All language subtitles for cyberwar.s01e06.720p.hdtv.x264-w4f_Track02

These are the user uploaded subtitles that are being translated:

1
00:00:01,702 --> 00:00:03,402
BEN: A secret facility in Iran renews fears

2
00:00:03,437 --> 00:00:05,003
of a nuclear threat.

3
00:00:05,039 --> 00:00:08,373
The nations of the world must not permit the Iranian regime

4
00:00:08,409 --> 00:00:10,075
to gain nuclear weapons.

5
00:00:10,110 --> 00:00:12,511
A computer virus that has never been seen before.

6
00:00:12,546 --> 00:00:14,213
This isn't two kids in a basement in Kansas

7
00:00:14,248 --> 00:00:15,514
throwing some code together.

8
00:00:15,549 --> 00:00:18,317
The virus sabotages that secret facility.

9
00:00:18,352 --> 00:00:21,486
It used very advanced capabilities to cover itself

10
00:00:21,522 --> 00:00:23,255
or obfuscate itself.

11
00:00:23,290 --> 00:00:25,524
Who built it and why is a mystery.

12
00:00:25,559 --> 00:00:27,259
This was an act of war.

13
00:00:27,294 --> 00:00:29,461
It was an act of war without there being a war.

14
00:00:29,496 --> 00:00:32,497
Stuxnet is the world's first known cyberweapon.

15
00:00:34,602 --> 00:00:44,610
♪

16
00:00:53,954 --> 00:00:56,355
There are conflicts being waged all around us,

17
00:00:56,390 --> 00:00:58,190
ones we can't see.

18
00:00:58,225 --> 00:01:00,892
Hackers are poised to dominate the 21st century,

19
00:01:00,928 --> 00:01:03,595
reshaping geopolitical landscapes.

20
00:01:03,631 --> 00:01:05,697
Sometimes on behalf of terrorists, but often

21
00:01:05,733 --> 00:01:08,233
for governments, or just because they think it's right.

22
00:01:10,337 --> 00:01:12,237
As a reporter, I've been covering national security for

23
00:01:12,273 --> 00:01:15,741
VICE, and increasingly my job is to track these digital battles.

24
00:01:17,077 --> 00:01:18,877
There's one computer virus that really showed how far

25
00:01:18,912 --> 00:01:20,712
everything had come.

26
00:01:20,748 --> 00:01:23,382
In the early 2000s, the US began to fear that Iran,

27
00:01:23,417 --> 00:01:26,985
its sworn enemy since 1979, was secretly developing

28
00:01:27,021 --> 00:01:29,087
its own nuclear weapons.

29
00:01:29,123 --> 00:01:31,089
The UN responded with sanctions.

30
00:01:31,125 --> 00:01:33,158
The US and Israel threatened war.

31
00:01:33,193 --> 00:01:36,128
And then a mysterious computer virus dubbed Stuxnet

32
00:01:36,163 --> 00:01:38,563
appeared in June 2010.

33
00:01:41,468 --> 00:01:44,670
We're headed to Symantec - yes, the same company that's

34
00:01:44,705 --> 00:01:48,407
protecting your desktop from malware - to talk to an engineer

35
00:01:48,442 --> 00:01:51,710
and expert who forensically took apart Stuxnet and figured out

36
00:01:51,745 --> 00:01:54,846
that it wasn't just some run-of-the-mill Trojan virus.

37
00:01:58,886 --> 00:02:01,920
I got in touch with Symantec security researcher Eric Chien.

38
00:02:01,955 --> 00:02:04,122
He did some of the most in-depth analysis of the virus

39
00:02:04,158 --> 00:02:05,757
when it first appeared.

40
00:02:05,793 --> 00:02:08,527
The average threat that we look at can take us 5 to 20 minutes

41
00:02:08,562 --> 00:02:11,663
to look at, and we know exactly what it does.

42
00:02:11,699 --> 00:02:16,335
And Stuxnet took us months, more than 3 months to look at.

43
00:02:16,370 --> 00:02:19,938
So just-- can give you a sense of how difficult,

44
00:02:19,973 --> 00:02:23,342
how large and how complicated the threat was.

45
00:02:23,377 --> 00:02:26,111
So why don't you tell me how you discovered Stuxnet.

46
00:02:26,146 --> 00:02:29,047
So basically what happened was another security company

47
00:02:29,083 --> 00:02:32,517
that was based in Belarus found this binary,

48
00:02:32,553 --> 00:02:34,519
and it had something in it that was called a zero-day.

49
00:02:34,555 --> 00:02:36,121
Why don't you tell me what a zero-day is.

50
00:02:36,156 --> 00:02:39,358
A zero-day basically is when you have what's called

51
00:02:39,393 --> 00:02:41,960
a vulnerability, or you have a hole sort of in your computer,

52
00:02:41,995 --> 00:02:44,496
a bug of some sort that allows someone to

53
00:02:44,531 --> 00:02:46,965
execute code on your machine without you knowing it.

54
00:02:47,000 --> 00:02:49,468
Your computer just has to be on and maybe even connected

55
00:02:49,503 --> 00:02:51,069
to the internet, and that's it.

56
00:02:51,105 --> 00:02:53,138
You don't have to be logged in, you don't have to be browsing

57
00:02:53,173 --> 00:02:55,073
the web, you don't have to double click on any files,

58
00:02:55,109 --> 00:02:57,242
and so that means you have no way to protect yourself.

59
00:02:57,277 --> 00:02:58,744
What about it had you never seen before?

