When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 1 of 8)

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

“Stuxnet” – A New Kind of Malware

On June 17, 2010, Belarusian antivirus company Virusblokada reported the existence of a new kind of computer worm it had discovered on Iranian computers it was supporting. [i] The new virus was unusual because it was much larger and more complex than typical malware.[ii] It was also divided into discrete modules, each with their own function, and was even digitally “signed” to look like trusted, legitimate software to the operating system. In short, it was designed like professional software.[iii]

More interesting than its technical complexity, however, was its target: the industrial control software which monitors and controls industrial plants and manufacturing processes.[iv]  Most malware either steals data, destroys it, or seizes control of the host computer to enlist it in an alternate purpose, such as sending spam emails.  Stuxnet went after real, physical infrastructure, not just information. This made Stuxnet a new–and terrifying–form of cyberattack.

As virus experts around the world began to dissect the complex code, it became clear that the ultimate target of Stuxnet was very defined—the programmable logic controllers (PLCs) which run industrial automation processes.[v] And, since the vast majority of infections occurred in Iran,[vi] experts eventually deduced that the target was the Natanz facility in Iran[vii], where uranium is enriched for use in power plants and/or atomic bomb-making.[viii]

The Natanz Facility in Iran

How Stuxnet Worked

The Stuxnet worm worked by exploiting several vulnerabilities in Windows so that it could propagate itself using local area networks and removable media such as USB thumb drives.[ix] Certain of these vulnerabilities were “known,” but as yet unpatched, and certain vulnerabilities were “zero-day,” meaning that they were unknown even to Microsoft at the time.[x] The virus was evidently programmed only to infect three machines before deleting itself from the removable device.[xi] This kept the virus from explosively multiplying, which would vastly increase the chance of detection.

Once on a computer, Stuxnet would check to see if the computer was running a particular type of software written by Siemens—the Step 7 programming software.[xii] Step 7 is itself used to program the software which controls the PLCs. Once Stuxnet had found a workstation running Step 7, it looked for projects related to the programming of a particular type of centrifuge (an older design called the P-1) used to enrich uranium.[xiii] Stuxnet then injected a different module of itself into the Step 7 software installed on the machine.[xiv] This module then waited until the Step 7 workstation was finally connected to the PLCs to update the centrifuge control software.[xv] The waiting period might be weeks or even months, because industrial systems are usually separated from the local network and from the Internet by an “air gap,” in order to increase security.[xvi]

Once finally connected, Stuxnet infected the PLC with a highly specialized module which performed two functions. The first was to change the speed and characteristics of the spinning of the centrifuges.[xvii] The centrifuges were reprogrammed, on timed intervals, to increase or decrease their speed well beyond the normal operating ranges.[xviii] The effect was to cause the centrifuges to become unbalanced and destroy themselves when materials contacted each other at high speed.[xix] The second function of the payload module was to disguise the changes in speed. A monitoring component surveyed the normal operating characteristics of the centrifuges for some time (days or weeks) before launching the attack, and then it would “play back” the normal readings to plant operators while the attack was occurring.[xx] This kept plant operators from intervening to shut down the centrifuges before they could be destroyed.

The President of Iran touring the centrifuges at Natanz

The effect of Stuxnet over the course of roughly a year, from June 2009-June 2010, was significant. It is estimated that Stuxnet destroyed about 1,000 centrifuges completely, and took thousands out of operation as plant operators diagnosed and inspected their systems, looking for flaws.[xxi] Iranian officials themselves admit that their program suffered major damage.[xxii] Many U.S. observers estimate the program was set back 12-18 months, but others have pointed out that the program quickly recovered and question the amount of damage truly caused.[xxiii]

Effect of Stuxnet on Iranian Centrifuge Operations

U.S. and Israeli Involvement

From the beginning, observers wondered who was behind Stuxnet, considering its sophistication and highly defined goals. Within a short time they concluded that the only group capable of such a concerted, targeted effort was a nation-state. In June 2012, journalist David Sanger reported on an 18-month long investigation in which he revealed that Stuxnet was part of a joint Israeli-U.S. operation originally commissioned under President George W. Bush called “Olympic Games.”[xxiv] This program continued under President Obama, who authorized its continuance even after Stuxnet was discovered.[xxv]

“Olympic Games” was a massive effort involving many programmers and technical experts from both countries. A mockup of the Natanz facility was even constructed using P-1 centrifuges handed over by Qaddafi in 2003. Further, according to a new book the software vendor Siemens (under the supervision of German intelligence) cooperated with both countries to assist in the development of the worm and in getting it installed on computers inside Iran.[xxvi]

