A DeclarationLast summer, the world’s top software-security experts were of Cyber-War panicked by the discovery of a drone-like computer virus, radically different from and far more sophisticated than any they’d seen. The race was on to figure out its payload, its purpose, and who was behind it. As the world now knows, the Stuxnet worm appears to have attacked Iran’s nuclear program. And, as MICHAEL JOSEPH GROSS reports, while its source remains something of a mystery, Stuxnet is the new face of 21st-century war: invisible, anonymous, and devastating 152 VANITY FAIR PHOTOGRAPHS BY JONAS FREDWALL KARLSSON APRIL 2011 A DeclarationLast summer, the world’s top software-security experts were of Cyber-War panicked by the discovery of a drone-like computer virus, radically different from and far more sophisticated than any they’d seen. The race was on to figure out its payload, its purpose, and who was behind it. As the world now knows, the Stuxnet worm appears to have attacked Iran’s nuclear program. And, as MICHAEL JOSEPH GROSS reports, while its source remains something of a mystery, Stuxnet is the new face of 21st-century war: invisible, anonymous, and devastating GAME OF SHADOWS Eugene Kaspersky, co-founder and C.E.O. of Kaspersky Lab— a Moscow-based computer-security company and an early investigator of Stuxnet—photographed on the Bolshoy Moskvoretsky Bridge, FOR DETAILS, GO TO VF.COM/CREDITS near the Kremlin. APRIL 2011 153 “PERSON OF INTEREST” Computer-security researcher Frank Rieger, one of the !rst to study the Stuxnet worm closely, at Berlin’s Chaos computer Club. Stuxnet’s code is diagrammed in the background. 154 VANITY FAIR www.vanityfair.com APRIL 2011 worm’s voluminous, intricate code on the Web. In terms of func- tionality, this was the largest piece of malicious software that most researchers had ever seen, and orders of magnitude more complex in structure. (Malware’s previous heavyweight champion, the Con- #cker worm, was only one-twentieth the size of this new threat.) During the next few months, a handful of determined people #- nally managed to decrypt almost all of the program, which a Mi- crosoft researcher named “Stuxnet.” On #rst glimpsing what they found there, they were scared as hell. “Zero Day” ne month before that midnight summons—on June 17—Sergey Ulasen, the head of the Anti- Virus Kernel department of VirusBlokAda, a small information-technology security com- ll over Europe, pany in Minsk, Belarus, sat in his o"ce read- smartphones rang in the middle of the night. Rolling over in bed, ing an e-mail report: a client’s computer in blinking open their eyes, civilians reached for the little devices and, Iran just would not stop rebooting. Ulasen got a copy of the in the moment of answering, were e!ectively drafted as soldiers. Ovirus that was causing the problem and passed it along to a They shook themselves awake as they listened to hushed descrip- colleague, Oleg Kupreev, who put it into a “debugger”—a soft- tions of a looming threat. Over the next few days and nights, in ware program that examines the code of other programs, in- mid-July of last year, the ranks of these sudden draftees grew, as cluding viruses. The men realized that the virus was infecting software analysts and experts in industrial-control systems gath- Microsoft’s Windows operating systems using a vulnerability eredA in makeshift war rooms in assorted NATO countries. Gov- that had never been detected before. A vulnerability that has ernment o"cials at the highest levels monitored their work. They not been detected before, and that a program’s creator does faced a crisis which did not yet have a name, but which seemed, not know exists, is called a “zero day.” In the world of com- at #rst, to have the potential to bring industrial society to a halt. puter security, a Windows zero-day vulnerability signals that A self-replicating computer virus, called a worm, was mak- the author is a pro, and discovering one is a big event. Such ing its way through thousands of computers around the world, $aws can be exploited for a variety of nefarious purposes, and searching for small gray plastic boxes called programmable-logic they can sell on the black market for as much as $100,000. controllers—tiny computers about the size of a pack of crayons, The virus discovered by Ulasen was especially exotic, because it IF THE FACTORIES SHUT DOWN, IF THE POWER PLANTS WENT DARK, HOW LONG COULD SOCIAL ORDER BE MAINTAINED? WHO WOULD WRITE A PROGRAM THAT COULD POTENTIALLY DO SUCH THINGS? which regulate the machinery in factories, power plants, and con- had a previously unknown way of spreading. Stick a $ash