Episode 33

OLYMPIC GAMES

Liam O'Murchu and Eric Chien are cyber detectives. That may not be their title at Symantec, the California company where they help clients ward off computer viruses, but that’s their job. Liam and Eric were the first people to investigate Stuxnet, a malicious computer worm believed to have damaged Iran's nuclear program, but before they finished their 2010 investigation the men found themselves in a murky world of international spies, coded threats and mysterious suicides.


True Spies: Episode 33: Olympic Games

Welcome to True Spies. Week by week, mission by mission, you’ll hear the true stories behind the world’s greatest espionage operations. You’ll meet the people who navigate this secret world. What do they know? What are their skills? And what would you do in their position?

This is True Spies Episode 33: Olympic Games.

LIAM O’MURCHU: There was this ticking time bomb aspect to it, where this could shut down electricity, it could shut down water, it could shut down airports, it could cause explosions… and it could do that anywhere in the world.

NARRATOR: In 2010, the discovery of a vicious computer virus announced the dawn of a new era of warfare, one that could be conducted without the firing of a single weapon, but where the capacity for destruction knew no bounds.

LIAM O’MURCHU: It could actually make equipment function differently and potentially cause explosions. 


NARRATOR: This is the story of a piece of code - a series of 0s and 1s - that would transcend the digital realm and change the geopolitical landscape forever.

LIAM O’MURCHU: It was the first time we’d ever seen code that could effect change in the real world.

NARRATOR: It’s the story of a technological revolution, a watershed moment in the history of modern espionage, and yet the two characters at the heart of this tale are not spies. And for them, this story begins as every day does: with them sitting behind adjoining desks in a run-of-the-mill office space in Los Angeles, California.

LIAM O’MURCHU: My name’s Liam O’Murchu and I’m a director with Security Response with Symantec.

ERIC CHIEN: My name is Eric Chien and I’m a technical director at Symantec.

NARRATOR: Meet Eric Chien and Liam O’Murchu. Two cheerful code analysts working at Symantec, a company that sounds more likely to install your new computer than involve itself in games of international espionage. But you’d be making a big mistake if you were to judge this book by its cover. Symantec is a powerhouse in the murky world of cybersecurity. This private company deals in software that protects all of us from the constantly growing threat of digital infiltration and exploitation. Banks, governments, regulatory bodies that ensure the execution of fair elections - Symantec counts all of them amongst its clients. In this world, people like Eric and Liam are known as ‘defenders’.

ERIC CHIEN: In some ways, it is a little bit like the spy world. The best layman’s example I can give of what we’re doing on a day-to-day basis... it’s like we’re given some sort of package that is encrypted or encoded and we have to come up with tools to basically decipher it and figure out what is the content inside, what is the intention of this blob of data that has been received on your machine? And it’s not written in straightforward English. It’s literally in 0s and 1s. We’re taking 0s and 1s and translating them back into, sort of, real-world behaviors.

NARRATOR: This work may take place in the digital realm but it has more in common with traditional tradecraft than you might think.

LIAM O’MURCHU: Often we are tracking attackers where we’re trying to figure out where they are, where they’re located, why are they doing this, how much money are they making, and we’re trying to do this all undercover so that they don’t know that we’re so close to them or that we’re going to catch them.

NARRATOR: In 2010, Liam and Eric would discover just how high the stakes could climb in this digital game of cat and mouse when they stumbled directly into the most ambitious act of cyber warfare ever recorded. Yet this wasn’t always such an ominous business, and Liam and Eric never chose to enter into such a dangerous world.

LIAM O’MURCHU: So I started off interested in security when I was in college. This was around 1995. Another student in the university released a worm onto the university network, so when you went to use your workstation a window would pop up with 10 questions and they were questions from Lord of the Rings and things like that. And if you didn’t answer correctly you couldn’t get onto your computer. And I just thought this was absolutely fascinating and I started digging in to understand how did it work and who had written it and where had it originated and how could it spread and how could you defeat it? I got bitten by the bug at that stage of security and particularly viruses and analyzing code. That was it then, I just wanted to do that for my career.

NARRATOR: In their early years at Symantec, at the start of the 2000s, most of the threats that Eric and Liam encountered weren’t much more threatening than that Tolkien pop quiz.

ERIC CHIEN: The vast majority of things we were protecting people from were things like mass-mailing email worms or things that were trying to steal people’s credit card numbers. Ninety-nine of a hundred things were that, or even more. 999 of 1,000.