60
00:02:58,779 --> 00:03:00,178
An average threat doesn't have

61
00:03:00,214 --> 00:03:01,713
any sort of exploit inside of it.

62
00:03:01,749 --> 00:03:04,149
This thing had four zero-days inside of it.

63
00:03:04,184 --> 00:03:05,884
What sets a zero-day apart

64
00:03:05,919 --> 00:03:08,653
is that it's a security flaw that there's no fix for.

65
00:03:08,689 --> 00:03:10,922
Zero-days are incredibly rare, and for that reason,

66
00:03:10,958 --> 00:03:13,024
incredibly valuable.

67
00:03:13,060 --> 00:03:16,094
What was the specifics of it that set off an alarm?

68
00:03:16,130 --> 00:03:18,163
ERIC: There was these SCADA strings inside.

69
00:03:18,198 --> 00:03:21,833
SCADA basically is technology that's controlling robots

70
00:03:21,869 --> 00:03:25,370
and automation, or power plants and things like that.

71
00:03:25,406 --> 00:03:26,938
And we had never seen a threat

72
00:03:26,974 --> 00:03:29,107
that mentioned anything to do with SCADA.

73
00:03:29,143 --> 00:03:31,443
This thing could actually be attacking some sort of

74
00:03:31,478 --> 00:03:32,844
national critical infrastructure.

75
00:03:32,880 --> 00:03:34,613
This isn't like two kids in a basement in Kansas

76
00:03:34,648 --> 00:03:36,014
throwing some code together.

77
00:03:36,049 --> 00:03:37,682
This thing had a full-on framework,

78
00:03:37,718 --> 00:03:39,684
clearly had quality assurance behind it.

79
00:03:39,720 --> 00:03:41,420
We're talking about something that is just

80
00:03:41,455 --> 00:03:44,022
orders of magnitude greater than we've ever seen before.

81
00:03:45,793 --> 00:03:48,360
As their investigation deepened, Eric and his team realized

82
00:03:48,395 --> 00:03:50,695
Stuxnet was designed to target computers

83
00:03:50,731 --> 00:03:54,433
using Siemens' proprietary software called STEP 7.

84
00:03:54,468 --> 00:03:59,137
What first caught our eye were all these strings like S7,

85
00:03:59,173 --> 00:04:02,040
and we began to sort of google those sorts of strings.

86
00:04:02,075 --> 00:04:04,876
We saw "WinCC" and we saw "STEP 7".

87
00:04:04,912 --> 00:04:07,412
And when we looked those up, we determined that this

88
00:04:07,448 --> 00:04:10,782
was actually software that would control PLCs.

89
00:04:10,818 --> 00:04:14,052
PLCs are Programmable Logic Controllers, computer systems

90
00:04:14,087 --> 00:04:17,122
used for converting digital code into physical commands

91
00:04:17,157 --> 00:04:19,991
that automate everything from factory machinery

92
00:04:20,027 --> 00:04:21,560
to heating and cooling systems.

93
00:04:24,097 --> 00:04:25,330
Eric now found himself

94
00:04:25,365 --> 00:04:27,165
in unknown territory, so he reached out to

95
00:04:27,201 --> 00:04:29,100
the international security community.

96
00:04:29,136 --> 00:04:32,103
We were sending out blogs all throughout that summer

97
00:04:32,139 --> 00:04:35,140
telling people if you are a PLC expert, if you're an expert

98
00:04:35,175 --> 00:04:37,742
in critical national infrastructure, contact us.

99
00:04:37,778 --> 00:04:40,512
Because we didn't even know what a PLC was at that time.

100
00:04:40,547 --> 00:04:42,013
Eric and his team learned that

101
00:04:42,049 --> 00:04:44,983
PLCs are extremely vulnerable to cyber attacks,

102
00:04:45,018 --> 00:04:48,153
but he still didn't know which machines were the targets.

103
00:04:48,188 --> 00:04:51,423
This sophisticated malware, or malicious code, was detected

104
00:04:51,458 --> 00:04:55,293
on industrial control systems around the world.

105
00:04:55,329 --> 00:04:56,995
Cybersecurity analysts were puzzled.

106
00:04:59,466 --> 00:05:01,700
At the same time, Homeland Security was also trying

107
00:05:01,735 --> 00:05:03,802
to understand the virus.

108
00:05:03,837 --> 00:05:05,871
Sean McGurk was the director of NCCIC,

109
00:05:05,906 --> 00:05:08,607
the cyber branch of the Department of Homeland Security,

110
00:05:08,642 --> 00:05:10,475
when Stuxnet was identified.

111
00:05:10,511 --> 00:05:13,612
What did your team see when they took it apart?

112
00:05:13,647 --> 00:05:16,314
Well, the first thing we saw was that it was very sophisticated

113
00:05:16,350 --> 00:05:17,949
in its communications capability.

114
00:05:17,985 --> 00:05:20,719
So if you think of Stuxnet like a kinetic device,

115
00:05:20,754 --> 00:05:24,523
like a missile, you had the delivery vehicle,

116
00:05:24,558 --> 00:05:27,859
that which put the payload on target if you will,

117
00:05:27,895 --> 00:05:29,494
and then the payload itself.

118
00:05:29,530 --> 00:05:31,663
And there were very unique characteristics to both.

119
00:05:32,933 --> 00:05:36,401
Stuxnet's ability to do digital reconnaissance without control,

120
00:05:36,436 --> 00:05:39,471
it was essentially a digital, you know,

121
00:05:39,506 --> 00:05:41,673
fire and forget type of approach.