While the U.S. government has never formally acknowledged involvement or responsibility (it has little reason to do so), Israel’s Mossad trumpeted its successes to journalists in 2011.[xxvii]  Far from being troubled by the clandestine operation, Israel views the discovery of Stuxnet to be a “serious blow” which interrupted several future plans for the virus.[xxviii] Anonymous U.S. intelligence sources, for their part, blame overreaching by Israel’s team for the virus becoming more widespread than they had intended.[xxix]


In May 2012, another advanced malware toolkit was discovered. This time, Kaspersky Lab, the Russian antivirus firm, was called in to investigate when Iran reported that data on computers which run the Iranian oil industry was deleted.[xxx] The company noticed that the new malware they found contained some of the same code from Stuxnet.[xxxi]

“Flame”, as the new malware was dubbed, is more oriented toward espionage: recording Skype conversations, keyboard logging, taking screenshots of the infected computer’s screen, and eavesdropping on nearby Bluetooth-enabled telephones.[xxxii] Some believe that Flame may have predated Stuxnet, acting as Stuxnet’s intelligence-gathering component.[xxxiii] Flame thus allowed virus designers to develop the detailed knowledge of Iran’s computer infrastructure that was necessary to create Stuxnet.[xxxiv]

“Flame” Installation Script

In the coming week

Regardless of the technical nuances of Stuxnet and Flame, some of which may never be fully understood, there is little doubt that “Olympic Games” was carried out by state actors and that it achieved at least some of its objectives against what the U.S. and Israel consider to be a hostile power. Over the coming weeks, we will examine some of the legal, moral, and diplomatic ramifications of virus creation by nation-states.  Next week, we will consider the legality of nation-state virus creation under the laws of war and armed conflict.

[i] Nicholas Falliere et al., W32.Stuxnet Dossier 4 (Version 1.3, 2010), http://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf.

[ii] Id. at 1.

[iii] Id. at 3.

[iv] Id. at 2.

[v] Id. at 1.

[vi] Id. at 5.

[vii] An interesting video of virus expert Ralph Langner’s presentation at the January 2012 S4 security conference can be found at http://www.digitalbond.com/2012/01/31/langners-stuxnet-deep-dive-s4-video/. In minutes 22-29 he presents very convincing evidence that the virus was targeted at Natanz’s cascading centrifuge design.

[viii] It should be noted that there is no specific evidence of an Iranian nuclear weapons program. Many believe that Iran abandoned its program in 2003. Iran maintains that it is enriching nuclear fuel to use in its power plants. Nuclear weapons require +90% purity, while reactors require only 3-4% purity. However, national security officials in Israel and the United States are concerned that Iran’s having the facilities to enrich uranium is dangerous in itself, since those facilities could begin to do weapons-grade enrichment at any time merely by continuing to enrich existing, stored power-grade stockpiles.

[ix] Stuxnet: Leaks or Lies? (Interview with Larry Constantine). IEEE Spectrum (Sept. 4, 2012), http://spectrum.ieee.org/podcast/computing/embedded-systems/stuxnet-leaks-or-lies.

[x] Id. at 4. “Zero-day” exploits are highly prized by virus writers, because they allow malware to infect any machine and compromise it before anyone even knows the exploit exists. Once known, vendors usually act quickly to patch the software and push updates to vulnerable computers. Zero-day exploits are prized, but not particularly rare. In fact, they can even be purchased in shadow Internet markets, and several “Internet security firms” sell them to generate revenue.

[xi] Holger Stark, Mossad’s Miracle Weapon, Spiegel Online International (Aug. 8, 2011), http://www.spiegel.de/international/world/mossad-s-miracle-weapon-stuxnet-virus-opens-new-era-of-cyber-war-a-778912-2.html

[xii] Stuxnet: Leaks or Lies, supra note 9.

[xiii] Id.

[xiv] Id.

[xv] Id.

[xvi] Id.

[xvii] Id.

[xviii] Stark, supra note 11.

[xix] Id.

[xx] Id.

[xxi] Id.

[xxii] Id.

[xxiii] David E. Sanger, Obama Order Sped Up Wave of Cyberattacks Against Iran, N.Y. Times, June 1, 2012, available at http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=1&pagewanted=all.

[xxiv] Id.

[xxv] Id.

[xxvi] See generally Dan Raviv & Yossi Melman, Spies Against Armageddon (2012).

[xxvii] Stark, supra note 11.

[xxviii] Id.