NARRATOR: These were the activities of cyber gangs and bored teenagers out to make a quick buck in the unregulated hinterland of this new, digital age.

ERIC CHIEN: But, we were starting to see, just on the edges, some different types of attacks. They were primarily coming out of China and they were probably believed to be the first sort of nation-state likely attacks.

NARRATOR: These attacks accounted for a tiny minority of cases but they taught Liam and Eric an important lesson. One that would prove crucial in the defining moments of their careers. It was becoming crucial that they could recognize these new, different kinds of attacks when they saw one.

ERIC CHIEN: We would see an infection in a hotel, or a bunch of hotels in a region, and we might just think: ‘Oh, I don’t know. They’re just going to go after some sort of money situation in that hotel, try to steal money from them.’

NARRATOR: That sounds plausible, right? There’s a lot of money coming in and out of expensive hotels. These attackers must be looking for an easy, lucrative payday. But before you put this case to bed perhaps you should dig a little deeper. Step outside the world of 0s and 1s for just a moment. Pick up a newspaper. Turn on the TV. You never know where you might find a new dimension to an open and shut case, like this one. Liam and Eric started to look more closely, and then…

ERIC CHIEN: You realize: ‘Oh wait a second, in that time period the G20 was meeting there.’ And suddenly you realize: ‘Wait a second, they’re not really going after the hotels; they’re going after the people who are staying in the hotels.’

NARRATOR: What Eric and Liam were seeing was the first fumbling gestures of a new breed of espionage. One that took place exclusively in the digital realm and offered nation-states unprecedented opportunities for gathering intel. This type of activity was, for the time being, an outlier in the digital realm. But it wouldn’t stay that way for long.

ERIC CHIEN: What really changed was about a decade ago we had this threat Stuxnet.

NARRATOR: In 2010, a new virus landed on the digital desk of Symantec where it was picked up by Eric and Liam.

LIAM O’MURCHU: I remember clearly receiving the file. It was a Friday afternoon and this report came in from Belarus that they had discovered a piece of software that was very unusual and that was able to spread via USBs.

NARRATOR: A quick malware 101, for the uninitiated. A virus usually spreads from computer to computer by tricking you into clicking a link or downloading a file. Once that file is opened, the malware runs and bingo, your device is in the hands of an unknown attacker. A terrifying thought, no? But what Liam is describing here is something even more ominous. This was no regular virus. This was a worm, a piece of malware that could spread itself from machine to machine without its victim needing to do anything at all. No clicking on a link, no opening a file. This worm simply writhed around undetected, infecting every Windows machine that stood in its path. And it looked like it could even spread via a USB key, one of those little drives you carry around on your keychain, to store photos and files. This was not normal malware behavior.

LIAM CHIEN: So we received this report. It had an initial analysis of what was happening and then we started to dig in and straight away red flags just went up everywhere as we analyzed the code.

NARRATOR: Eric and Liam spend all day, every day, looking at viruses. It takes something very special to capture their attention. This threat, which they dubbed ‘Stuxnet’ in reference to a couple of decipherable lines in its code, immediately piqued their interest.

ERIC CHIEN: The average threat, to be honest, we don’t even have to look at as humans. We have machines that can automate them, look at them, understand them and create protection for them automatically. We get in a million samples every day. Humans aren’t looking at everything. And even the average threat that a human has to look at takes us 10, 20 minutes, to look at, understand, create protection for and move onto the next thing. And Stuxnet, we spent - I don’t know how many hours. I mean, we ultimately spent six months looking at it. So you see the order of magnitude here is extraordinary. It’s really nothing we’ve ever seen before and since that time, nothing we’ve ever seen since.

NARRATOR: It wasn’t just the fact that this worm could spread via USB key that troubled Eric and Liam. As they began to scratch away at Stuxnet they found some troubling hints at the virus’s purpose.

ERIC CHIEN: One of the first things we do is we run something called strings, where we just try to find human-readable text inside these binary blobs, and we saw these strings that were saying things like Siemens, PLC, WinCC. You have no idea what these terms mean, but you just Google them. When you Google them you realize that it is specialized computers that are utilized for critical infrastructure: factories, power plants, all of that kind of stuff. So that immediately was like: ‘Wait, what is this?’

LIAM O’MURCHU: It was clear to us from the code that it was physical equipment that was being targeted. We had never seen this in code before, and it was clear that this piece of software was going to have a real, physical damage possibility in the real world, and that was kind of mind-blowing, to be honest with you.

