WEBVTT - What was Stuxnet? Part One 0:00:03.880 --> 0:00:06.880 Get in touch with technology with tech Stuff from how 0:00:06.960 --> 0:00:14.040 stuff works dot com. Hey there, and welcome to tech Stuff. 0:00:14.080 --> 0:00:17.640 I'm your host, Jonathan Strickland. I'm an executive producer here 0:00:17.640 --> 0:00:21.520 at how Stuff Works. And yeah, I still kind of 0:00:21.600 --> 0:00:23.640 have a cold. You can kind of hear it. It's 0:00:23.680 --> 0:00:25.159 not as bad as it was last week when I 0:00:25.160 --> 0:00:28.640 was recording those earlier episodes though, So that's something. Uh, 0:00:28.800 --> 0:00:31.720 since I have a cold, you know, I thought my 0:00:31.800 --> 0:00:33.720 brain got on this little topic. It's sort of this 0:00:33.800 --> 0:00:38.440 free association thing technology colds viruses. How about I talk 0:00:38.479 --> 0:00:42.760 about a famous virus. So we're going to really dive 0:00:42.840 --> 0:00:48.160 in to the story behind stucks net, a famous piece 0:00:48.280 --> 0:00:52.960 of malware that made headlines in and I've talked about 0:00:52.960 --> 0:00:55.320 it before on this show. In fact, Chris Palette and 0:00:55.360 --> 0:00:58.440 I did an episode about stucks net several years ago, 0:00:58.760 --> 0:01:03.000 but at the time not as much information was available 0:01:03.040 --> 0:01:06.720 about what was going on. Tech Stuff technically launched two 0:01:06.840 --> 0:01:10.640 years before stocks Net made headlines. So this is actually 0:01:10.640 --> 0:01:13.440 an opportunity for me to look back at something that 0:01:13.560 --> 0:01:16.280 developed over the course of the history of this show 0:01:17.000 --> 0:01:21.039 and learn more about where it came from, what's purpose was, 0:01:21.720 --> 0:01:26.559 and how that whole story unfolded. Before I really dive 0:01:26.680 --> 0:01:30.840 into the story, I want to mention one of the 0:01:30.920 --> 0:01:36.039 sources I used when I was researching these two episodes. Uh, 0:01:36.080 --> 0:01:40.080 this would be a book titled Countdown to Zero Day, 0:01:40.200 --> 0:01:43.279 stucks Net and the Launch of the World's First Digital Weapon. 0:01:43.800 --> 0:01:46.920 The book goes into great detail regarding the story of 0:01:46.920 --> 0:01:52.160 stocks Net. It also gives wonderful background information on the 0:01:52.280 --> 0:01:59.400 key figures of cryptography researchers, cybersecurity researchers, all these people 0:01:59.440 --> 0:02:03.600 who were very much instrumental in discovering and uncovering stuck 0:02:03.680 --> 0:02:06.240 s net and figuring out what it did and and 0:02:06.280 --> 0:02:10.079 who was probably behind it since that was never something 0:02:10.080 --> 0:02:12.240 that was officially acknowledged, but come on, we know who 0:02:12.320 --> 0:02:14.920 it actually was. I'll talk about that in these episodes. 0:02:15.320 --> 0:02:18.040 That's a great book. If you want more information about 0:02:18.120 --> 0:02:21.800 stucks Net after this episode, go check that out, count 0:02:21.800 --> 0:02:24.360 Down to Zero Day, stucks Net and the Launch of 0:02:24.360 --> 0:02:28.400 the World's First Digital Weapon. It goes into way more 0:02:28.480 --> 0:02:32.160 detail than I'm going to cover in these episodes. Now, 0:02:32.840 --> 0:02:35.880 these episodes are also going to contain a lot of 0:02:36.000 --> 0:02:41.280 history and politics in them because stucks net, unlike many 0:02:41.360 --> 0:02:46.160 other examples of malware was not intended to be a 0:02:46.440 --> 0:02:51.600 type of uh computer virus to create monetary gain for 0:02:51.639 --> 0:02:56.920 the people who designed it, or even just make people irritated. 0:02:57.120 --> 0:02:59.880 It wasn't that kind of malware. You may have a 0:03:00.040 --> 0:03:03.200 counter and malware that was meant to try and extort 0:03:03.240 --> 0:03:07.480 money from someone where it locks down a computer and 0:03:07.600 --> 0:03:10.360 the only way to get access, at least according to 0:03:10.600 --> 0:03:15.160 the messengersy receive, is to pay a ransom to the hackers. 