122
00:05:41,708 --> 00:05:44,743
The fact that it used four zero-day vulnerabilities

123
00:05:44,778 --> 00:05:47,646
to gain access to the network is something that

124
00:05:47,681 --> 00:05:51,483
you had not seen in code before, someone willing to risk

125
00:05:51,518 --> 00:05:55,053
that many zero-days in order to get it on place.

126
00:05:55,088 --> 00:05:57,989
And then when we saw the payload part, which was actually

127
00:05:58,025 --> 00:06:01,259
specifically targeting an industrial control environment,

128
00:06:01,295 --> 00:06:05,931
that really for us became a very significant event.

129
00:06:05,966 --> 00:06:09,234
Because normal malware doesn't go after control systems,

130
00:06:09,269 --> 00:06:11,770
and this was specifically focused on control systems.

131
00:06:13,540 --> 00:06:15,340
ERIC: It was non-stop for weeks.

132
00:06:15,375 --> 00:06:17,842
This was all we thought about, all we worked on.

133
00:06:17,878 --> 00:06:20,612
And you can imagine, it was a really big shift

134
00:06:20,647 --> 00:06:22,881
from what we had done before.

135
00:06:22,916 --> 00:06:25,050
The average threat we would finish in 5 to 20 minutes.

136
00:06:25,085 --> 00:06:27,085
And here we were, sitting on the same threat,

137
00:06:27,120 --> 00:06:29,621
day after day, hour after hour, night after night.

138
00:06:29,656 --> 00:06:32,223
And, you know, we weren't getting bored.

139
00:06:32,259 --> 00:06:34,893
Every single day, every single week,

140
00:06:34,928 --> 00:06:36,761
we were discovering new little clues,

141
00:06:36,797 --> 00:06:39,064
new little breadcrumbs that kept us going,

142
00:06:39,099 --> 00:06:42,801
and kept us digging, and kept us looking until basically November

143
00:06:42,836 --> 00:06:45,370
when we finally figured out that this thing was indeed

144
00:06:45,405 --> 00:06:47,606
sabotage on Natanz.

145
00:06:49,076 --> 00:06:50,609
In what was basically an accident,

146
00:06:50,644 --> 00:06:52,310
Eric and his team found themselves embroiled

147
00:06:52,346 --> 00:06:54,879
in a real life international spy thriller.

148
00:06:54,915 --> 00:06:57,816
Complex malicious code had been written specifically

149
00:06:57,851 --> 00:07:00,552
to take out Iran's nuclear facilities,

150
00:07:00,587 --> 00:07:02,954
while its authors remained in the shadows.

151
00:07:08,795 --> 00:07:10,695
BEN: In 2002, the world discovered that Iran

152
00:07:10,731 --> 00:07:12,931
had been building a secret uranium enrichment facility

153
00:07:12,966 --> 00:07:14,666
near the town of Natanz.

154
00:07:16,703 --> 00:07:18,036
The Stuxnet computer virus

155
00:07:18,071 --> 00:07:20,005
has a direct link to this controversial plant.

156
00:07:20,040 --> 00:07:22,807
The fact that Iran never declared the plant

157
00:07:22,843 --> 00:07:24,275
made it suspicious.

158
00:07:24,311 --> 00:07:26,811
That was a breach of Iran's obligations.

159
00:07:26,847 --> 00:07:29,714
James Acton knows nuclear policy inside out.

160
00:07:29,750 --> 00:07:32,784
He also keeps tabs on the work of the IAEA,

161
00:07:32,819 --> 00:07:35,220
or the International Atomic Energy Agency,

162
00:07:35,255 --> 00:07:36,721
the world's nuclear watchdog.

163
00:07:36,757 --> 00:07:39,491
Can you tell me what the climate was

164
00:07:39,526 --> 00:07:41,626
around the discovery of Natanz?

165
00:07:41,662 --> 00:07:44,396
You know, Iran's a member of the Non-Proliferation Treaty.

166
00:07:44,431 --> 00:07:47,666
And one of the requirements of that is that you're allowed to

167
00:07:47,701 --> 00:07:50,468
do pretty much anything you'd like in the nuclear field

168
00:07:50,504 --> 00:07:53,471
short of building a bomb, but you have to declare it.

169
00:07:53,507 --> 00:07:56,675
And not declaring nuclear facilities

170
00:07:56,710 --> 00:07:59,811
is a violation of your agreement with the IAEA.

171
00:07:59,846 --> 00:08:01,713
They found activities that looked very much like

172
00:08:01,748 --> 00:08:03,682
what you want to do if you build a nuclear weapon.

173
00:08:03,717 --> 00:08:06,317
And why were they so interested in Natanz?

174
00:08:06,353 --> 00:08:08,486
Like why was it the straw that broke the camel's back?

175
00:08:08,522 --> 00:08:12,490
Natanz was a controversial plant because... you know,

176
00:08:12,526 --> 00:08:15,226
firstly, any enrichment is inherently sensitive.

177
00:08:15,262 --> 00:08:16,828
It's inherently dual use.

178
00:08:16,863 --> 00:08:19,497
You can use it for fuel production,

179
00:08:19,533 --> 00:08:21,866
or you can use it for nuclear weapons production.

180
00:08:21,902 --> 00:08:23,902
The size of the plant was suspicious.

181
00:08:23,937 --> 00:08:26,905
The plant's actually too small for a civilian plant.

182
00:08:26,940 --> 00:08:30,208
Military plants don't need to be as large as civilian plants.

183
00:08:30,243 --> 00:08:34,446
So it was scaled as though it was right for making

184
00:08:34,481 --> 00:08:37,115
enriched uranium for weapons, but wasn't the right size

185
00:08:37,150 --> 00:08:40,652
for enriched uranium for nuclear reactors.

