iran did a surge attack on the American banks.

The most extensive attack on American banks ever

launched from the Middle East, happening right now.

Newsreader: Millions of customers

trying to bank online this week blocked, among the targets,

Bank of America, PNC, and Wells Fargo.

The U.S. suspects hackers in Iran may be involved.

NSA source: When Iran hit our banks,

we could have shut down their botnet,

but the State Department got nervous,

because the servers weren't actually in Iran.

So until there was a diplomatic solution,

Obama let the private sector deal with the problem.

I imagine that in the White House situation room

people sat around and said...

Let me be clear, I don't imagine, I know.

People sat around in the White House situation room

and said, "the Iranians have sent us a message

which is essentially, 'stop attacking us in cyberspace

the way you did at Natanz with Stuxnet.

We can do it, too.'"

Melman: There are unintended consequences

of the Stuxnet attack.

You wanted to cause confusion and damage to the other side,

but then the other side can do the same to you.

The monster turned against its creators,

and now everyone is in this game.

They did a good job in showing the world,

including the bad guys, what you would need to do

in order to cause serious trouble

that could lead to injuries and death.

It's inevitable that more countries will acquire

the capacity to use cyber,

both for espionage and for destructive activities.

And we've seen this in some of the recent conflicts

that Russia's been involved in.

If there's a war, then somebody will try to knock out

our communication system or the radar.

McGurk: State-sponsored cyber sleeper cells,

they're out there everywhere today.

It could be for communications purposes.

It could be for data exfiltration.

It could be to, you know, shepherd in the next Stuxnet.

I mean, you've been focusing on Stuxnet,

but that was just a small part

of a much larger Iranian mission.

Gibney: There was a larger Iranian mission?

Nitro Zeus. NZ.

We spent hundreds of millions, maybe billions on it.

In the event the Israelis did attack Iran,

we assumed we would be drawn into the conflict.

We built in attacks on Iran's command-and-control system

so the Iranians couldn't talk to each other in a fight.

We infiltrated their IADS (Integrated Air Defense System), military air defense systems,

so they couldn't shoot down our planes if we flew over.

We also went after their civilian support systems,

power grids, transportation,

communications, financial systems.

We were inside waiting, watching,

ready to disrupt, degrade, and destroy those systems

with cyber-attacks.

And in comparison,

Stuxnet was a back alley operation.

NZ was the plan for a full-scale cyber war

with no attribution.

The question is, is that the kind of world

we want to live in?

And if we don't, as citizens, how do we go about a process

where we have a more sane discussion?

We need an entirely new way of thinking about

how we're gonna solve this problem.

You're not going to get an entirely new way

of solving this problem

until you begin to have an open acknowledgment

that we have cyber weapons as well,

and that we may have to agree to some limits on their use

if we're going to get other nations to limit their use.

It's not gonna be a one-way street.

I'm old enough to have worked on nuclear arms control

and biological weapons arms control

and chemical weapons arms control.

And I was told in each of those types of arms control,

when we were beginning,

"It's too hard. There are all these problems.

It's technical. There's engineering.

There's science involved.

There are real verification difficulties.

You'll never get there."

Well, it took 20, 30 years in some cases,

but we have a biological weapons treaty

that's pretty damn good.

We have a chemical weapons treaty

that's pretty damn good.

We've got three or four nuclear weapons treaties.

Yes, it may be hard,

and it may take 20 or 30 years,

but it'll never happen unless you get serious about it,

and it'll never happen unless you start it.

Today, after two years of negotiations,

the United States, together with our international partners,

has achieved something that decades of animosity have not,

a comprehensive, long-term deal

with Iran that will prevent it from obtaining a nuclear weapon.

It was reached in Lausanne, Switzerland,

by Iran, the U.S., Britain, France,

Germany, Russia, and China.

It is a deal in which Iran will cut

its installed centrifuges by more than two thirds.

Iran will not enrich uranium with its advanced centrifuges

for at least the next ten years.

It will make our country, our allies,

and our world safer.

Netanyahu: Seventy years after the murder of 6 million Jews

Iran's rulers promised to destroy my country,

and the response from nearly every one of the governments

represented here has been utter silence.

Deafening silence.

Perhaps you can now understand

why Israel is not joining you in celebrating this deal.

History shows that America must lead,

not just with our might, but with our principles.

It shows we are stronger, not when we are alone,

but when we bring the world together.

Today's announcement marks one more chapter

in this pursuit of a safer and more helpful,

more hopeful world. Thank you.

God bless you, and God bless the United States of America.

NSA source: Everyone I know is basically

thrilled with the Iran deal.

Sanctions and diplomacy worked.

But behind that deal was a lot of confidence

in our cyber capability.

We were everywhere inside Iran. Still are.

I'm not gonna tell you the operational details

of what we can do going forward or where...

But the science fiction cyber war scenario is here.

That's Nitro Zeus.

But my concern and the reason I'm talking...

is because when you shut down a country's power grid...

It doesn't just pop back up, you know?

It's more like Humpty-Dumpty...

And if all the King's men can't turn the lights back on

or filter the water for weeks,

then lots of people die.

And something we can do to others,

they can do to us too.

Is that something that we should keep quiet?

Or should we talk about it?

Gibney: I've gone to many people in this film,

even friends of mine, who won't talk to me

about the NSA or Stuxnet even off the record

for fear of going to jail.

Is that fear protecting us?

No, but it protects me.

Or should I say we?

I'm an actor playing a role

written from the testimony of a small number of people

from NSA and CIA,

all of whom are angry about the secrecy

but too scared to come forward.

Now, we're forward.

Well, forward-leaning.