NARRATOR: Take a moment here, to think about the world beyond the lines of code that are filling your screen. You’ve dealt with malware before but this is different. You recognize in this code a new breed of threat. This virus is targeting the machinery that controls energy grids, power plants, transport hubs. Do you have any idea what that means? The worm called Stuxnet might just breach the perimeters of cyberspace and cause real destruction in the physical world. So what would you do with this information? For Liam and Eric the answer was obvious. They looked for backup.

ERIC CHIEN: We cooperate in the security world, and we weren’t necessarily the only ones looking at this thing, and everyone else sort of immediately put it aside and thought: ‘Ah, this is probably some sort of espionage thing. They’re trying to steal some documents about how some factory works to improve their process.’

NARRATOR: At the other cybersecurity firms, Stuxnet had already been written off - just another case of corporate espionage. If Liam and Eric wanted to carry on pulling at this thread they had to be prepared to do it alone.

ERIC CHIEN: You know, we stuck with it and, ultimately, every single day, if not every single hour, there was something brand new that singularly by itself would have put this threat above and beyond anything we had ever seen.

NARRATOR: To understand the scale of some of those discoveries, you’ll need to know more about the shadowy space that hackers move in. In essence, what a cyber attacker does is look for flaws in software, little portals created in error that can be exploited to gain entrance to a victim’s machine. There are legions of defenders, just like Liam and Eric, whose job it is to find these portals and close them, ensuring they can never be exploited again. But some of those flaws remain unknown and are therefore vulnerable for attack. A code built to attack one of these previously unregistered flaws is what’s known as a zero-day exploit.

LIAM O’MURCHU: So you can get into someone’s computer very easily using these zero-days because essentially no one knows about them. You have a secret key to get on to anybody’s machine.

NARRATOR: A zero-day exploit allows an attacker to stay one step ahead of a defender and, as such, it is an extremely valuable piece of code. It is not uncommon for a new zero-day exploit to change hands on the dark web for hundreds of thousands of dollars. As such, it was extremely rare for Liam and Eric to come across even one new exploit in the course of their work. 

ERIC CHIEN: In that year, that whole year, there were only 12 found in the whole landscape and four of them turned out to be in Stuxnet.

NARRATOR: Four zero-day exploits meant four opportunities to spread, infect, destroy - completely undetected. This was unprecedented. Never had so much value been invested into one single virus. It was becoming eminently clear to Eric and Liam that whoever had created Stuxnet had very deep pockets and a level of determination that far surpassed your run-of-the-mill cyber gang.

LIAM O’MURCHU: We live to solve these puzzles. That’s what makes the job interesting. So as soon as we got Stuxnet it was very, very exciting immediately. I don’t think I slept hardly at all because I was so excited to get through these puzzles and find out what was going on. And it was very shortly after that it started to sink in that this was something that had some geopolitical associations and was written, likely, by a government. It was pretty clear that we were stumbling onto something that we had never done before, and this was new territory, and we didn’t really know how things would turn out.

NARRATOR: And while they still didn’t know who was behind this revolutionary new virus Eric and Liam were beginning to get an idea of who its target might be.

ERIC CHIEN: We have basically sensors all around the world, and we could see where the infections were popping up all over the world, and while they were all over the world they were - the vast, vast majority - coming out of Iran.

NARRATOR: Cast your mind back to the year 2010. If you picked up a newspaper on any given day that year you would have been likely to find some troubling story or another, making its way out of Iran. The country was still reeling from the previous year’s election, the highly contested results of which delivered a renewal of power for President Mahmoud Ahmadinejad. The leader of Iran was much maligned in the west for his hardline religious fundamentalism, his reversal of his predecessor’s human rights concession, and for his open hostility toward the US and its allies. The explicit purpose of Stuxnet remained shrouded in mystery but in the volatile political situation bubbling up in Iran, Liam and Eric sensed they might find the answers they were looking for.

ERIC CHIEN: So we began to follow the news in Iran, especially in regard to critical infrastructure. And one of our first guesses was obviously something to do with oil and gas. What happened during that time was there were actually multiple unexplained explosions of gas pipelines coming in and out of Iran.

NARRATOR: Stop to think this through for a second. You have just discovered a revolutionary new virus, one that you know has the capacity for real, physical destruction… and all signs indicate that this virus is targeting Iran. At the very same time, a series of unexplained explosions are devastating Iran’s gas pipelines. It doesn’t take a codebreaker to put two and two together here, now does it?