186
00:08:40,687 --> 00:08:45,390
The discovery of the uranium program

187
00:08:45,425 --> 00:08:47,358
did cause a lot of concern.

188
00:08:47,394 --> 00:08:49,694
I mean, there were a lot of countries who were genuinely

189
00:08:49,730 --> 00:08:52,864
and are genuinely very fearful that Iran would get the bomb,

190
00:08:52,899 --> 00:08:55,300
and fearful of the consequences of it doing so.

191
00:08:55,335 --> 00:08:59,537
Iran aggressively pursues these weapons and exports terror.

192
00:08:59,573 --> 00:09:03,641
States like these and their terrorist allies constitute

193
00:09:03,677 --> 00:09:07,879
an axis of evil, arming to threaten the peace of the world.

194
00:09:07,914 --> 00:09:09,981
Iran denied that Natanz was being used

195
00:09:10,016 --> 00:09:11,916
to produce nuclear weapons.

196
00:09:11,952 --> 00:09:14,919
Still, its government bowed to pressure in 2003 and temporarily

197
00:09:14,955 --> 00:09:19,390
suspended uranium enrichment and processing activities at Natanz.

198
00:09:19,426 --> 00:09:23,561
Then in 2005, newly elected president Mahmoud Ahmadinejad

199
00:09:23,597 --> 00:09:26,064
defiantly restarted the program.

200
00:09:26,099 --> 00:09:28,266
Within months, the facility at Natanz was up and running,

201
00:09:28,301 --> 00:09:30,635
and enriching uranium all over again.

202
00:09:30,670 --> 00:09:33,772
Concerned, the UN imposed sanctions.

203
00:09:33,807 --> 00:09:37,275
By 2009, Israeli Prime Minister Benjamin Netanyahu

204
00:09:37,310 --> 00:09:39,911
challenged the US to stop Iran's nuclear program.

205
00:09:41,515 --> 00:09:46,584
The most urgent challenge facing this body today is to prevent

206
00:09:46,620 --> 00:09:50,855
the tyrants of Tehran from acquiring nuclear weapons.

207
00:09:50,891 --> 00:09:53,291
Netanyahu was privately considering air strikes

208
00:09:53,326 --> 00:09:54,859
on Natanz.

209
00:09:56,863 --> 00:09:58,797
It's during this high-stakes political stand-off

210
00:09:58,832 --> 00:10:02,100
that Stuxnet is detected in June 2010.

211
00:10:02,135 --> 00:10:05,470
In fact, Stuxnet was found in countries around the world,

212
00:10:05,505 --> 00:10:09,007
but infection rates in Iran were off the charts.

213
00:10:09,042 --> 00:10:11,810
And at the plant at Natanz, centrifuges were breaking down

214
00:10:11,845 --> 00:10:14,112
at unprecedented rates.

215
00:10:14,147 --> 00:10:16,447
Stuxnet's design is complex,

216
00:10:16,483 --> 00:10:19,150
but its operation is deceptively simple.

217
00:10:19,186 --> 00:10:22,020
Like a security camera, the virus records 30 days

218
00:10:22,055 --> 00:10:25,857
of normal centrifuge operation while it hides in the system.

219
00:10:25,892 --> 00:10:28,493
Then, when Stuxnet attacks the centrifuges,

220
00:10:28,528 --> 00:10:32,096
it plays back the pre-recorded data so operators on the outside

221
00:10:32,132 --> 00:10:34,833
can't see the infection raging within the centrifuges.

222
00:10:37,337 --> 00:10:39,537
ERIC: And those 30 days were not a coincidence.

223
00:10:39,573 --> 00:10:41,673
That's how long it takes basically for a cascade

224
00:10:41,708 --> 00:10:44,976
of centrifuges to basically get fully loaded with uranium gas.

225
00:10:45,011 --> 00:10:47,478
So they wanted to basically have their sabotage effects happen

226
00:10:47,514 --> 00:10:50,381
right at the peak moment and causing the most damage.

227
00:10:50,417 --> 00:10:54,152
So the centrifuges at Natanz normally will spin at 1,000 Hz,

228
00:10:54,187 --> 00:10:57,488
and what the threat did was spin up the centrifuges

229
00:10:57,524 --> 00:11:00,491
to either 1,400 Hz, to be really fast,

230
00:11:00,527 --> 00:11:03,428
or slow them down to 2 Hz, to be really slow.

231
00:11:03,463 --> 00:11:05,697
And what would happen is when they spin up

232
00:11:05,732 --> 00:11:07,832
really, really fast, the centrifuge will basically

233
00:11:07,868 --> 00:11:10,235
vibrate uncontrollably and just shatter.

234
00:11:10,270 --> 00:11:12,503
And you would have literally shards of aluminum flying

235
00:11:12,539 --> 00:11:14,939
across the room, maybe a domino effect of centrifuges falling

236
00:11:14,975 --> 00:11:18,109
and toppling on each other, and uranium gas leaking everywhere.

237
00:11:19,713 --> 00:11:21,112
Eventually they would hit the big red button

238
00:11:21,147 --> 00:11:22,447
to cause shutdown.

239
00:11:22,482 --> 00:11:24,782
Stuxnet was smart enough to also hijack that.

240
00:11:24,818 --> 00:11:27,218
That big red button went through a computer as well.

241
00:11:27,254 --> 00:11:30,355
And they hijacked that code, and basically would ignore it

242
00:11:30,390 --> 00:11:32,257
and allow their payload to take effect.

