70. Israel Attacks Iran: The Virus Spreads (Ep 3)

For exclusive interviews, bonus episodes, ad-free listening, early access to series, first look at live show tickets, a weekly newsletter, and discounted books, join the Declassified Club at therestisclassified.com.

This podcast is supported by Progressive, a leader in RV Insurance.

RVs are for sharing adventures with family, friends, and even your pets.

So if you bring your cats and dogs along for the ride, you'll want Progressive RV Insurance.

They protect your cats and dogs like family by offering up to $1,000 in optional coverage for vet bills in case of an RV accident, making it a great companion for the responsible pet owner who loves to travel.

See Progressive's other benefits and more when you quote RV Insurance at progressive.com today.

Progressive Casualty Insurance Company and affiliates, pet injuries, and additional coverage and subject to policy terms.

CRM was supposed to improve customer relationships.

Instead, it's shorthand for customer rage machine.

Your CRM can't explain why a customer's package took five detours, reboot your inner piece, and scream into a pillow.

It's okay.

On the ServiceNow AI platform, CRM stands for something better.

AI agents don't just track issues, they resolve them, transforming the entire customer experience.

So breathe in and breathe out.

Bad CRM was then.

This is ServiceNow.

A covert action has been launched against Iran's nuclear program, but this time on the rest is classified.

We look at how the Obama administration decides to accelerate the targeting of Iran's centrifuges in a way that ultimately leads it to going out of control.

There was no consensus within the Obama administration about how these weapons should be used.

Even while Obama was approving new strikes on the Iranian nuclear plant, he harbored his own doubts.

In meetings in the Situation Room in the first year of his presidency, Obama had repeatedly questioned whether the United States was setting a precedent using a cyber weapon to cripple a nuclear facility that the country would one day regret.

This was, he and others noted, exactly the kind of precision-guided weapon that other nations would someday learn to turn on us.

It was the right question, said one senior official who came into the administration after the Stuxton attacks were over.

But no one understood how quickly that day would come.

Well, welcome to the Rest is Classified.

I am David McCloskey.

And I'm Gordon Carrera.

And that is David Sanger writing in his book, The Perfect Weapon, about, of course, the Stuxnet virus, this effort by the, allegedly, Gordon, I guess, the United States and Israel to disrupt and delay Iran's nuclear program.

We have been looking over the last couple of episodes at the story of Iran's nuclear program and really some of the first concerted attempts to sabotage it and take it down, not with bombs, as we've seen recently, but with this cyber weapon.

And last time we looked at how the virus was kind of first unleashed, it was around 2007, caused this massive confusion inside the Iranian program as nobody could really work out what was going on.

The centrifuges that you so eloquently talked about, Gordon, sort of the scientific basis of how a centrifuge works.

These centrifuges had been, of course, used to enrich uranium.

They'd been more or less taken offline for periods of time by this cyber attack.

And this program program is about to take a turn as the iranians speed headlong toward a bomb and the united states and israel desperately try to stop them the cyber weapon had first been unleashed in 2007 under the bush administration but by the time you get to 2009 president obama is taking office and there is a handover which i'd love to sit in on by the way one day of all the secret operations that are underway the really secret stuff that only one president can brief another president about.

And I think at this time, one of those secret operations that are underway is this one called Olympic Games.

That's the code name for it.

Although, you know, the virus itself will become known as Stuxnet.

And it's interesting because President Bush explains the program and personally recommends to President Obama that he should keep it going because it's working because these Iranian centrifuges are blowing up.

You bring up a good point, though, which is that the program itself, this virus, this weapon, has come to be known as Stuxnet.

But nobody inside the United States government at this time would have called it that.

This would all have been done under this Olympic Games sort of covert action program.

Like literally nobody would have called it Stuxnet.

It's a name that will be given later by the people who research it out in the wild rather than the actual kind of teams behind it.

But it's interesting because President Obama is going to be very interested in this program when he takes office in 2009 and very focused on it.

The briefers bring out something called the horse blanket, which is a giant folding map of Iran's nuclear program.

So he could see, you know, what was being done to different centrifuge cascades at Natans and decide on next steps.