[xxix] Sanger, supra note 23. Not all technical experts are convinced that Sanger’s account of Stuxnet’s infection trajectory are accurate. Larry Constantine, a widely respected software engineer, recently gave an interview in which he disputed that Stuxnet was ever truly “in the wild.” He maintains that the virus’ inherent technical constraints prevent it from widespread Internet release in the manner Sanger outlined in his recent book. He believes the virus was spread by direct contact between Siemens engineers and technicians carrying USB drives between different collaborating facilities, and by the local area networks within those facilities. In fact, he believes the virus infected collaborating facilities first, and then spread over time to Natanz. See Stuxnet, supra note 9. Ralph Langner, while acknowledging certain technical inaccuracies in Sanger’s book, concludes that awareness about the larger issue of State-sponsored virus creation is most important. See Ralph Langner, The Contractor, Langner Blog, July 7, 2012, http://www.langner.com/en/2012/07/07/the-contractor/.

[xxx] Kim Zetter, Report: US and Israel Behind Flame Espionage Tool, Wired, June 19, 2012,  http://www.wired.com/threatlevel/2012/06/us-and-israel-behind-flame.

[xxxi] Id.

[xxxii] Id.

[xxxiii] Id.

[xxxiv] Kim Zetter, Researchers Connect Flame to US-Israel Stuxnet Attack, Wired, June 11, 2012,  http://www.wired.com/threatlevel/2012/06/flame-tied-to-stuxnet.


~ by K. Miller on September 16, 2012.

8 Responses to “When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 1 of 8)”

  1. We’ve now entered into an era where everyone is dependent on technology, at least in some way. Nation-states, of course, just like the rest of us, realize this dependency is profound and will try to exploit it for beneficial purposes. War is not an exception to this. The more technologically advanced a nation-state is, the more likely it is to use its proficiency to attack other nation-states.

    The legal and political ramifications of this kind of attack have yet to be seen, especially since the world and its legal systems are still trying to adapt to technological advances. Unfortunately, the law is slow to adapt to changes, which makes it especially difficult to restrict technological uses to legal and appropriate means. In situations such as this, where technological advances are used to attack or spy on other nation-states, it would be difficult to assess the kind of consequences it would have on global diplomacy. This is especially true since there are a limited amount of nation-states that have this kind of technological power. One can only assume that able governments will try to react quickly and with an equal, if not stronger, technological attack, without much regard for the standard rules of engagement.

    I feel like this new kind of “war” is significantly more dangerous than the kind of war we already know. Advanced governments, especially if they are cooperating, have the power to destroy other countries’ infrastructure. If they can create such a complex and stealthy virus to destroy centrifuges in nuclear factories, then it is not much of a stretch to believe that they also have the power to shut down another country’s network of communication and power supply. We are living in a time where cyber attacks, such as the one by rogue hacker collective, Anonymous, on the U.S. Department of Justice, brings more attention and concerns than a physical assault. It only seems logical that cyber attacks are the next step in a new age of war.

  2. I would agree with Amy. As exemplified in this post, the next step in warfare is cyber-weaponry and while my first reaction to this was that it was a preferable alternative to guns and mortars, I believe that the risks may be even greater than conventional warfare. At first glance, a battle involving computer worms and viruses may seem a preferable alternative to one involving tanks and soldiers. After all, the loss of a computer or network is far less than the loss of human life; however, when the fact that much of our modern tools of combat are run by computers is added to the equation, the risk of cyber-warfare becomes significantly more worrisome. Consider, for example, the Predator Unmanned Aerial Vehicle (UAV), a high-tech remote controlled aircraft, used as both a weapon and reconnaissance tool by the US in the War on Terror. A version of the Predator UAV, used in both Iraq and Afghanistan, is equipped with two Hellfire missiles and as demonstrated by a professor at the University of Austin is easily hacked using equipment that costs a mere $1,000. Even more troublesome is that while the U.S. was implementing Olympic Games, Iran was able to ground one of the Predator UAVs. Consider the potential consequences if our own weapons were able to be used against our military forces. The ability to hack into enemy weaponry would significantly lower the financial and manpower costs of combat, as instead of developing its own weapons, a nation or rouge terrorist group would need only to employ skilled hackers to take control of the weapons being used against them.

  3. On the civilian side, individual hackers and organized cybercriminals tend to be ahead of the curve on developing malware. A couple years ago, the worm “conficker” was so destructive because it had just about every method of changing its code to avoid detection and multiple methods built in to disable security programs. Some devious malware writers have developed code to hijack antimalware programs so they actually reproduce the infection.