0:03:15.240 --> 0:03:18.680 We call that ransomware. Stuck's Net was not that type 0:03:18.680 --> 0:03:22.720 of malware. Nor was it just some sort of capricious 0:03:22.840 --> 0:03:26.840 code that someone created in order to turn computer hard 0:03:26.960 --> 0:03:31.280 drives into giant concrete blocks. It was neither of those things. 0:03:31.280 --> 0:03:37.040 It had a very specific intent, and it was very 0:03:37.120 --> 0:03:40.760 much a at least all signs at least pointed to 0:03:40.840 --> 0:03:44.440 it being very much a state sponsored piece of software, 0:03:44.480 --> 0:03:49.640 meaning that some government agency or agencies was behind the 0:03:49.680 --> 0:03:53.240 development of this. So it sets it apart from a 0:03:53.240 --> 0:03:56.760 lot of other versions of malware. And in order to 0:03:56.840 --> 0:03:59.040 understand it, I think it's good to begin with a 0:03:59.120 --> 0:04:04.320 quick history lesson of Iran's nuclear program, because that was 0:04:04.480 --> 0:04:09.680 the ultimate target of stocks net back in the nineteen fifties. Iran, 0:04:09.920 --> 0:04:14.680 under the leadership of shaw Mohammad Reza PALAVII, had received 0:04:14.680 --> 0:04:18.400 the nod from the world community to pursue a nuclear 0:04:18.480 --> 0:04:22.320 power program. At that same time, nuclear powers like the 0:04:22.400 --> 0:04:25.839 United States, we're trying to discourage other nations from developing 0:04:25.920 --> 0:04:29.560 nuclear weapons. So they were essentially saying, hey, nuclear power, 0:04:29.920 --> 0:04:34.560 tots cool nuclear weapons, Let's not make this worse because 0:04:34.680 --> 0:04:40.159 nuclear proliferation was becoming a big fear among various powers 0:04:40.160 --> 0:04:42.480 in the world and of course populations in the world. 0:04:43.040 --> 0:04:46.000 So it was sort of an Atoms for Peace kind 0:04:46.040 --> 0:04:49.359 of initiative, saying, let's go and develop nuclear power for 0:04:49.400 --> 0:04:52.719 a country's that's great. That way you can generate electricity, 0:04:52.760 --> 0:04:57.440 but let's stay away from building the bombs. Iran's program 0:04:57.520 --> 0:05:00.559 was launched with the understanding that the country was only 0:05:00.600 --> 0:05:05.520 going to build these power plants, not weaponry, although all 0:05:05.560 --> 0:05:09.080 indications showed that the long term plan for Iran was 0:05:09.120 --> 0:05:13.360 in fact to develop nuclear weapons at some point. As 0:05:13.400 --> 0:05:16.400 part of this early agreement, the United States would sell 0:05:16.520 --> 0:05:20.040 to Iran the enriched uranium its power plants would need 0:05:20.080 --> 0:05:22.960 as fuel, so Iran wouldn't need to create its own 0:05:23.080 --> 0:05:27.679 uranium enrichment facilities. It would just purchase enriched uranium ready 0:05:27.760 --> 0:05:31.800 to go from the United States. And in fact, the US, Germany, 0:05:31.880 --> 0:05:37.400 and France were all totally supportive of Iran's efforts, perhaps 0:05:37.920 --> 0:05:41.760 because those countries also stood to benefit from it. They 0:05:41.760 --> 0:05:44.520 were all going to make a boatload of cash by 0:05:44.520 --> 0:05:48.279 selling equipment and fuel to Iran, so there was a 0:05:48.360 --> 0:05:54.400 financial incentive to support Iran's efforts to create nuclear power plants. 0:05:54.440 --> 0:05:57.080 All of this was despite the fact that the tools 0:05:57.200 --> 0:06:01.120 used to create nuclear power plants could receivably be put 0:06:01.160 --> 0:06:04.080 to use to build nuclear weapons. So you could have 0:06:04.160 --> 0:06:07.080 someone say, hey, I just need this technology because I 0:06:07.080 --> 0:06:09.800 want to make a power plant, but in reality they 0:06:09.880 --> 0:06:13.640 might be using that technology to make boom booms. So 0:06:14.240 --> 0:06:16.960 the thing that the U United States said that kind 0:06:16.960 --> 0:06:22.360 of justified their choice to support this program was, Hey, 0:06:22.520 --> 0:06:26.640 the Shah, he's awesome. We get along so well, we're 0:06:26.680 --> 0:06:32.040 like besties. And so there's no way that Iran, even 0:06:32.040 --> 0:06:34.520 if they did develop nuclear weapons, would be a threat 0:06:34.600 --> 0:06:38.000 to US, their their allies. So let's go ahead and 0:06:38.040 --> 0:06:40.360 go all in. Let's go ahead and make some money. 