And it's compared to President LBJ looking at maps of bombing targets in Vietnam.

You know, then it's about where do you want to bomb, Mr.

President.

Here it's which centrifuge cascade, you know, should we go for and how should we go for it using a cyber weapon.

But it's the same kind of thing with a briefer showing this map to the president what's on the map is it just pictures of the facilities or like i'm imagining it it's you know we talked in the very first episode of the enrichment facility beneath the ground in the tans the one they're building which got room for 50 000 centrifuges.

I'm guessing it's almost a map of that.

Maybe of other facilities as well.

But saying these are where these different cascades of centrifuges are.

And these are the ones we've already damaged and the Iranians are worried about.

And these are the ones we think we can take out with a new update to the cyber weapon.

I'm guessing that's what it is.

But he's also worried.

He understands, as we heard from that opening quote, that this is, you know, it's something new.

And we'll come back to how new it is.

But he understands there are risks to unleashing this kind of cyber weapon.

But he is going to accelerate it.

I mean, one of the reasons is that he actually wants to focus on diplomacy.

And so back to that idea of buying time, avoiding a military strike and the Israelis pushing him into action or taking action themselves by buying time for diplomacy through the kind of covert action side.

Well, that's interesting, right?

I mean, you look at the sort of campaign

Obama and then compare that to what he did.

There obviously was a sort of faith that developed in the administration about covert action, right?

And

honestly, I guess that is some of the allure of it is, well, it's pretty hard to conduct diplomacy if you're openly bombing a country, but if you're clandestinely, covertly sabotaging its nuclear program and they don't even quite know what's going on, that doesn't exactly rule out diplomacy.

You can sort of walk in chew gum at the same time.

So I can see why it would be blurring.

Although 2009, of course, it's a pretty big year inside Iran.

Yeah, it is.

I mean, President Obama's tried to send a message, I think, in March 2009.

He has a really unusual message to the Iranian people kind of holding out the hand of friendship and sends private letters.

And he kind of, they get rejected, nothing happens, but I think he knows that, but he feels he's got to try and open this diplomatic front.

But you're right, you know, 2009, big year inside Iran, because you have the protests against an election which Iranian people believe is rigged.

And, you know, they come out on the streets famously in this big movement.

The Green Movement.

Yeah, which is, you know, it's a big moment for Iran when people thought, could this topple a regime?

And it's interesting because President Obama doesn't support them.

He doesn't come out and give a statement of support.

He doesn't say the elections are rigged.

And I think some of the people around him will later say this is a regret for them that they didn't side with the protesters a bit more.

But I guess it's always that problem that if you side with them, then it allows the regime to say, well, you're all just, all the protesters are basically CIA puppets and being manipulated.

So, yeah, it's a difficult balancing act.

But yeah, there's a lot of change going on, I think, within Iran at that moment and challenge.

And I guess also an acceleration of the nuclear program at the same time, right?

Because there's more and more centrifuge installation, which you need to get to the quantities of enriched uranium for a bomb.

And then also, and I remember I didn't, I wasn't covering Iran at the agency at this time, but I remember in September of 2009, Fordow, a site that has just been bombed, was found and I think publicly revealed for the first time.

Yeah.

And that was a really big deal.

I remember it as well, because because you had a lot of Western leaders stand up together and say, we are going to reveal to the world that Iran has another secret site at Fordau.

It's really interesting, the backstory to this, because I think they'd known about it for some time.

This had been a revolutionary corps guards kind of base.

And Fordau, we should say, people might know about it because they've seen it in the news recently.

It's a mountain.

You know, it's a mountain which has been tunneled into.

And I'm pretty sure that it was a walk-in.

And maybe even on the British as well as American side, it's all very secretive, but at first kind of tipped them off about Iran building another secret nuclear facility.

And this is absolutely crucial to the story, and obviously to what's happened recently, because we've been talking about Natan's, you know, this place that the inspectors had first visited in 2003, where they're building the centrifuges.

But now, suddenly, it's being revealed that Iran had secretly also been building another enrichment facility covertly without telling anybody again

and doing it in a mountain.

It's a bad look.

The point is

that for your peaceful nuclear program.

