The Korea Stuxnet Story: Part I
Rarely do we like to cross-post on a single news story, but in this case it is warranted. In an excellent piece of journalism, Reuters’ Joseph Menn has broken the story that the United States tried to deploy a version of the Stuxnet computer virus to attack North Korea's nuclear weapons program five years ago. The effort failed. As always, the usual caveats. The evidence ultimately comes from a single “U.S. intelligence source.” But in this case it is also backed from circumstantial but compelling evidence provided by members of the cybersecurity community and particularly by Kaspersky Lab.
The latter source is complicated, but is extremely important to the story and not explained clearly by Menn. For some time, Kaspersky Lab—headquartered in Moscow and with strong ties to the Russian government and firms—has had an interest in poking into NSA shenanigans. For over a year, they have been piecing together the elements of an extraordinarily sophisticated set of surveillance platforms that they have labeled successively EquationLaser, EquationDrug, GrayFish and finally just the Equation Group. The release of the Kaspersky Lab report has been a bombshell because of the global scope of the operations, their use of destructive malware (including software related to Stuxnet), and the effective claim—although not made directly--that the project is run by the NSA. The Kaspersky Lab report thus confirms the Snowden leaks (see my initial arbitrage from Snowden to North Korea here and my piece with Jon Lindsay on the Sony Hack here).
According to the Menn story, Costin Raiu—a respected analyst who heads Kaspersky’s advanced threat analytic cell GREAT—claims that a piece of software related to Stuxnet had turned up in North Korea. How did he know? Apparently the malware had been submitted to the analysis site VirusTotal from an electronic address in China. But Raiu told Menn that he had evidence from unnamed informants that it had originated in North Korea, where it infected a computer in March or April 2010. The malware was digitally signed with one of the same stolen certificates that had been used to install Stuxnet on Iranian computers. In effect, the Iran and North projects had been launched around the same time.
In principle, the malware could have affected North Korean control systems which ultimately depend on Siemens and Microsoft software just as the Iranian control systems did; Wired has a good exposition of this side of the story that provides more context for the Menn account. According to Wired and earlier speculation by David Albright at the time of the Iranian attack, North Korea was similarly vulnerable. “The programmable logic controllers are small computers that control the speed at which the centrifuges spin as well as valves through which the uranium hexaflouride gas flows into and out of the centrifuges. The Step7 software is used to program the PLCs, while the WinCC [ie. Microsoft] software is used to monitor the PLCs and centrifuges to ensure that they’re operating correctly.” Stuxnet was never designed to stop the enrichment effort altogether; but in the words of my co-author Jon Lindsay, it was designed to “increase the marginal error rate in an already error prone system.” It also served to send a signal that was more directly tied to the offense—the enrichment program itself—than broader sanctions do.
So why did the attack succeed in Iran and not in North Korea? Again, the Wired story and Kasperskiy Lab reports are clearer on this than the Menn account. Since the control systems are obviously not linked directly to the web for security purposes, the challenge is how to place the malware onto them. According to Wired, they achieved this objective in Iran “by infecting five Iranian companies that are in the business of installing Siemens and other brands of industrial control systems at Natanz and other facilities throughout Iran. The attackers targeted these companies with the hope that contractors working at Natanz would carry the weapon into the well-guarded facility.”
It worked in Iran. The story is only partly right, however, that the attack in North Korea did not work because of lack of connection to the worldwide web (see for example, The Diplomat). The North Korean effort failed either because security was tighter in North Korea, or more likely because there is no equivalent of a private or even state-owned contractor that could access the facility while simultaneously being vulnerable; it is the lack of domestic connections and a market economy as well as lack of international connections that mattered.
What to make of all this? The first point to note is that the NSA got caught out. But that may be inevitable. The cyber game is—not coincidentally—like a virus or bacteria; it has effect, is treated, mutates and has to be treated with a new anti-viral or antibiotic agent. Given the depth of the analytic and cybersecurity community, these cat-and-mouse games are continually being watched and parsed. But whatever we think of Snowden’s revelations about domestic surveillance, it seems increasingly necessary for the government to maintain not only robust cyber defenses but a robust capacity to attribute and deter as well. And if North Korea is continuing to develop its nuclear capacity and is unwilling to negotiate over it, I don’t lose much sleep over more direct efforts to slow it down.
More on the Kapersky Lab report in subsequent posts. For those with journal access, more on Stuxnet from my colleague Jon Lindsay at Security Studies and on the China angle in a new Oxford University Press book.