0:06:40.400 --> 0:06:44.640 Come on, capitalism, woo. It's not like Iran will ever 0:06:44.680 --> 0:06:48.400 have a problem with the United States. And then nineteen 0:06:48.480 --> 0:06:52.880 seventy nine happened. In nineteen seventy nine, the Ayatollah Ruala 0:06:53.000 --> 0:06:57.120 Kamaney overthrew the shop. Now Kamany did not share the 0:06:57.160 --> 0:07:01.200 Shah's opinion of the United States, and suddenly the U 0:07:01.440 --> 0:07:06.400 S was tugging at its collar and saying yikes. So 0:07:06.520 --> 0:07:10.320 Germany in the US withdrew their support for Iran's nuclear 0:07:10.320 --> 0:07:14.640 program and the Komani Aetola. Komani was not terribly interested 0:07:14.680 --> 0:07:19.160 in pursuing a nuclear power program either, so the power 0:07:19.200 --> 0:07:21.760 plants were pretty much abandoned for a few years. They 0:07:21.800 --> 0:07:26.560 were also the frequent target of bombing raids during various 0:07:27.000 --> 0:07:30.320 conflicts that Iran got into over the course of the eighties. 0:07:30.680 --> 0:07:34.680 Now that Aatola would eventually renew the nuclear program. In 0:07:34.720 --> 0:07:38.560 the nineteen eighties, after rumors spread that Iraq was developing 0:07:38.600 --> 0:07:42.640 nuclear weapons and Saddam Hussein, the leader of Iraq at 0:07:42.680 --> 0:07:46.800 the time, had already used chemical weapons against Iran during 0:07:46.840 --> 0:07:50.840 the Iran Iraq War, the Aetola hired on an engineer 0:07:50.880 --> 0:07:56.480 from Pakistan to help Iran, using plans for centrifuges that 0:07:56.560 --> 0:08:00.600 the engineer had stolen from European companies. So This engineer 0:08:00.600 --> 0:08:03.200 had worked on behalf of these European companies and then 0:08:03.320 --> 0:08:08.960 essentially did a little industrial theft, stealing the plans for 0:08:09.000 --> 0:08:13.280 centrifuges so that they could create a similar program in 0:08:13.400 --> 0:08:17.280 nations like Pakistan. This was all happening in secret, obviously, 0:08:17.720 --> 0:08:20.120 but Iran had gotten word of it, and so they 0:08:20.160 --> 0:08:25.040 contacted this Pakistani engineer who agreed to help out Iran. 0:08:25.440 --> 0:08:30.000 In nineteen Iran entered into a contract with Russia to 0:08:30.080 --> 0:08:34.000 complete a nuclear power reactor at Boucher. This site in 0:08:34.040 --> 0:08:36.760 Iran had been one of the original plan power plants 0:08:36.960 --> 0:08:41.040 way back in nineteen fifty seven, but the various conflicts 0:08:41.080 --> 0:08:43.880 between fifty seven and ninety five had delayed and even 0:08:43.920 --> 0:08:47.160 destroyed the work that had been done on the location. 0:08:47.559 --> 0:08:51.319 Iran and Russia were going to also build a uranium 0:08:51.440 --> 0:08:55.800 enrichment plant kind of co located with this nuclear power plant, 0:08:56.240 --> 0:08:59.000 but the United States stepped in and said to Russia, hey, 0:08:59.120 --> 0:09:03.440 we think that's like a bad idea man, and Russia 0:09:03.480 --> 0:09:07.800 eventually said dah and backed off. And that was supposedly that, 0:09:08.559 --> 0:09:12.640 except it totally wasn't just that. In two thousand, Iran 0:09:12.760 --> 0:09:17.959 started building a new facility at Natan's another site in Iran. 0:09:18.080 --> 0:09:25.400 Iranian officials claimed that this facility was a desert eradication location, 0:09:26.120 --> 0:09:29.680 but satellite imagery eventually showed that something else was up 0:09:29.880 --> 0:09:33.200 in that site. The design of the facility suggested it 0:09:33.240 --> 0:09:36.880 was going to house something super secret that was to 0:09:37.000 --> 0:09:40.720 be protected from missile strikes and air strikes. And the 0:09:40.760 --> 0:09:44.840 reason they were drawing this conclusion was that Iran was 0:09:44.880 --> 0:09:49.160 clearly excavating a lot of land building a large underground 0:09:49.200 --> 0:09:54.040 facility something that needed to be uh insulated from potential 0:09:54.080 --> 0:09:59.040 air attack, and the entrance hallway into the facility had 0:09:59.040 --> 0:10:01.480 a big U turn in it. It wasn't a straight 0:10:01.520 --> 0:10:05.280 shot down into the heart of the facility. That you 0:10:05.480 --> 0:10:08.760 turn was an indication that perhaps this was a way 0:10:09.000 --> 0:10:13.400 to avoid a smart missile flying down the entryway and 0:10:13.520 --> 0:10:16.080 hitting a target. If it had to turn nine degrees 0:10:16.240 --> 0:10:20.080 or eighty degrees, then chances are no missile would actually 0:10:20.080 --> 0:10:23.240 be able to do that, and it was thus a 0:10:23.360 --> 0:10:26.640 tactic to avoid damage in the case of an air strike. 