LIAM O’MURCHU: It was interesting analyzing Stuxnet because it was the first time we’d ever seen code that could effect change in the real world. It could actually make equipment function differently and potentially cause explosions. So when we started looking at what was happening in Iran and we saw explosions on oil pipelines, that lined up with what we expected from our initial analysis of the code.

NARRATOR: And just because Stuxnet was targeting Iran there were no guarantees its destruction could be contained by national borders.

LIAM O’MURCHU: We didn’t know that this code would only affect gas pipelines in Iran. We didn’t know if it would also affect nearby countries or, if spread to the US, would it also cause explosions at facilities all around the world? In the US? UK? Germany? So there was a real sort of ticking time bomb pressure on us to get the analysis done and to understand what was really happening.

NARRATOR: The truth is Liam and Eric’s pipeline theory was still exactly that: a theory. And until they could definitively prove Stuxnet’s purpose they couldn’t rest.

ERIC CHIEN: At this point, it becomes scary because we know the capabilities are in the software but we really don’t know the actual target. So even if the target was Iran, and it could make something blow up in Iran, and literally kill people, we didn’t know if it was designed properly. Maybe it had a bug in it, a mistake in the code that would cause the same thing, for example, to happen in the US. We had customers calling us, going: ‘Hey look, I found an infection on my Windows computer in my plant. Is it going to shut my plant down? Is it going to cause the pipeline to go off? Is it going to shut the power off?’ The reality is we didn’t have the answer to that question at that time.

NARRATOR: You’ll remember that Eric described the process of unpicking malware as a sort of game of translation where a package of 0s and 1s must be converted into their real-world intentions. The real-world intentions of Stuxnet, when translated, appeared to correspond to a machine known as a PLC, or a Programmable Logic Controller.

ERIC CHIEN: These are basically specialized tiny computers that are used to control all kinds of critical infrastructures, flipping on pressure switches, or adjusting even the lights, or making a robot arm move. That kind of thing.

NARRATOR: These tiny computers play a part in everything from air traffic control to the safe operation of amusement park rides. Though Liam and Eric knew that PLCs were the principal target of Stuxnet they had no idea in which context those PLCs were being targeted. Did the architects of Stuxnet want to shut down the power grid? Did they want to bring planes crashing out of the sky? The truth is Eric and Liam simply did not know.

ERIC CHIEN: What we were able to figure out at that point was, it’s going to set this variable, this setting, to 1064. But what does that mean? Does that mean the gas pressure is going to go to 1064? Does that mean a motor is going to spin up to 1064? We could see that it sets these two things to ‘off’ and these two things to ‘on’, and then it waits a period of time. So we could map out all of the code and exactly what it would do to a computer but what that computer was connected to and what that real-world effect was we didn’t know yet.

NARRATOR: As is so often the case in stories like these, their breakthrough, when it came, had as much to do with the winds of fortune as anything else.

ERIC CHIEN: What happened was we were publishing all of our reports online, every week.

NARRATOR: All the while that Liam and Eric were investigating Stuxnet, the virus was spreading to far corners of the world, cropping up in factories and warehouses. As part of their effort to keep their clients up to speed, Eric and Liam were releasing their findings on a weekly basis.

ERIC CHIEN: And at the bottom of each of our little reports, we would have a little call to people out there saying: ‘If anybody knows anything about critical infrastructure and PLCs, contact us.’ Because we weren’t experts in that space, and to be honest no one really contacted us, except for one guy.

NARRATOR: One guy who happened to be something of an expert when it came to PLCs.

ERIC CHIEN: And he had a throwaway line in his email. It wasn’t even the purpose of his email, and he just said: ‘Every device that’s connected to these PLCs, has a magic code, a 16-bit identifier, like a little fingerprint code.’ I was reading this mail in my cube, and Liam sits next to me in his cube, and when we stand up we can see into each other’s cubes and I popped right up and I said: ‘Hey, read this.’

NARRATOR: Eric and Liam had been puzzling over one such 16-bit code, something they’d uncovered in their initial analysis of Stuxnet but hadn’t been able to understand until now.

ERIC CHIEN: And then when we looked that up, it mapped to these frequency converters, and those frequency converters were used to spin centrifuges.

NARRATOR: Centrifuges? Frequency converters? You’ll be forgiven for missing out on the eureka moment buried within this discovery. But type the make and model of this specific frequency converter into Google, and you will find a revealing detail.