Yeah.

Because Natanz is like 30 feet below ground or something like that.

This is hundreds of feet below kind of rock and concrete.

So it's a completely different target.

It's interesting.

There was in some of the books about this, there's references that the end of the Bush presidency, where they'd first learned of it, there'd been some discussion about whether they could actually send a special forces team onto Iranian territory to try and sabotage it before it developed too much.

But they obviously decided against that might be a hugely risky operation to try and do.

So instead, they reveal it to the world in September 2009 that this new enrichment facility is being built.

And that then creates another big debate about the nuclear program because the Israelis fear that Fordau gives them a kind of zone of immunity where free from inspections, deep underground, Iran can quickly move towards a bomb and they won't have the intelligence or advance warning that they're doing this breakout that we talked about and making that final push towards a bomb.

So as you get to 2009, there's lots going on and Israel is also upping the pressure on the US as a result.

And it looks like they're kind of thinking, what else can we do to delay the Iranian program?

Assassinations will come back onto the agenda.

So 2009, 2010 is a big period of pressure.

And that's why it looks like there is this decision to accelerate Olympic Games, to push it, you know, to take it up a level, even from what it's been doing before.

And so taking it up a level in this context looks like targeting more of the Cascades more frequently.

Yeah.

I mean, there's this balance, right?

Now that you've got this, I mean, access, right?

You don't want to lose it.

And so you have to be, I guess you have to be careful.

how frequently you mess with them, because if you just are constantly doing it, eventually they might find the code.

They might discover that, you know, this is actually foreign actors doing this.

So you run a great risk, I guess, if you up the frequency or you start to target other pieces of these sites.

And I guess that's the decision-making and the debate which must be going on at the highest point.

The horse blanket, which is why you're pouring it out.

I guess that is the point of the horse blanket, isn't it?

It's going, okay, if we could take down these centrifuges by upping our game, but there is a risk that it will get discovered or that something will happen which will blow the program.

But they're going to up the game.

So the early attacks that we talked about from 2007, it's thought they target the valves which let the uranium gas in and out of the machine.

So this new set of attacks from around 2009 is instead going to target the frequency converters which supply power to the centrifuges.

Back to our centrifuge lesson.

Very delicate.

Have to spin at the right speed.

The power has to be maintained precisely to get them to spin at this supersonic speed.

So, if you mess with that power supply and with the power being delivered into the centrifuges, you can slow them down, you can speed them up, you can mess with them, and you can put kind of strains and stresses on the systems by making them spin faster and slower.

So, that's what the new code looks like.

The best account, by the way, of all the detail of how the code worked is in Kim Zetter's book, Countdown to Zero Day on Stuxnet, which is a brilliant book, which really gets deep into this.

And I'd really recommend that.

But again, what they do with this new set of code is they record what normal operations look like and feed it back in when the attack's underway so no one would spot anything.

So for 13 days, there's a recon stage where the code sits on the programmable logic controller, the thing that controls the power supply, recording the normal operations.

When it's got enough data, it moves to an attack phase, two-hour countdown.

Then it targets the frequency converters, which deliver the power for 15 minutes, slows down, speeds up the centrifuges, does it for just 15 minutes, and then goes back to normal.

I mean, it's wild this.

And then it waits for 26 days while recording normal processes again, and then goes back into another attack cycle, this time for 50 minutes rather than 15, and then alternates this 15, 50 minute attack cycle over 26 days.

So it's really interesting because, again, it's so precise because what they're trying to do is introduce stresses on the materials inside the centrifuges.

So they're not just like switching off the power or speeding it up to the point where the centrifuges crash.

They're stressing the centrifuges so that they break.

I mean, again, it is just amazing the amount of research and understanding of how these centrifuges work and what you can do with them in order to develop code to do it that precisely and to know you'll have an impact.

I just think it's amazing when you think about it.

I love this quote that you put in here, Gordon, which I think really captures it well.

It says the attackers were in a position where they could have broken the victim's neck, but they chose continuous periodic choking instead.

And I guess at this point, they've been in Natan's for a few years, messing with it, right?

I mean, which is also incredible.

is that they've just sort of been slowly sapping this facility's

productivity, right, for

years at this point.