0:10:27.040 --> 0:10:31.840 But why would you need that for some innocent desert 0:10:31.840 --> 0:10:35.160 eradication facility. Why would it need to be underground and 0:10:35.200 --> 0:10:38.600 have these kind of measures in place In two thousand two, 0:10:38.679 --> 0:10:42.600 some whistleblowers alerted the u N that this facility would 0:10:42.679 --> 0:10:52.360 actually be a uranium enrichment plant. Now, Iranian officials eventually said, okay, yeah, 0:10:52.520 --> 0:10:55.000 but we were gonna tell you about it. We just 0:10:55.040 --> 0:10:57.800 hadn't done that yet because there wasn't really any need to. 0:10:57.920 --> 0:11:02.240 Were still months away from going online, so it's not 0:11:02.400 --> 0:11:06.360 like there's any chance that this thing is is already 0:11:06.480 --> 0:11:10.560 producing enriched uranium. We just want to have a facility 0:11:10.800 --> 0:11:13.400 to create nuclear fuel that we're going to use for 0:11:13.400 --> 0:11:15.840 our power plants. We want to be self sufficient, is all. 0:11:15.880 --> 0:11:17.880 We don't want to have to buy our fuel from 0:11:17.960 --> 0:11:22.240 other nations. The u N stepped up inspections of the facility, 0:11:22.320 --> 0:11:25.600 or at least attempted to, although it initially encountered a 0:11:25.600 --> 0:11:28.439 lot of resistance from Iran. The u N would say, 0:11:28.440 --> 0:11:30.720 all right, well, we're ready to come in and investigate 0:11:30.760 --> 0:11:34.720 this facility, and then the people in Iran would say, sorry, 0:11:34.760 --> 0:11:36.960 it's not ready yet. Come back next month. And then 0:11:36.960 --> 0:11:38.600 they would come back next month and say, all right, 0:11:38.600 --> 0:11:40.120 we're ready to look at the facility and say, you 0:11:40.120 --> 0:11:41.760 know what, we lost the keys, don't know where the 0:11:41.840 --> 0:11:45.640 keys are. Could you come back maybe another day, and 0:11:45.679 --> 0:11:49.840 it became increasingly clear, at least to the the investigators, 0:11:49.880 --> 0:11:52.079 that something was up, and that there was a lot 0:11:52.120 --> 0:11:56.120 of activity going on, perhaps to cover tracks, perhaps to 0:11:56.160 --> 0:11:59.440 get rid of evidence, although it's impossible to say, because 0:11:59.520 --> 0:12:01.840 unless you actually are there to witness what is happening, 0:12:01.840 --> 0:12:05.760 you don't really know, but it seemed to imply that 0:12:05.800 --> 0:12:09.240 there was something hainky going on. Eventually they were able 0:12:09.320 --> 0:12:14.720 to set up a regular inspection schedule of this facility, 0:12:14.840 --> 0:12:18.360 and they were there to make sure that the uranium 0:12:18.360 --> 0:12:21.520 that was being produced was meant for nuclear power and 0:12:21.600 --> 0:12:26.040 not nuclear weapons. And meanwhile, countries like the United States 0:12:26.080 --> 0:12:30.520 were getting awfully antsy about Iran. On July six, two 0:12:30.520 --> 0:12:34.720 thousand nine, Wiki Leaks hosted a note written by founder 0:12:34.800 --> 0:12:39.920 Julian Assange that referenced some sort of serious nuclear accident 0:12:40.320 --> 0:12:43.720 that had happened at the uranium enrichment facility. Now this 0:12:43.720 --> 0:12:47.160 would have been shortly after the stux Net virus would 0:12:47.160 --> 0:12:50.640 initially be released, but at this time, no one outside 0:12:50.800 --> 0:12:54.719 of the people involved in stocks Net would have possibly 0:12:54.800 --> 0:12:59.839 known about the virus and become public knowledge. Yet, in January, 0:13:00.160 --> 0:13:04.520 a United Nations agency called the International Atomic Energy