drive with struction and engineering proj ects. These controllers, or P.L.C.’s, the virus into a laptop and it enters the machine surreptitiously,, up- perform the critical scut work of modern life. They open and shut loading two #les: a rootkit dropper (which lets the virus do whatev- valves in water pipes, speed and slow the spinning of uranium er it wants on the computer—as one hacker explains, “ ‘Root’ means centrifuges, mete out the dollop of cream in each Oreo cookie, you’re God”) and an injector for a payload of malicious code that and time the change of tra"c lights from red to green. was so heavily encrypted as to be, to Ulasen, inscrutable. The most Although controllers are ubiquitous, knowledge of them is so unsettling thing about the virus was that its components hid them- rare that many top government o"cials did not even know they selves as soon as they got into the host. To do this, the virus used a existed until that week in July. Several major Western powers ini- digital signature, an encrypted string of bits that legitimate software tially feared the worm might represent a generalized attack on all programs carry to show that they come in peace. Digital signatures controllers. If the factories shut down, if the power plants went are like passports for software: proof of identity for programs dark, how long could social order be maintained? Who would crossing the border between one machine and the next. Viruses write a program that could potentially do such things? And why? sometimes use forged digital signatures to get access to computers, As long as the lights were still on, though, the geek squads stayed like teenagers using fake IDs to get into bars. Security consultants focused on trying to #gure out exactly what this worm intended to have for several years expected malware writers to make the leap do. They were joined by a small citizen militia of amateur and pro- from forged signatures to genuine, stolen ones. This was the #rst fessional analysts scattered across several continents, after private time it was known to have actually happened, and it was a doozy FOR DETAILS, GO TOmailing VF.COM/CREDITS lists for experts on malicious software posted copies of the of a job. With a signature somehow obtained from Realtek, one APRIL 2011 www.vanityfair.com VANITY FAIR 155 of the most trusted names in the business, the new virus Ulasen the #rst known acts of cyber-warfare was a DDoS attack on Estonia, was looking at might as well have been carrying a cop’s badge. in 2007, when the whole country’s Internet access was massively dis- What was this thing after that its creators would go to such ex- rupted. The source of such attacks can never be identi#ed with abso- travagant lengths? Ulasen couldn’t #gure that part out—what the lute certainty, but the overwhelming suspicion is that the culprit, in payload was for. What he did understand was the basic injection that instance, was Russia. It is not known who instigated the DDoS system—how the virus propagated itself—which alone demanded attacks on the industrial-control-security Web sites. Though one of an alert. Ulasen and Kupreev wrote up their #ndings, and on the sites managed to weather the attack, the other was overloaded July 5, through a colleague in Germany they sent a warning to with requests for service from a botnet that knocked out its mail the Microsoft Security Response Center, in Redmond, Washing- server, interrupting a main line of communication for power plants ton. Microsoft #rst acknowledged the vulnerability the next day. and factories wanting information on the new threat. Ulasen also wrote to Realtek, in Taiwan, to let them know about The secret of Stuxnet’s existence may have been blown, but clear- the stolen digital signature. Finally, on July 12, Ulasen posted ly someone—someone whose timing was either spectacularly lucky a report on the malware to a security message board. Within or remarkably well informed—was sparing no e!ort to #ght back. 48 hours, Frank Boldewin, an independent security analyst in Muenster, Germany, had decrypted almost all of the virus’s Omens of Doomsday payload and discovered what the target was: P.L.C.’s. Boldewin he volcanoes of Kamchatka were calling to Eugene posted his #ndings to the same security message board, trigger- Kaspersky. In the #rst week of July, the 45-year- ing the all-points bulletin among Western governments. old C.E.O. and co-founder of Kaspersky Lab, the world’s fourth-largest computer-security company, he next day, July 15, a tech reporter named Brian had been in his Moscow o"ce, counting the min- Krebs broke the news of the virus on his blog.