And I guess maybe there's a good chance to take a break.

When we come back, we'll see how this choking starts to get even tighter.

See you after the break.

Well, welcome back.

It is December of 2009, early 2010.

And Gordon, now We've got the return of our good friends at the IAEA,

the International Atomic Energy Agency, who are going to be this dance of inspectors coming into Iran and trying to get access to facilities.

We're back to this.

We're going to have inspectors crawling around, looking at Natans, looking at Fordow, all up in the Iranians' business while Stuxnet is going on in the background.

I love the idea of inspectors.

It makes it sound like, I imagine like kind of Inspector Cluso with like a, you know, a magnifying glass.

Definitely right.

They definitely have clipboards, a lot of clipboards and magnifying glasses.

I don't think that's what they really like.

I think they have like kind of high-tech samplers, but I just think this idea of international inspectors, but yeah, they're visiting the site late 2009, 2010.

They can see the Iranians are replacing centrifuges at a faster rate than normal, that some of them are getting damaged, that they don't know what's going on.

It looks like the Iranians are firing some of their engineers and they're running tests on the motors to find out why the speed's changing.

It's this whole confusion they've got, but they're still pressing forward.

So, in early 2010, it looks like US and Israel, who we assume are behind this, decide,

as people say, to swing for the fences, which I guess is a baseball thing.

That is a baseball thing.

It's a baseball thing.

I was trying to look at that because I read that in Kim's book.

I was thinking, swing for the fences.

You know, just take a big shot to get the home run.

Am I getting the language right?

You're going for the home run, try to clear your bases.

I don't know.

Anyway, I never understand baseball.

What you said there isn't technically wrong, but it doesn't sound right.

Like, you would not go for the home run as it is.

Okay.

But the other other analogy I like is that they supersize the virus, which is like you go into your McDonald's and you say, I want the Big Mac meal.

I supersize it.

So it's like

to go after, and they're going to supersize it to go after a specific array of a thousand centrifuges.

Now, here is the thing.

They're going to be more aggressive.

They want to move fast.

So they're upping their game.

And they still have this problem, which is getting over the air gap to get into the systems.

So you want to get your new virus into the systems to do the damage.

And of course, as we said before, these systems are not connected to the regular internet.

And previously, they'd use flash drives, giving them to lots of people, hoping they get in and then they spread.

Now they're going to slightly change, it looks like, the delivery mechanism for the virus, and they're going to use what's called a worm.

And the point about computer worms is they self-propagate.

They spread by themselves.

And this has been something that's known about for years: that you can do this with computer worms.

And some of the earliest computer worms are fascinating.

There is a great story about, I won't do the whole story here, about the Morris worm, which is the first computer worm, November 1988, where this student wants to test how far he can spread a worm.

So he launches it.

I think he goes to MIT to launch it to try and hide his tracks, even though he's not an MIT student.

And it spreads, and it basically takes down the entire internet because he's made some of his worms basically what are called immortal worms, which won't die.

And they spread.

And immortal worms are bad.

And they spread anyway.

And so it takes down the internet.

But here is the bit I love about the Morris worm story: is one of the people who gets the phone call to say it's a problem is the chief computer scientist at part of the NSA, America's signals intelligence agency, who works for the National Computer Security Center.

And his name is Robert Morris.

And it turns out it's his son who's

unleashed the worm

and you're always saying that's a bad day in the office when your son when you work at the NSA and your son has taken down the internet pretty fatherlike son though Gordon yeah come on yeah exactly he's an expert but that is the point about worms why are they self-propagating though like that that's an inherent feature of the code that makes it a worm is that it just

That is why it's a worm rather than a virus because it spreads by itself.

You don't need to just infect a host like a virus, but the worm, this is the idea of it in computer speak, cyberspeak, is that it will move from machine to machine by itself.

So it's got a life of its own, effectively.

That's the idea that you get it onto the network somehow, and then it can spread around the Iranian network, machine to machine, even in their local network, until it finds a way into the centrifuges you want to hit.

But, you know, the crucial thing is it's still very targeted in terms of what it's trying to actually do and who it actually unleashes its payload on.