Agency 0:13:04.720 --> 0:13:07.920 or I a e A. Began to notice that something 0:13:07.960 --> 0:13:13.520 unusual was happening to the centrifuges at Iran's Natan's uranium 0:13:13.640 --> 0:13:16.880 enrichment plant. They saw that there was a failure rate 0:13:16.880 --> 0:13:20.800 that was unusually high. The agents would inspect the facilities 0:13:20.840 --> 0:13:23.440 at least once a month and then occasionally with some 0:13:23.520 --> 0:13:27.199 surprise inspections, and the whole point was just to make 0:13:27.200 --> 0:13:29.840 sure that nothing illegal was happening, that Iran was in 0:13:29.880 --> 0:13:33.160 fact not trying to stockpile enriched uranium in the effort 0:13:33.200 --> 0:13:39.920 to build bombs. This was an important uh thing that 0:13:39.960 --> 0:13:42.280 the U N was doing, but it also was not 0:13:42.360 --> 0:13:44.720 the most efficient way of doing it if you wanted 0:13:44.760 --> 0:13:51.200 to recognize trends, because they would swap out who went 0:13:51.360 --> 0:13:56.959 to investigate the facility each time. That kind of makes sense. 0:13:57.000 --> 0:14:01.080 You don't want one group to get compromised in any 0:14:01.120 --> 0:14:05.920 way or fooled in some way. Sending new people sends 0:14:06.000 --> 0:14:08.520 new sets of eyes. But it also meant that until 0:14:08.559 --> 0:14:11.839 you were looking at aggregated data, you could not necessarily 0:14:11.920 --> 0:14:16.400 see that something unusual is happening, And something unusual was 0:14:16.480 --> 0:14:20.480 happening specifically to the centrifuges. Now to understand that. It 0:14:20.720 --> 0:14:23.440 also helps to understand what the heck the centrifugures were 0:14:23.440 --> 0:14:25.480 being used for in the first place, Like what is 0:14:25.520 --> 0:14:30.240 their purpose in the process of refining uranium. Well, first, 0:14:30.720 --> 0:14:33.680 nuclear fuel needs to be made up of between three 0:14:33.760 --> 0:14:37.760 and a half to five percent uranium two thirty five isotope. 0:14:38.200 --> 0:14:41.840 So isotopes are two or more forms of the same element, 0:14:42.160 --> 0:14:45.080 in which the atoms of the different isotopes have a 0:14:45.080 --> 0:14:49.520 different number of neutrons. Chemically, the two atoms behave the 0:14:49.560 --> 0:14:53.080 same way, but they'll have different atomic masses because of 0:14:53.080 --> 0:14:56.080 the difference in neutrons uh, and they'll have different decay 0:14:56.160 --> 0:14:59.040 rates and things of that nature as well. So there 0:14:59.040 --> 0:15:03.760 are three may jr isotopes of uranium that occur naturally 0:15:04.320 --> 0:15:07.960 uh within the Earth's crust. So if you mine uranium, 0:15:07.960 --> 0:15:11.400 you're gonna come up with a mixture of different isotopes 0:15:11.520 --> 0:15:15.320 at different concentrations. Most of it, in fact, more than 0:15:15.440 --> 0:15:19.960 nine of the stuff that occurs naturally is uranium two 0:15:19.960 --> 0:15:23.600 thirty eight, less than one percent of it is uranium 0:15:23.680 --> 0:15:26.000 two thirty five, and then you get a ten ty 0:15:26.120 --> 0:15:29.520 tiny bit that's uranium two thirty four. If you want 0:15:29.520 --> 0:15:32.960 to make nuclear fuel, you need a much higher percentage 0:15:32.960 --> 0:15:35.480 of uranium two thirty five than what you find in nature. 0:15:35.520 --> 0:15:38.000 In nature it's less than a percent, and fuel you 0:15:38.040 --> 0:15:39.680 need it to be at least three and a half 0:15:39.800 --> 0:15:43.120 to five percent. By the time you're getting into the 0:15:43.240 --> 0:15:47.040 enrichment process. You need the uranium to be in gas form, 0:15:47.520 --> 0:15:51.200 so you would get uranium or you would refine that 0:15:51.360 --> 0:15:54.600 down to uranium oxide, and then you would take that 0:15:54.680 --> 0:15:57.680 to a conversion plant that would take the uranium oxide 0:15:57.720 --> 0:16:02.200 and turn it into a gas called uranium hexafluoride. This 0:16:02.320 --> 0:16:04.960 gas has various isotubes of uranium in it. You have 0:16:05.040 --> 0:16:08.280 both uranium two thirty eight and two thirty five, and 0:16:08.360 --> 0:16:10.720 you have it in the concentrations