243
00:11:32,292 --> 00:11:33,958
Once it was inside, it was unstoppable.

244
00:11:33,994 --> 00:11:35,393
They were doomed, yeah.

245
00:11:35,428 --> 00:11:37,128
The operators were doomed, the plant was doomed.

246
00:11:38,798 --> 00:11:40,531
Stuxnet was the first digital weapon known

247
00:11:40,567 --> 00:11:43,468
to have physically destroyed its targets.

248
00:11:43,503 --> 00:11:45,703
But the computer systems at Natanz

249
00:11:45,739 --> 00:11:48,006
weren't connected to the internet.

250
00:11:48,041 --> 00:11:50,275
So how did Stuxnet get inside the system?

251
00:11:54,514 --> 00:11:56,948
BEN: By 2010, it became evident that someone had decided

252
00:11:56,983 --> 00:11:59,584
that measures more drastic than sanctions

253
00:11:59,619 --> 00:12:01,886
- and less spectacular than air strikes -

254
00:12:01,922 --> 00:12:04,889
were needed to slow down Iran's nuclear program.

255
00:12:04,925 --> 00:12:07,258
Because out of nowhere, a mysterious super virus named

256
00:12:07,294 --> 00:12:11,062
Stuxnet was sabotaging an Iranian nuclear facility.

257
00:12:11,097 --> 00:12:13,564
But the computers in the facility weren't online,

258
00:12:13,600 --> 00:12:16,267
so the question remained how the virus got inside the system.

259
00:12:18,138 --> 00:12:21,139
I went to find Darknet J, an operational security expert,

260
00:12:21,174 --> 00:12:24,142
to understand how Stuxnet could've infected them.

261
00:12:24,177 --> 00:12:29,414
So how did Stuxnet jump the air gap and infect Natanz?

262
00:12:29,449 --> 00:12:32,917
It jumped the air gap by traveling on a USB stick

263
00:12:32,953 --> 00:12:35,687
that was placed into the computer from someone.

264
00:12:37,023 --> 00:12:39,190
Darknet J replicated the USB exploit to show me

265
00:12:39,225 --> 00:12:42,160
how Stuxnet infected the computers at Natanz.

266
00:12:42,195 --> 00:12:45,363
Alright, so what happens is you put in the USB.

267
00:12:47,701 --> 00:12:49,300
You open up the folder.

268
00:12:49,336 --> 00:12:51,669
Windows looks for an icon, which is a malicious payload

269
00:12:51,705 --> 00:12:53,438
that can write to system.

270
00:12:53,473 --> 00:12:55,273
I have it opening Calculator.

271
00:12:55,308 --> 00:12:59,310
So once the intended target opens the folder with Stuxnet

272
00:12:59,346 --> 00:13:01,612
inside of it, what happens next?

273
00:13:01,648 --> 00:13:03,481
Essentially it can have complete control over your computer,

274
00:13:03,516 --> 00:13:06,217
meaning that it can write anything to the hard disk,

275
00:13:06,252 --> 00:13:08,353
it can grab credentials from the internet

276
00:13:08,388 --> 00:13:09,620
if you put them in at the time.

277
00:13:09,656 --> 00:13:11,189
It can also propagate itself

278
00:13:11,224 --> 00:13:12,790
inside of your local area network.

279
00:13:12,826 --> 00:13:13,992
Wow. (Laughing)

280
00:13:14,027 --> 00:13:15,526
It's keys to the kingdom.

281
00:13:17,163 --> 00:13:19,163
That meant someone physically walked Stuxnet into the Iranian

282
00:13:19,199 --> 00:13:23,968
facility, likely an unwitting engineer with an infected USB.

283
00:13:24,004 --> 00:13:26,804
Inside, the virus wreaked havoc.

284
00:13:26,840 --> 00:13:30,074
Centrifuges were destroyed, and the Iranians were clueless.

285
00:13:30,110 --> 00:13:32,543
But then Eric Chien and his team at Symantec

286
00:13:32,579 --> 00:13:36,414
announced the details of Stuxnet to the world in a blog post.

287
00:13:36,449 --> 00:13:38,750
Then Natanz shut down.

288
00:13:38,785 --> 00:13:41,552
Most assumed Iranian authorities finally understood the mess

289
00:13:41,588 --> 00:13:43,554
they were in, and were trying to clean it up.

290
00:13:44,524 --> 00:13:46,891
After that, two Iranian nuclear scientists were targeted

291
00:13:46,926 --> 00:13:48,860
by motorcycle-riding assailants,

292
00:13:48,895 --> 00:13:51,729
who slipped a sticky bomb onto one of their cars.

293
00:13:51,765 --> 00:13:55,033
One was killed, the other seriously injured.

294
00:13:55,068 --> 00:13:58,736
It appeared whoever was behind Stuxnet went to Plan B.

295
00:13:58,772 --> 00:14:00,738
Soon after, the Iranian President admitted a virus

296
00:14:00,774 --> 00:14:02,440
caused the shutdown at Natanz.

297
00:14:07,113 --> 00:14:08,946
He blamed Israel, but couldn't back it up

298
00:14:08,982 --> 00:14:10,214
with any hard evidence.

299
00:14:10,250 --> 00:14:12,116
The assassination sent a chill through

300
00:14:12,152 --> 00:14:13,885
the cybersecurity community.

301
00:14:13,920 --> 00:14:15,453
Did it make you a little bit nervous?

302
00:14:15,488 --> 00:14:16,954
We would look in our rearview mirrors all the time.