Is the hope in this kind of new phase that they will reach other facilities?

Is that we're trying to get beyond Natan's to get into Fordow or like just different pieces of the cascade at Natan's?

I think it's more that pressure to up the game to get to the centrifuges you want and knowing that this could take quite a long time to get to them, and it could take quite a long time through the previous methods before the right USB hits the right computer, which is connected to the right computer.

So instead, you inject it into the system somehow through one person, and then you just let it spread until, and this is the crucial bit, until it finds the exact system that it's looking for.

And it's really interesting because it's really precisely engineered.

We talked before, you know, these are programmed to look for Siemens logic controllers, but in this case, it is looking for a a logic controller connected to a specific array of systems running Iranian centrifuges.

And if that very specific combination of different software and hardware packages is not in existence, then the code just sits there and does nothing.

It's quite interesting.

It's really, again, the complexity of it is amazing because it's got to contact its kind of controller when it infects a new system.

And whoever's designed this has set up fake football websites to act as the command and control server so when it reports back American football no I think it's I think it's proper football Davis okay

because the theory is that that will mask if someone is seen checking football results websites If that's spotted, it will just look like an engineer who's maybe checking how Real Madrid or someone are doing.

Yeah, that would be bad if it was American football because I can't imagine there's too many Dallas Cowboys Ronnie and nuclear engineers who are like, oh, let's go and check in on the Cleveland Browns scores today.

So it's really precisely engineered.

And if the exact conditions aren't met, it does nothing.

It just, it doesn't release its payload.

So it's so interesting because the whole aim of this is to avoid collateral damage to other systems.

So to avoid it.

hitting a different logic controller, a different industrial facility, and activating.

There's even, I mean, this is the next bit that's fascinating about it, an expiration date for it.

So every time it infects a new machine, it checks whether it's after June the 24th, 2012.

And if it is after that date, then it stops, doesn't do anything.

So the whole thing is

timed to self-destruct, as well as only actually affect one single target machine.

So you've got something which is going to spread across the Uranian network, but look...

for only one machine to be able to hit its target and even then only last for a couple of years.

Which I guess does market as

kind of a government program, right?

Because you'd figure if this is actually a group of hackers or something like that, that you wouldn't figure an expiration date being built in.

I think that, again, is one of the clues that will come out of the discovery of this virus, because

everything about the way this is engineered is to be precisely targeted.

And people I spoke to said, I remember I spoke to a U.S.

Cyber Czar guy called Richard Clark who did it.

And he said, it just says lawyers all over it.

Oh, I can't even imagine how many lawyers must have been all over this thing.

I mean, every covert action program is just covered in lawyers anyway, right?

And this seems with all of the potential risk that this weapon might get out.

Because when you put together a covert action finding, it's not a particularly complicated document to draw up, but you're, of course,

one of the sections you're going to list is like, what are the risks associated with this, right?

And I would think here, you not only have the risk that this thing gets out, right?

But you also have a risk when you're, if you're messing with an industrial facility, I guess you're taking a risk along the way that there'd be people who get killed in these accidents, right?

And so you're having to get a more elevated sort of authority to conduct attacks like this.

Even if the risk isn't particularly high, it still would have to be acknowledged as part of this.

So you're going to have lawyers all over this thing for sure.

Yeah.

And I think everything that you see about the code and the way it's designed suggests a real rigor and deep kind of oversight, accountability, lawyered process to put together that code.

You can see someone going, if you're releasing something which can take down industrial facilities, then it absolutely has to be totally targeted so that it will definitely only affect one place and affect one type of system.

And we want an expiration date so this doesn't last forever.

You know, it doesn't kind of take down the whole world and, you know, kind of self-propagate in that way.

So you can see actually, I think it's really interesting with the precision of the delivery system

and of

the kind of restraints and constraints which are put around it, that this is the result probably of quite a lot of arguing and interagency meetings.

And you can imagine, and we don't know the detail of it, but you can imagine President Obama going, I'm only going to sign this off, you know, this more aggressive attack, if I know it's not going to take down Iranian electricity grids or neighboring countries' electricity grids or come back to our electricity grids and take them down and do these kind of things.