    I don’t know how isolated the networks for things like nuclear silos or air traffic control are. Even if they can’t directly be accessed, there is a risk that terrorist groups could hack into the information systems and cause enough confusion to result in a strike. Bobby Johnson, Terrorists could use internet to launch nuclear attack: report, THEGUARDIAN, (July 24, 2009), http://www.guardian.co.uk/technology/2009/jul/24/internet-cyber-attack-terrorists.

    Can nation-states effectively respond against others who sponsor cyberterrorist attacks?

  4. The boundaries of acceptable and unacceptable hacking do not appear to be established at all. This is more apparent after hearing that the person behind the virus in the Iranian computers was actually the United States of America. At first I was shocked that the culprit behind these crimes was actually my own country, but to consider it as an act of war makes the crime seem much more acceptable. “All is fair in love and war.”

    The Chinese woman who stole technology from Motorola appears to have been sentenced for stealing trade secrets. But after reading about what we, the United States, were doing to the Iranian companies, stealing information from an American company to help China’s military systems seems to me to be more like an act of war than it does about stealing trade secrets. I agree with the earlier posts about the difficulties of this new kind of “war” being potentially more dangerous than the wars that we have become accustomed to hearing about in the past.

    It seems to me that there may come a time when the motive behind the theft of trade secrets would become important. Here, a Chinese woman intended to play a role in assisting China’s military. But, what if the theft of trade secrets was to boost the technology and sales of a competing US company? Or what if the theft of trade secrets was simply to further the understanding of the technology for educational purposes? Depending on what the information is to be used for, it seems like it would make sense to punish these crimes differently.

  5. The fact that Nation-states are attempting to, and succeeding, in “technological warfare” is, while scary, not surprising. Great military leaders have always known that the only way to defeat an opposing force is to disrupt and, if possible, control their infrastructure. If the enemy cannot re-supply or rebuild, then they will not have the means to effectively wage war. Technology, specifically being on the forefront of developing technology, has played a significant role in almost all recent conflicts. Two examples are WWII, when code breaking technology, and later atomic weaponry, played a large role, and the Cold War, when the technological “arms race” lead to an avoidance of war because any conflict would probably have ended with the mutual destruction of all involved.

    It is not surprising that technology is being developed and used by Nation-states against other Nation-states. What is surprising, and problematic for many reasons, is the fact that multi-national corporations who operate in, and profit from, many developed countries would assist one Nation-state in waging “technological warfare” against another Nation-state. This is problematic for many reasons, but one that I want to mention specifically is the potential for corporate profiteers. There is potential for multinational technological corporations to become mercenaries, or technological guns for hire. It is also a little frightening to think about the possibility of large technological corporations being able to dictate conflicts and foreign policy based on what is best for potential profit.

  6. I think that the most freighting aspect of cyber warfare is that it allows small players to have a big impact. A rogue state or even a well organized radical group could cause devastation through the use of cyber attacks. Most people look to the big targets like nuclear power plants, dams, stock exchanges and defense systems as potential targets of cyber attacks, but it is the unnoticed systems we take for granted, such as a city transportation grid, or cell phone service that are the most vulnerable. The network security in place in the big targets while not up to par is still pretty substantial, enough so to weed out all but the most advanced hackers. However, it is the small targets that have only slightly better security than home networks that are vulnerable. This is especially true as people become more and more reliant on digitally controlled services.

    Imagine the repercussions if the traffic systems were disabled in just one city for just one day. The city would grind to a halt. Car accidents would be widespread and traffic would slow productivity to a crawl, resulting in huge financial losses. While this scenario is not that terrifying alone it could be repeated over and over across different systems causing billions of dollars in financial damages.

  7. I share similar sentiments with most of the responses that cyber warfare seems to be the inevitable future of warfare. It is unsettling to think that such a small weapon could cause such widespread destruction. I agree that the casualty of a network or computer system is far less devastating than the loss of a human life, however, the ramifications of cyber warfare could be vast and widespread. What’s even more troubling is that such a war could be waged overnight, erupting in a virtual battle in the blink of an eye. Furthermore, while such a battle would begin in cyberspace, it could quickly find its way to the physical world as computers are commonly, if not exclusively, used to control weapons of mass destruction. If such a cyber war could begin overnight, so could the threat of physical attack. A physical attack of that sort could be launched with no time for preparation or evacuation. Cyber warfare may begin on a harmless machine but it could quickly amount to the most destructive warfare to date.

  8. Learning how Stuxnet worked was fascinating. I am curious if there was a chance that Stuxnet could have caused a catastrophic incident when it was modifying the spin of the centrifuges? Seems like a great way to disturb the enrichment process but would have been an international incident of great proportions had something gone awry and blown up the facility. Maybe it wasn’t much of a risk.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: