The world’s new battle began on an office building’s eighth level.
VirusBlokAda, a local antivirus developer, got an assistance request. Their Iranian customer had random industrial control computer reboots.
They suspected a problem, Windows misconfiguration, or software conflict. They reinstalled Windows. It persisted.
The stakes increased.
Not a Windows programming error. Malicious intent. The business researcher, Sergei Ulasen, soon located suspicious files on the rogue computer.
He uncovered a revelation in their code that rocked information security. Seeing this code on a USB drive inserted into a computer might quietly launch and execute a program. A devastating new exploit.
One plugged-in drive infected one machine. It was horrifyingly effective. The obvious question was how far it had spread.
58% of Iranian devices have this harmful malware. A mysterious developer has found an existential vulnerability on 58% of the nation’s PCs. Nobody understood what this code would accomplish, making this gloomy envelopment even more frightening.
Nobody knew why a talented hacker disseminated a pioneering worm to 58% of Iran’s PCs. VirusBlokAda’s finding did not elevate the virus.
It became famous after a modest Belarusian antivirus business uncovered a new era. Advanced, focused, and competent cyberwarfare was arrived.
Zero-day made this new age conceivable and, more crucially, lucrative. For decades, national spy organizations and malevolent freelance spies collected information in transit. Instead of slipping into the embassy or bugging the phone, you intercepted the courier and tapped the transmission line. Capturing data on the go was easier than at its origin or destination.
This MO persisted into the digital age, but manufacturers caught up. Apple, Microsoft, Google, and others encrypted data when it left devices. By this time, encryption was flawless, hiding information behind complex mathematical algorithms.
Digital espionage methods have to alter because spies required a new route in. Cryptography is flawless, but humans are not.
Phones, computers, servers, and more are human-made. Devices have holes. Zero-day holes exist. Any program is vulnerable. Most will be found before release, some soon after and patched, and a tiny fraction will go unreported for weeks, months, or years. Hobbyist hackers spent nights searching code for these issues in the early 2000s.
Many would share their results on internet forums after being threatened by software developers.
Early information security businesses repackaged this information and included it in a digital danger warning service for organizations and agencies to advise them of software vulnerabilities not yet patched by the developer. In 2002, iDefense failed because it sold the same information to the same customers with no competitive edge. They made one.
iDefense started bribing hackers to keep quiet. iDefense would then notify the software provider and its consumers before rival information security businesses. Information in trusted hands reduced the risk of a vulnerability being exploited.
iDefense was a huge success because it provided hackers their first chance to make money from their pastime in an ethical, productive way. From weeks behind on payroll to industry leader in months. Calls began. Local area codes.
Government contractors throughout the Washington beltway sought to acquire Chantilly, Virginia’s exploits. The callers were prepared to pay six figures for iDefense’s zero-days as long as the firm kept quiet and the buyer was the only one who knew about them. iDefense answered no, but their market was eventually priced out.
Black-market bounties bought sportscars they couldn’t compete with, while awards paid for vacations. The American military saw the incredible potential of a single software vulnerability. Cyberwarfare may secretly fulfill America’s strategic aims if they learned about these zero-days. The market has grown exponentially since then.
Western players like the US buy zero-day vulnerabilities from corporations that don’t disguise what they’re doing, especially for sales to nations with poor human rights records.
Zerodium announces their price list. The business will pay up to $10,000 on router software for a remote code execution vulnerability.
WordPress costs $100,000, Windows $1,000,000 for the same functionality. Zerodium is even offering a temporarily higher $400,000 payout for a remote code execution zero-day on Microsoft Outlook, presumably implying that someone really needs the exploit for a cyberweapon under development.
Remote code execution zero-days are the ultimate. They can give almost complete access to another system. Zero-days are useless today since software developers patch them immediately.
Hence, Stuxnet’s remote code execution vulnerability, which could be sold for hundreds of thousands of dollars, showed that it was planned to accomplish something as lucrative. The.lnk exploit was not alone.
Another remote code execution attack topped that. Stuxnet was supposed to embed itself into the file that provides metadata to printers on a local network, but this zero-day allowed that file to spread silently and fast from a single machine to a large office, institution, factory, or other organization.
To finish spreading, the code leveraged two escalation-of-privilege zero-days for distinct operating systems to obtain access to a whole workstation when installed on a single user account.
Four zero-days, four exploits, each worth life-changing sums of money—this was a hacking gadget of unparalleled size. Never before had code so neatly combined four undiscovered exploits. Whoever was behind this had spent enormous resources on this single, one-megabyte piece of code, but even as VirusBlokAda combed through it, even as it set the information security industry ablaze, even as it propagated from machine to machine in Iran and beyond, the most important question remained unanswered: what was Stuxnet designed to do?
By mid-2010, the Natanz nuclear plant was the site of the world’s most advanced cyberweapon, unknown to Iranian officials or global information security. This uranium enrichment facility is purposely secluded on the boundary of Iran’s central desert under the shadow of the Karkas mountains, hours from Tehran by vehicle. Digital isolation outweighs geographic isolation. Iran air-gapped Natanz to shield its sensitive centrifuges from an earlier intrusion.