303
00:14:16,990 --> 00:14:18,689
And you know, I would see a motorcycle

304
00:14:18,725 --> 00:14:20,191
and watch them closely.

305
00:14:20,226 --> 00:14:22,794
It definitely wasn't lost on us that we were in the middle

306
00:14:22,829 --> 00:14:25,563
of some big geopolitical affair.

307
00:14:25,598 --> 00:14:28,099
Iran openly accused Israel and the US of being

308
00:14:28,134 --> 00:14:30,301
the masterminds of Stuxnet.

309
00:14:30,336 --> 00:14:32,904
(Thundering)

310
00:14:34,808 --> 00:14:36,741
I went to talk to someone who was trying to stop the crisis

311
00:14:36,776 --> 00:14:38,109
from escalating further.

312
00:14:39,846 --> 00:14:41,079
BEN: Beautiful day.

313
00:14:41,114 --> 00:14:42,447
(Chattering)

314
00:14:42,482 --> 00:14:44,816
Jamal Abdi is a foreign policy analyst

315
00:14:44,851 --> 00:14:47,151
for the National Iranian American Council,

316
00:14:47,187 --> 00:14:50,321
and has advised congressional members on relations with Iran.

317
00:14:50,356 --> 00:14:52,723
People like myself who were trying to broker

318
00:14:52,759 --> 00:14:54,625
a diplomatic solution, trying to figure out

319
00:14:54,661 --> 00:14:56,961
an off-ramp from these escalatory moves,

320
00:14:56,996 --> 00:15:00,131
I really thought this is an extremely bad turn.

321
00:15:00,166 --> 00:15:02,333
What was the reception of Stuxnet in Iran?

322
00:15:02,368 --> 00:15:03,968
How did people feel about it?

323
00:15:04,003 --> 00:15:06,637
I think the Iranians very credibly believed

324
00:15:06,673 --> 00:15:08,106
that Israel was behind this.

325
00:15:08,141 --> 00:15:10,341
And then there was also just the fact that

326
00:15:10,376 --> 00:15:12,243
there were all these other sabotage efforts

327
00:15:12,278 --> 00:15:14,479
that they believed Israel was connected to.

328
00:15:15,482 --> 00:15:18,249
Israel was in many regards

329
00:15:18,284 --> 00:15:22,153
the driving force against Iran's nuclear program.

330
00:15:22,188 --> 00:15:24,989
And then you have a hardline government like Ahmadinejad

331
00:15:25,024 --> 00:15:27,258
that's essentially enflaming the issue.

332
00:15:27,293 --> 00:15:30,828
It was: How do we slow that down as much as possible?

333
00:15:30,864 --> 00:15:32,930
Because we know we can't stop it.

334
00:15:34,234 --> 00:15:35,700
But it wasn't until two years later

335
00:15:35,735 --> 00:15:38,302
that The New York Times published an explosive story,

336
00:15:38,338 --> 00:15:40,805
revealing the US was behind Stuxnet.

337
00:15:40,840 --> 00:15:42,707
Unnamed officials told the paper

338
00:15:42,742 --> 00:15:45,276
the US created the virus with help from Israel.

339
00:15:45,311 --> 00:15:49,380
It was part of a covert operation dubbed Olympic Games.

340
00:15:49,415 --> 00:15:52,350
The allegations set off a political firestorm,

341
00:15:52,385 --> 00:15:55,520
so a federal probe was launched to investigate the leak.

342
00:15:55,555 --> 00:15:58,789
But in 2015, the investigation was put on ice over US fears

343
00:15:58,825 --> 00:16:01,325
of what might come out in court.

344
00:16:01,361 --> 00:16:02,894
For me, it always comes down to the leak investigation.

345
00:16:02,929 --> 00:16:04,529
You don't launch a leak investigation

346
00:16:04,564 --> 00:16:06,130
for a covert operation you didn't do.

347
00:16:06,166 --> 00:16:08,566
Kim Zetter has been covering the Stuxnet story for Wired

348
00:16:08,601 --> 00:16:11,169
since the virus was first discovered.

349
00:16:11,204 --> 00:16:13,571
The United States likely did Stuxnet.

350
00:16:13,606 --> 00:16:14,872
I don't think that there's a question that

351
00:16:14,908 --> 00:16:16,307
the US is behind it.

352
00:16:16,342 --> 00:16:17,475
I mean, it's not even something that I think that we,

353
00:16:17,510 --> 00:16:19,510
you know, have to sort of debate.

354
00:16:19,546 --> 00:16:21,045
Stuxnet was a precision weapon,

355
00:16:21,080 --> 00:16:22,914
so it would never destroy anything except

356
00:16:22,949 --> 00:16:25,483
what matched this very specific configuration.

357
00:16:25,518 --> 00:16:28,219
And you can see lawyers' fingerprints

358
00:16:28,254 --> 00:16:29,654
are all over Stuxnet.

359
00:16:29,689 --> 00:16:31,355
I think that's the first time I've heard someone say

360
00:16:31,391 --> 00:16:33,057
that lawyers' fingerprints were all over Stuxnet.

361
00:16:33,092 --> 00:16:36,160
Yeah, you can see that as they were designing this,

362
00:16:36,196 --> 00:16:38,362
the lawyers would've had very tight restrictions

363
00:16:38,398 --> 00:16:40,031
for controlling this.

364
00:16:40,066 --> 00:16:41,866
They would've told the developers,

365
00:16:41,901 --> 00:16:43,834
"This can only affect the systems that are targeted.

366
00:16:43,870 --> 00:16:45,736
You have to write this in such a way."