you would expect because 0:16:10.760 --> 0:16:13.520 it's from the stuff you mind from the ground. You 0:16:13.560 --> 0:16:18.680 then feed that gas into tubes inside a centrifuge. Centrifuges 0:16:18.760 --> 0:16:21.800 spin and they can spend it really high velocities. We're 0:16:21.800 --> 0:16:25.240 talking tens of thousands of revolutions per minute now. When 0:16:25.280 --> 0:16:29.520 they spin, it separates out the materials of different weight 0:16:29.800 --> 0:16:33.200 within those tubes. The heavy stuff moves towards the edges 0:16:33.240 --> 0:16:35.760 of the tubes, the sides of the tubes, and the 0:16:35.960 --> 0:16:39.040 lighter stuff will move towards the center. So if you 0:16:39.120 --> 0:16:43.320 spend the centrifugures at the right speed and you then 0:16:43.440 --> 0:16:47.200 effectively scoop out the middle of the tube, you can 0:16:47.320 --> 0:16:50.440 separate the uranium two thirty five from the uranium two 0:16:50.440 --> 0:16:52.320 thirty eight. Now you actually have to do this in 0:16:52.360 --> 0:16:55.600 a lot of different stages. You put them through one centrifuge, 0:16:55.640 --> 0:16:58.160 you do the scooping process, you doing about another centrifuge. 0:16:58.240 --> 0:16:59.920 You have to do this multiple times in order to 0:17:00.080 --> 0:17:04.679 really get the right concentrations. Eventually you can do this 0:17:04.840 --> 0:17:07.920 enough to manufacture the uranium pellets that you would use 0:17:08.119 --> 0:17:11.560 for nuclear fuel. If you wanted to make a nuclear weapon, 0:17:11.920 --> 0:17:15.359 you'd follow the same process, but you need way more 0:17:15.520 --> 0:17:19.360 uranium two thirty five. Nuclear weapons typically have a proportion 0:17:19.400 --> 0:17:23.320 of or more uranium two thirty five in them. Sometimes 0:17:23.320 --> 0:17:27.520 it's or greater, so you need a lot more uranium, 0:17:27.600 --> 0:17:29.360 and then you have to refine a lot of it 0:17:29.720 --> 0:17:31.400 and rich a lot of it in order to get 0:17:31.440 --> 0:17:35.919 to that level of uranium two thirty five. But it 0:17:36.040 --> 0:17:38.959 is exactly the same process, it's just a matter of 0:17:39.480 --> 0:17:43.920 more stuff. Centrifuges, as they turn out, are are delicate. 0:17:44.440 --> 0:17:47.560 They're the ones that Iran was using. We're supposed to 0:17:47.600 --> 0:17:52.160 have a ten year lifespan, but these are moving pieces 0:17:52.280 --> 0:17:55.919 of machinery. They have mechanical parts, and they work at 0:17:56.000 --> 0:18:00.280 high speeds, so eventually they'll fail. They may fail because 0:18:00.320 --> 0:18:04.400 of mechanical error, human error, all sorts of different stuff 0:18:04.440 --> 0:18:07.880 could cause them to break down. And because of that, 0:18:08.040 --> 0:18:11.879 typically in a year you might have to replace about 0:18:11.920 --> 0:18:15.280 ten of the centrifugures you have, even if they're brand new. 0:18:16.200 --> 0:18:19.400 But the thing that the i a e A. Discovered 0:18:20.080 --> 0:18:24.000 eventually after they looked at aggregated data, was that the 0:18:24.119 --> 0:18:27.680 number of centrifuges that they were replacing at this uranium 0:18:27.680 --> 0:18:32.400 and enrichment facility was much higher than that they had 0:18:32.400 --> 0:18:35.240 centrifugures at this point, So you would expect about eight 0:18:35.280 --> 0:18:38.200 hundred and seventy of them need to be replaced every year, 0:18:38.560 --> 0:18:41.240 but apparently the number was actually much higher than that, 0:18:41.280 --> 0:18:44.560 perhaps as high as two thousand or more, although the 0:18:44.600 --> 0:18:48.359 actual figures were never published. But the i a e A. 0:18:48.600 --> 0:18:51.600 Was keeping track of this stuff. They just didn't notice 0:18:51.640 --> 0:18:55.159 the trend until they were looking at again a sequence 0:18:55.359 --> 0:18:58.160 of these visits and then realized, hey, that that seems 0:18:58.200 --> 0:19:01.400 like a pretty high number to place that many centrifuges. 