Manually planting a worm mettled the outside. An unwary factory worker, spy, or mole put a tainted USB stick into a Windows PC in 2009. Getting the virus across the air gap was only the start. Then, exploiting the.lnk zero-day, the worm went from USB to machine undetected. Using the printer zero-day vulnerability, the worm propagated over the enrichment plant’s local network. The malicious malware kept its payload and searched the Natanz network for a specific victim undetected.
Cyber weapons are simple. These weapons have a carrier and a payload, like most others. So, every cyberweapon has code that allows it to enter a computer or network and code that controls its behavior once inside. Stuxnet has access to everything going on in the administrative and monitoring portions of the plant, including the enrichment process’ infrastructure.
The malware’s payload and creators weren’t interested in crashing the plant’s communication networks or delivering a one-time denial of service. Instead, they pursued something more permanent. The code wanted this:
where real centrifuges separated undesirable isotopes and created uranium-235. Nevertheless, programmable logic controllers—industrial control equipment—ran these centrifuges, adding another obstacle for the infection. Ultimately, utilizing stolen security certificates and zero-day vulnerabilities in Siemens software, a German firm whose PLCs controlled 164 Iranian centrifuges apiece, the carrier found its destination, performed its job, and discharged its payload. One of this evil code’s many brilliance and scary potentials is what it didn’t accomplish. After getting access to the PLCs controlling Iran’s centrifuges, the nuclear program’s heart, the payload did nothing except monitor RPMs for days.
After almost two weeks, the code temporarily accelerated the centrifuges to 1,400 hertz, much over their regular 800–1100 range. Weeks later, the code briefly slowed them to two hertz, causing wear and failure. As the machines self-destructed at a little above-average pace, the worm told monitoring that the centrifuges were spinning at average RPMs and there was nothing to observe.
Stuxnet may have crippled Iran’s nuclear aspirations for years, possibly decades, before detection if it hadn’t escaped the plant. Hence, before June 2010, the code was undetectable and physically damaging, killing hundreds of vital Iranian centrifuges. Stuxnet was discovered almost a decade ago.
No one has claimed this first-of-its-kind weapon. Due to its size and complexity, the code cannot have been written by one individual.
Stuxnet used four zero-days, although even the most capable hackers seldom acquire one. This was not done by hacktivists or a tiny nation-state. Stuxnet’s megabyte size dwarfed any previous viruses. It was vast and precise, lying dormant on computers throughout the world and only weaponizing when coupled to Siemens Step 7 software linked to a PLC running exactly 164 centrifuges.
Its magnitude indicated a weapon created over years, but such clinical accuracy indicated the code was written with future litigation in mind. In summary, the worm’s design led specialists throughout the world to believe that a major global power, or many powers, with the time and resources to undertake such an unprecedented project and that was unfriendly to Iran had to have created it. The programming and geopolitical background aren’t the only indications to who did this. Since the infection surfaced, cybersecurity professionals have performed countless background interviews and combed through exposed papers. Stuxnet was regarded as a third alternative between doing nothing to halt Iran’s nuclear development and bombing the enrichment facilities.
As an alternative, President Bush, Israeli authorities, and President Obama all endorsed its use. The journalists reported that the US and Israel had launched a new era of state-led cyberattacks that caused physical damage. Before this, the US’s NSA and Israel’s Unit 8200 deployed cyber divisions to guard and spy.
They now attacked. The US and Israel unlocked Pandora’s box by crossing the Rubicon and getting caught. Iran claimed participation, but major US banks were attacked in 2013. Iran’s vengeance and growing cyber capabilities alarmed American intelligence. Nevertheless, 2013 was just the start. Since Stuxnet, several nations have closed the cyberweapon gap, many of which the US has a tense relationship with. In 2014, North Korea’s Lazarus Group infiltrated Sony Pictures, and in 2017, its Wannacry ransomware forced the UK’s National Health Service to use paper.
China’s cyberwarfare section increases each year from talent spotted and zero-days found at the Tianfu Cup, where hackers breach Google, Microsoft, and Apple software. Russian cyberattacks crippled Ukrainian banks, utilities, and governments in 2017. Ransomware blocked the Colonial Pipeline in 2021. American weapons are expanding, accelerating the world’s catch-up. The Shadow Brokers leaked the US NSA’s hacking tools in 2017, making them available to the public. Now, experts agree that catastrophic cyberwarfare is more likely than ever, affecting current and future battles.
Traditional weapons harm aggressors. Mutually assured destruction would require the target nation to respond quickly to a Russian nuclear attack. Cyberweapons vary. It took years for prominent media outlets to start pointing to the US and Israel as the powers behind Stuxnet, and most of the proof came from implicit acknowledgment by American and Israeli government officials. Secrecy rises with stakes.
Cyberwarfare may destroy without repercussions. On this new battlefield, there are no rules of engagement or Geneva conventions—just cutting-edge aggressors and susceptible targets who don’t comprehend what they’ve opened. Analysts feel today is a waiting phase.
The weapons exist, have been built, and may already be in the world’s machines, waiting to be activated. Nevertheless, that moment is not yet. The nation-states and groups behind these weapons have yet to unleash a genuinely devastating strike on a significant nation to bring the world up to the truly existential character of this new battlefield. Nevertheless, the big one is approaching.
Conflicts in distant nations will no longer be overlooked by turning off the TV. Technology will be used to fight them. The backdrop of Iran’s nuclear program, and hence the Americans’ creation and deployment of Stuxnet, dates back to the 1950s.