You could imagine that that will be the

stipulation which is put on unleashing this new COVID action, more aggressive COVID action as part of the program.

But of course, I guess you can put an expiration date on it and you can write up the legal kind of language however you like.

But the reality with a self-propagating computer worm is that you really have no control where it's going to end up.

Right.

So at some point, presumably, you know, spoiler alert, it's going to escape.

Yeah.

And I think the idea was it would just remain within this Iranian network.

of Natants and look for the configuration it was after and then act.

But.

Oops.

Oops.

The problem with a self-propagating worm is that it's a self-propagating worm and you can't control where it goes.

So, just like you know, Robert Morris, this kid in the 80s, who didn't plan to crash the entire US internet at that time, there are unintended consequences when you release something onto the internet.

And so, it looks like, I mean, we can't know exactly what happens, but there must have been a moment where perhaps an Iranian scientist whose laptop had been infected with this worm then plugs into the internet, you know, with maybe the same laptop.

And at that point, the worm escapes.

I just have this vision of a kind of big, kind of cyber-y worm.

A giant steer worm.

A giant sand worm.

Yeah.

Like in G.

Yeah.

I just imagined it tunneling through a fiber optic cable and going, I'm free.

And it's free at the internet.

Yeah, it's free at last.

And it's out.

And it looks like it is a mistake in the code.

It looks like there wasn't intended to get out onto the general general internet, but it is going to escape all around the world.

And so in the summer of 2010, suddenly it's appearing and it's appearing on machines, this bit of code everywhere.

And it is the most sophisticated piece of malicious software any cybersecurity researcher has ever seen in the history of the world.

And it's out there on all these machines.

And yet it's it's not doing stuff to their machines.

The one person who had their laptop connected to a a Siemens PLC

was shocked to see what was happening.

And it's going to take them months to understand.

But also in the White House as well, as soon as they realize this, which is in the summer of 2010,

there's panic.

There's an emergency meeting of top U.S.

officials in the situation room once they realize it's out in the wild.

And it's really interesting because they agree that this isn't going to be secret for long.

People are going to work out what it is.

And so they're actually going to roll the dice again and give it another chance to do as much damage as possible before the Iranians work out what it is.

So it looks like they actually, at that point, inject two more versions into the system to try and hit the thousand centrifuges they really want to take out.

They're going to swing for the fences again as a kind of last swing.

They're going for the home run.

Before you get caught out.

Is that what happens?

Before they catch you out and they catch the ball?

Is that a good analogy?

I don't know.

No, no, that's that one sounds...

That one doesn't work.

But one question that I have is, so

this virus, this worm, I mean, sat on computers inside the Iranian nuclear program now at this point for three years and wasn't discovered.

Why is it that as soon as it gets out, it's seen right away?

It must be something to do with that specific bit of code because the original code was also really carefully designed to be encrypted, to also not show up when you do a kind of virus scanning system, to be hidden in all those ways.

But at this point, it is out.

It is a larger bit of code than anything that's ever been seen before.

And it is starting to sit on systems.

And on some systems, it does kind of muck around with them a bit.

So in a few places, it doesn't quite switch them off.

But you can start to see that there's a big block of code sitting on a system and doing something, even if you don't understand what it is and so now the race is on because you've got the code unleashed you've got the Iranians perhaps about to realize that there might be a link between what's happening and the problems in their nuclear program and all these researchers in the outside world from the summer of 2010 trying to pick it apart and understand what's happening.

So we are really reaching the final stages now of this covert action.

That sounds like a great cliffhanger, Gordon, to end our third episode on Stuxnet and Olympic Games and look toward the thrilling climax in which the U.S.

and Israel allegedly will double down yet again on the power of this cyber weapon and a whole host of cybersecurity researchers are going to start to unpack what exactly is this worm that has escaped and look at this kind of history-changing cyber weapon as it gets out into the wild.

But of course, you don't have to wait for that episode.

You can join the Declassified Club at the Restisclassified at goalhanger.com.

Get early access to all of these wonderful episodes, get bonus content.

There's so many reasons to do it.

We hope to see you there, and we'll see you next time.

See you next time.