367
00:16:45,772 --> 00:16:48,105
It likely blocks out two major nation states

368
00:16:48,141 --> 00:16:50,107
that could've done it, China and Russia.

369
00:16:50,143 --> 00:16:51,242
I'm not sure they were scared too much

370
00:16:51,277 --> 00:16:52,376
about the legal implications!

371
00:16:52,412 --> 00:16:54,178
Exactly, so this was one of the reasons

372
00:16:54,214 --> 00:16:56,547
that people were so certain it was the US.

373
00:16:57,717 --> 00:16:59,917
All of the available clues suggested that Stuxnet was

374
00:16:59,953 --> 00:17:03,254
a joint US/Israeli operation, but government officials

375
00:17:03,289 --> 00:17:05,256
have gone to great lengths not to acknowledge it.

376
00:17:06,626 --> 00:17:07,892
So the evidence is lacking?

377
00:17:07,927 --> 00:17:12,930
I think that there is no clear, complete evidence

378
00:17:12,966 --> 00:17:15,733
or even complete indication

379
00:17:15,768 --> 00:17:18,536
that it was one country or another.

380
00:17:19,739 --> 00:17:21,939
To this day, the US government will not confirm or deny

381
00:17:21,975 --> 00:17:23,474
its role in Stuxnet.

382
00:17:25,144 --> 00:17:27,311
Stuxnet's architects might want to stay in the shadows,

383
00:17:27,347 --> 00:17:29,447
but around the world other governments took notice

384
00:17:29,482 --> 00:17:31,582
of the cyberweapon they'd unleashed.

385
00:17:36,489 --> 00:17:38,122
BEN: When security researchers found Stuxnet

386
00:17:38,157 --> 00:17:41,092
and publicized the discovery of the destructive malware,

387
00:17:41,127 --> 00:17:43,027
they inadvertently brought a covert operation

388
00:17:43,062 --> 00:17:44,328
to a premature end.

389
00:17:46,165 --> 00:17:48,633
By the time we discovered Stuxnet, it's believed that