0:19:01.480 --> 0:19:06.359 Wonder what's happening with this? Well, while this was going on, uh, 0:19:06.520 --> 0:19:10.280 there were other things happening that we're indicating that something 0:19:10.400 --> 0:19:14.919 unusual had been unleashed in the world of computers. The 0:19:14.960 --> 0:19:17.000 folks at I A e A at this point did 0:19:17.040 --> 0:19:20.760 not suspect any kind of computer virus. They weren't sure 0:19:20.800 --> 0:19:23.040 what was causing the centrifuges to fail. It could have 0:19:23.080 --> 0:19:26.400 just been that they were really bad centrifugus, that Iran 0:19:26.520 --> 0:19:30.159 had purchased them from a bad source, although Iran was 0:19:30.240 --> 0:19:32.959 stating that they had actually made the whole thing themselves, 0:19:33.000 --> 0:19:36.080 that the centrifugures were based off their own design, although 0:19:36.080 --> 0:19:41.479 again the United Nations officials the investigators were not buying it. 0:19:41.640 --> 0:19:44.400 They said, wow, these things look an awful lot like 0:19:45.080 --> 0:19:47.160 the ones that were being used in Europe a few 0:19:47.240 --> 0:19:49.120 years ago. In fact, if I didn't know any better, 0:19:49.160 --> 0:19:51.600 I would say that these were direct copies of that 0:19:51.680 --> 0:19:55.920 and that they were based off stolen information. But Iran's 0:19:55.920 --> 0:19:59.520 messaging was that no, these were of our design and 0:19:59.720 --> 0:20:02.480 we built them at any rate. I A e A 0:20:02.640 --> 0:20:06.520 wasn't sure why these centrifuges were starting to fail at 0:20:06.520 --> 0:20:09.760 that same time, or actually a little bit later. In June, 0:20:10.760 --> 0:20:14.840 there was a cybersecurity professional named Seragei Ulasson in Belarus 0:20:15.119 --> 0:20:18.880 who was investigating some really weird computer behavior that had 0:20:18.920 --> 0:20:23.119 been reported in an Iranian computer. The computer in question 0:20:23.240 --> 0:20:28.400 was caught in an endless crash and reboot cycle and 0:20:29.280 --> 0:20:32.639 they weren't really sure what was causing it. The culprit 0:20:33.240 --> 0:20:36.400 looked like it might have been the anti virus software 0:20:36.640 --> 0:20:40.040 that was on the computer, that something was not compatible, 0:20:40.680 --> 0:20:44.600 and the antivirus software came from the company that uh 0:20:44.720 --> 0:20:47.840 Sarageulawson was working for. He was working for this company 0:20:47.840 --> 0:20:52.520 called virus Block Ada. The Iranian computer had that anti 0:20:52.600 --> 0:20:55.760 virus program on it. It was purchased originally from a reseller, 0:20:55.880 --> 0:20:58.840 so it wasn't purchased directly from the Belarus company, but 0:20:59.000 --> 0:21:02.920 rather an Ira Auny and company that had the right 0:21:03.119 --> 0:21:07.840 to re sell this anti virus software, and originally the 0:21:07.840 --> 0:21:10.800 person who owned the computer or the the agency that 0:21:10.920 --> 0:21:15.840 owned the computer contacted the reseller and said, I'm getting 0:21:15.880 --> 0:21:18.480 this error. It's the computer just keeps crashing and trying 0:21:18.480 --> 0:21:22.640 to reboot. What's going on the reseller eventually fielded that 0:21:23.119 --> 0:21:28.199 question up to Lawson. Lawson got permission to log into 0:21:28.240 --> 0:21:31.560 this problematic computer using a remote log in, and he 0:21:31.640 --> 0:21:33.520 began to look around to see what the heck was 0:21:33.560 --> 0:21:37.840 going on, and he eventually suspected the machine had been 0:21:37.880 --> 0:21:41.679 infected by some malware and that this malware included a 0:21:41.800 --> 0:21:46.440 root kit quick refresher. A root kit is software that 0:21:46.520 --> 0:21:51.160 gives an unauthorized party access to control of a computer system. 