LIAM O’MURCHU: We saw that it had an export control license so if you wanted to buy this piece of equipment you needed to have a license in order to sell that to certain countries.

NARRATOR: Why on earth would something as benign-sounding as a frequency converter require such strict regulation?

LIAM O’MURCHU: And that was when we discovered that this is a piece of equipment that can specifically be used for uranium enrichment.

NARRATOR: Finally, things begin to fall into place. Since the day this virus landed on your desk you have known it has a real-world target. You have traced its violent path through Windows computers to tiny critical infrastructure controllers. You have followed this worm through a little-known frequency converter, regulated internationally, and finally you have found its destination. Stuxnet’s target is the centrifuge that is employed, in nuclear facilities all around the world, for the enrichment of uranium. Let’s return to Iran. There’s another important aspect to the story of Iran, and its conflict with the West during the 2000s. A large part of the reason that the US and its allies were so disgruntled by the prospect of another term for President Ahmadinejad was because of his enthusiasm for and acceleration of Iran’s nuclear program. Under Ahmadinejad, Iran was massively increasing its capacity for uranium enrichment. The ultimate goal, according to Iran’s terrified critics in the west, was nuclear armament. Suddenly it all began to click.

LIAM O’MURCHU: We knew uranium enrichment is a very hot topic in Iran and all governments were trying to prevent that happening. So it fitted in with the pieces we had in the code. It fitted in with the political story. Talk about doing work you never expected. The International Atomic Energy Association publishes manuals for inspectors of uranium enrichment facilities and they tell the inspectors exactly what to look for. I couldn’t believe it, but those are available online and by reading those documents we were then able to reference the Stuxnet code and we could see: ‘Okay, you need 168 of these centrifuges connected in an array, and oh, look here in the Stuxnet code, you have messages being sent to 168 devices.’ We were able to go through the entire inspection document and we could map out all of the equipment that we saw in the document back to the instructions that we saw in Stuxnet, which was honestly, just mind-blowing.

NARRATOR: Stuxnet was never targeting oil and gas pipelines. It was infiltrating Iran’s nuclear weapons program. And that’s not all. The same online training manual revealed the specific location that Stuxnet wanted to attack.

ERIC CHIEN: We were able to actually not just narrow down to uranium centrifuge but to specifically Natanz.

NARRATOR: Natanz was and is Iran’s largest nuclear facility, the central headquarters of their operation to increase capacity for uranium enrichment. So this is the triumphant moment you’ve been waiting for, right? After countless hours spent scratching away at the dense layers of binary code, your search has led you to the heart of Iran’s nuclear weapons program. You have uncovered the endgame of this virus. High fives and congratulations all around, surely? Or perhaps not.

LIAM O’MURCHU: That breakthrough moment was a very scary moment because that solidified in my mind that this was a spy operation and there was a lot of money, and a lot of people, and a lot of power behind this, and that we were - unbeknownst to ourselves up to that point - essentially meddling in that operation. And that made it very real for me.

NARRATOR: This is your wake-up call. Up to this point you’ve been running on professional instinct. You are simply doing the job that you are paid to do but have you stopped to think about the consequences of your discovery? Have you considered just how dangerous a game you’ve been playing? Maybe now is the time to take a breath. You should think this through before you take your next step.

ERIC CHIEN: You know the funny thing... there’s obviously that moment, that Oh my God! moment, but this is so quintessential Stuxnet, there was no end to it. Even though you think that’s the moment, that’s not the moment. The moment then now is: ‘Now that I know that it’s Natanz, what is it doing? Does it just turn it off? What is it doing?’ So every time you pull on one thread there’s a whole other set of things to go figure out.

NARRATOR: Eric and Liam nearly had the full picture of Stuxnet’s purpose but they still didn’t know what happened to these spinning centrifuges once they had been infected.

ERIC CHIEN: We were able to get in touch with some nuclear experts, centrifuge enrichment experts, and we told them what we saw happening. And so they were able to paint the real-world picture of what would happen in that Natanz plant. And what would happen when Stuxnet triggered was basically the centrifuges would spin up to 1400 Hz and basically go through something called a ‘resonant frequency’, where the vibrations would build on themselves at that speed such that the tubes would spin so fast and vibrate so much that they would shatter.

NARRATOR: Boom. Utter devastation.

ERIC CHIEN: You would have this domino effect, these arrays of centrifuges all standing up and they would just domino, and pieces of aluminum would be flying around the room in shattered shards, and uranium gas leaking everywhere. And if there was someone standing in that room, they would have died.