390
00:17:48,668 --> 00:17:50,768
it already had delivered its payload at least once.
391 00:17:50,803 --> 00:17:53,904 So I'm sure the attackers would prefer that it wasn't uncovered, 392 00:17:53,940 --> 00:17:57,508 because maybe they could've continued or continued further 393 00:17:57,543 --> 00:18:00,311 operations, but it at least accomplished its goal. 394 00:18:00,346 --> 00:18:02,913 At least according to the IEA documents that showed that 395 00:18:02,949 --> 00:18:07,518 a few thousand centrifuges were destroyed just before 2010. 396 00:18:09,355 --> 00:18:11,322 But what effect did it have on its nuclear standoff 397 00:18:11,357 --> 00:18:13,991 between Iran, Israel and the West? 398 00:18:14,027 --> 00:18:15,359 You know, looking back on this, 399 00:18:15,395 --> 00:18:18,029 there's no question that it slowed down the program. 400 00:18:18,064 --> 00:18:19,964 Was it a successful attack in that sense? 401 00:18:19,999 --> 00:18:22,366 It kind of partially depends what you mean by "success". 402 00:18:22,402 --> 00:18:24,969 I think Stuxnet probably played a role in convincing Israel 403 00:18:25,004 --> 00:18:27,838 not to attack Iran and giving diplomacy more of a chance. 404 00:18:29,375 --> 00:18:31,676 Stuxnet may have just slowed down Iran's nuclear weapons 405 00:18:31,711 --> 00:18:35,980 program by 6 months to 2 years, buying time for diplomacy, 406 00:18:36,015 --> 00:18:39,317 but it didn't exactly stop Iran from pursuing the bomb. 407 00:18:39,352 --> 00:18:41,185 Do you think it was effective? 408 00:18:41,220 --> 00:18:44,121 It was, you know, one step forward, two steps back. 409 00:18:44,157 --> 00:18:46,390 It delayed Iran's program certainly, I think, 410 00:18:46,426 --> 00:18:50,461 by several months, maybe a year, but it also politically... 411 00:18:50,496 --> 00:18:53,631 it convinced Iran that they were under siege. 
412 00:18:53,666 --> 00:18:57,668 It made an argument, a case for why Iran needed to have 413 00:18:57,704 --> 00:19:00,671 capabilities to counter cyberwarfare as well as 414 00:19:00,707 --> 00:19:02,506 capabilities to defend the country. 415 00:19:02,542 --> 00:19:04,675 If Iran wants to develop nuclear weapons, 416 00:19:04,711 --> 00:19:06,510 they can develop nuclear weapons. 417 00:19:06,546 --> 00:19:08,245 This is not a technical decision, 418 00:19:08,281 --> 00:19:10,047 it's a political decision. 419 00:19:10,083 --> 00:19:13,217 And Stuxnet was a technical response that maybe on a 420 00:19:13,252 --> 00:19:15,853 technical level slowed the program down, but on a 421 00:19:15,888 --> 00:19:18,923 political level actually helped to accelerate the program. 422 00:19:18,958 --> 00:19:21,325 So I think in that regard, if you're looking at actually 423 00:19:21,361 --> 00:19:23,694 preventing Iran from developing nuclear weapons or convincing 424 00:19:23,730 --> 00:19:26,597 them to not go down that route, Stuxnet was a failure. 425 00:19:28,634 --> 00:19:31,702 Finally, after years of crippling UN sanctions, 426 00:19:31,738 --> 00:19:34,505 Iran agreed to limit their nuclear program in 2015 427 00:19:34,540 --> 00:19:37,174 in exchange for a partial lifting of sanctions. 428 00:19:38,811 --> 00:19:41,045 But by deploying Stuxnet, the US and Israel had triggered 429 00:19:41,080 --> 00:19:42,713 a different kind of arms race. 430 00:19:44,884 --> 00:19:47,451 This was an act of war, and it was an act of war 431 00:19:47,487 --> 00:19:49,687 without... without there being a war. 432 00:19:49,722 --> 00:19:51,088 If you drop a bomb on someone, 433 00:19:51,124 --> 00:19:53,057 they know that they've been attacked, right? 434 00:19:53,092 --> 00:19:54,392 But in digital warfare, 435 00:19:54,427 --> 00:19:56,360 you may never know that you're under attack. 
436 00:19:56,396 --> 00:19:58,396 The US opened a door 437 00:19:58,431 --> 00:19:59,897 that everyone is going to walk through now. 438 00:20:02,602 --> 00:20:05,903 In Iran, was Stuxnet seen as an act of war? 439 00:20:05,938 --> 00:20:07,938 In Iran it was, it was seen as an act of war. 440 00:20:07,974 --> 00:20:10,241 And there was sort of a question that was opened up: 441 00:20:10,276 --> 00:20:13,444 did the United States just declare war on Iran? 442 00:20:13,479 --> 00:20:15,312 It's such a grey area though. 443 00:20:15,348 --> 00:20:18,149 So I think that even now people are still kind of trying to 444 00:20:18,184 --> 00:20:20,785 figure out whether this constitutes war or not, 445 00:20:20,820 --> 00:20:22,653 but technically... technically it was. 446 00:20:22,688 --> 00:20:25,089 And I think inside of Iran it was really viewed that way. 447 00:20:25,124 --> 00:20:26,891 And I think it really opened a lot of eyes inside 448 00:20:26,926 --> 00:20:29,560 the establishment of Iran that they needed to get savvy 449 00:20:29,595 --> 00:20:32,730 in this field to be able to defend as well as attack. 450 00:20:32,765 --> 00:20:36,066 And so you've got, you know, the formation of the cyber army 451 00:20:36,102 --> 00:20:38,436 inside of Iran that was initially really... 452 00:20:38,471 --> 00:20:40,604 really aimed at activists inside the country. 453 00:20:40,640 --> 00:20:43,407 But then after Stuxnet, it became even more formalized, 454 00:20:43,443 --> 00:20:46,177 all kinds of money was poured into it because this was now 455 00:20:46,212 --> 00:20:48,145 not just an internal threat but an external threat. 456 00:20:49,315 --> 00:20:51,615 BEN: It spurred Iran to be more offensive? 457 00:20:51,651 --> 00:20:53,250 It spurred everyone to be more offensive. 458 00:20:53,286 --> 00:20:54,685 That's the thing, it's not Iran. 459 00:20:54,720 --> 00:20:57,855 There are other people to be worried about than Iran. 
460 00:20:57,890 --> 00:21:00,691 All of that together has created this arms race 461 00:21:00,726 --> 00:21:02,159 of other countries. 462 00:21:02,195 --> 00:21:05,196 Would you agree that it was the dawn of a new chapter 463 00:21:05,231 --> 00:21:07,097 in cyberwarfare? 464 00:21:07,133 --> 00:21:09,767 The expected response is that a lot of other countries now 465 00:21:09,802 --> 00:21:13,137 are establishing offensive cyber operations. 466 00:21:13,172 --> 00:21:14,972 They don't wanna be left behind. 467 00:21:16,309 --> 00:21:19,777 Stuxnet had launched the race to militarize cyberspace. 468 00:21:19,812 --> 00:21:21,946 And the more the world is connected, 469 00:21:21,981 --> 00:21:23,647 the more targets there are for attack. 470 00:21:25,718 --> 00:21:27,785 Countries around the world are racing to design new malware 471 00:21:27,820 --> 00:21:29,954 for the next generation of warfare. 472 00:21:29,989 --> 00:21:32,890 Do you think it's going to become another tool 473 00:21:32,925 --> 00:21:34,492 in the toolbox of war? 474 00:21:34,527 --> 00:21:35,559 Absolutely. 475 00:21:35,595 --> 00:21:37,194 Stuxnet to me was a Trinity moment, 476 00:21:37,230 --> 00:21:39,363 and by that I mean the first Trinity explosion, 477 00:21:39,398 --> 00:21:43,501 demonstration of a nuclear detonation in New Mexico. 478 00:21:43,536 --> 00:21:46,504 We demonstrated a capability that you could have 479 00:21:46,539 --> 00:21:50,007 devastating physical impacts by cyber means. 480 00:21:50,042 --> 00:21:51,509 It was a bit like the bomb. 481 00:21:51,544 --> 00:21:54,178 Once the secret was out, people started 482 00:21:54,213 --> 00:21:56,013 getting it for themselves. 483 00:21:56,048 --> 00:21:58,415 We started recognizing that there's no putting this back. 
484 00:21:58,451 --> 00:22:00,684 You know, the key was turned, the lid was opened, 485 00:22:00,720 --> 00:22:03,153 and everything in Pandora's Box was now out in the open, 486 00:22:03,189 --> 00:22:05,189 and there was no way to get it back in. 487 00:22:08,561 --> 00:22:11,829 Stuxnet was the world's first known cyberweapon. 488 00:22:11,864 --> 00:22:13,998 It set the stage for a new kind of war, 489 00:22:14,033 --> 00:22:16,200 one that will play out on a digital battlefield.