0:21:51.520 --> 0:21:55.040 Hackers use this to get a back door access and 0:21:55.080 --> 0:21:57.960 get information on computers, or they do it to create 0:21:58.080 --> 0:22:02.000 boton nets. Moreover, a root kit masks this activity. It 0:22:02.240 --> 0:22:05.639 acts as like a shield to hide it from the 0:22:05.640 --> 0:22:08.800 host computer in an effort to escape detection. So a 0:22:08.840 --> 0:22:12.000 good root kit is doing all this allowing someone to 0:22:12.160 --> 0:22:16.920 remotely access your computer, but you can't tell because it's 0:22:17.040 --> 0:22:20.640 hiding all that activity from you. Well, like all malware, 0:22:20.720 --> 0:22:23.719 root kits are only useful if the targeted machine doesn't 0:22:23.720 --> 0:22:26.959 have suitable anti virus protection on it. It could be 0:22:27.280 --> 0:22:30.040 out of date, or it might not have antivirus software 0:22:30.040 --> 0:22:33.240 on it at all, or it might be so new 0:22:33.960 --> 0:22:38.639 that antivirus software doesn't yet have a profile on that 0:22:38.720 --> 0:22:41.240 type of root kit. Which means that it will escape 0:22:41.280 --> 0:22:44.960 the anti virus software's detection because it doesn't know to 0:22:45.040 --> 0:22:48.760 look for it. Once anti virus software companies learn of 0:22:48.800 --> 0:22:51.520 a piece of malware, they can then adjust their software 0:22:51.640 --> 0:22:54.480 to identify and block those programs. But if there is 0:22:54.520 --> 0:22:58.160 a gap there, the malware can go for a while 0:22:58.240 --> 0:23:01.399 without detection, and it means that all machines can be 0:23:01.480 --> 0:23:04.919 vulnerable to those attacks until someone catches on. And that 0:23:05.040 --> 0:23:08.240 seems to be what was going on in this case. 0:23:08.680 --> 0:23:11.080 Now I have a lot more to say about the 0:23:11.160 --> 0:23:13.760 early detection of stucks net, but before I get into that, 0:23:13.880 --> 0:23:23.959 let's take a quick break to thank our sponsor. Alright, 0:23:24.000 --> 0:23:28.960 So a lawson realized that whomever was responsible for creating 0:23:29.000 --> 0:23:33.679 this malware that was causing this this computer to crash repeatedly, 0:23:34.280 --> 0:23:37.600 had done so by finding what is called a zero 0:23:37.920 --> 0:23:42.400 day exploit. A zero day exploit is a vulnerability within 0:23:42.480 --> 0:23:46.040 a piece of software code that has not yet been 0:23:46.080 --> 0:23:51.080 identified by anybody else, including the people who made the 0:23:51.160 --> 0:23:54.400 software code in the first place. The software coders are 0:23:54.440 --> 0:23:57.560 likely completely unaware of it. In fact, that's that's really 0:23:57.600 --> 0:24:00.879 what makes it zero day is the fact that you know, 0:24:00.920 --> 0:24:02.879 you come out with like a new version of of 0:24:02.880 --> 0:24:05.919 an operating system, for example, and you are not aware 0:24:06.000 --> 0:24:09.680 that that part of that operating system has this glaring 0:24:09.760 --> 0:24:14.280 flaw in it that uh could be exploited. That's a 0:24:14.400 --> 0:24:18.240 zero day exploit, and that ignorance is an incredibly powerful 0:24:18.240 --> 0:24:21.879 weapon for hackers. They will end up writing code that 0:24:22.040 --> 0:24:24.600 can exploit this vulnerability, and they know that there's no 0:24:24.640 --> 0:24:28.679 protection against it because the responsible parties for the software 0:24:28.960 --> 0:24:33.240 have not even realized that there's a potential for exploitation. 0:24:33.600 --> 0:24:36.000 The lawson figured out that the malware had to have 0:24:36.080 --> 0:24:40.919 been distributed by a USB thumb drive initially. Later on, 0:24:41.200 --> 0:24:43.480 researchers would figure out that the code would allow up 0:24:43.480 --> 0:24:47.320 to three machines to be infected by the same USB 0:24:47.560 --> 0:24:51.040 flash drive before the malware would prompt a computer to 0:24:51.119 --> 0:24:54.800 delete the contents of the flash drive, so it's kind 0:24:54.800 --> 0:24:58.040 of like a self destruct button. After three infections, the 0:24:58.160 --> 0:25:01.520 drive would be wiped. F a propagation could happen across 0:25:01.560 --> 0:25:05.760 a compromised network through computer computer connections, and later on 0:25:06.119 --> 0:25:10.080 they discovered even other different ways that the virus can 0:25:10.080 --> 0:25:12.920 move from computer to computer. It did not, however, move 0:25:13.000 --> 0:25:17.560 across the Internet. This was a piece of malware that 0:25:17.640 --> 0:25:21.920 was designed to infect computers that were on local networks 0:25:21.920 --> 0:25:25.240 but perhaps not connected to the Internet at large. So 0:25:25.680 --> 0:25:28.560