LIAM O’MURCHU: This was sabotage. This was not espionage. It was actually software trying to control the centrifuges and break the centrifuges. That became very real for us, because if they were willing to do sabotage... what else were they willing to do?

NARRATOR: The gruesome answer to that question came in the form of a news story straight out of Iran.

NEWS REPORT: … what experts call a ‘precision kill’. A nuclear scientist who was a key player in Iran’s nuclear program, killed in broad daylight...

NARRATOR: Eric and Liam were used to seeking out context in the news but this particular story left them shaken to the core.

ERIC CHIEN: These Iranian nuclear scientists were driving to work, for example, in their car and these guys in motorbikes would pull up very quickly and attach these magnetic sticky bombs to their car, and they would blow up and literally kill them. So here we are exposing this whole nuclear sabotage operation and here they are killing people related to it.

NARRATOR: There were five such assassination attempts - four of them successful - between 2010 and 2012 in Iran. Four expert scientists, integral to the development of Iran’s nuclear program, neutralized on the most brutal terms possible. This was the other side to the Stuxnet coin, another version of the sabotage written in its code. These attacks made one detail horrifically clear to Liam and Eric: Whoever was behind Stuxnet - they were willing to go to extraordinary lengths to guarantee the success of their mission. You’ll remember that Eric and Liam had been publishing the findings of their investigation online in real-time. They had, to all intents and purposes, loudly declared their intention to uncover who was behind this virus, and in doing so, they now realized, they had placed a target on their backs.

LIAM O’MURCHU: So, putting that together - a sabotage operation, plus, if the sabotage doesn’t work, there’s another plan for assassination - that really upped the stakes for us and made us very worried, actually, about our own security and how much information we should release and what we should do with the knowledge we had. 

NARRATOR: You are very, very far out of your element, here. Forget corporate espionage or hackers on the hunt for a quick buck. The stakes here are real: explosions, assassinations, nuclear weapons. Is this really a story you want to follow to its conclusion? It might not end well for you. After all, nationality and profession don’t guarantee immunity in this world.

LIAM O’MURCHU: There’s a very famous story of the Greece wiretapping incident at the time of the 2004 Olympics where Ericsson and Vodafone equipment was tapped and used for spying. And we had followed that operation because there was malicious software used in the operation as well, and what was in the news afterward was some suspicious deaths of some engineers who had been working at Vodafone in relation to that incident.

NARRATOR: Eric and Liam were all too aware of the nasty precedent that had been set. When civilians stray into spaces they’re not welcome the consequences can be life and death. They were rattled.

ERIC CHIEN: Those sort of suspicious deaths were all apparent suicides. So maybe we were half-joking, we would go to lunch during the day and be like: ‘Hey look, we’re going into the weekend. If I’m found dead this weekend, I’m not suicidal. I’m telling you that right now.’

NARRATOR: But underneath the half-jokes there lurked a very real fear.

ERIC CHIEN: I’m not exaggerating when I say that when I left the office, I would look under my car to see if anything was under there. I pulled out of the office parking lot one time, turned right onto the street, and just as I pulled out this guy on a motorcycle, out of nowhere, all dressed in black, in a black helmet comes speeding up next to me, and in that moment you’re just sitting there holding the steering wheel going: ‘Okay. I hope this isn’t it. I hope this isn’t it.’

NARRATOR: This might sound like your garden variety paranoia but you have to remember that Eric and Liam are trained to pick up on unusual activity, to recognize when something’s off. And during their analysis of Stuxnet alarm bells had been ringing all over the place.

LIAM O’MURCHU: I’m Irish but I’m living in Los Angeles, so I would make a lot of calls home to Ireland and I had never noticed any interference on my calls. And suddenly, around the time of Stuxnet when we started publishing information and it became clear we were doing a large investigation into Stuxnet, I started to notice unusual activity on all my international phone calls taking longer to connect, extra noises on the call, extra static, poor connections... And in one case I made a phone call and somebody picked up the call and answered before the person who I’d actually called answered.

NARRATOR: Technical difficulties on a long-distance call. A man dressed in black, pulling up beside your car on a motorbike. These tiny moments could mean nothing or they could mean everything.

LIAM O’MURCHU: You know, it could have been anything, right? But the timing of it was so suspicious. We knew that there was interest from governments in our analysis and what we were doing. We hadn’t got to the crux of Stuxnet yet. We hadn’t understood exactly what it was that it was doing. It was clear that there were people who wanted to know: Were we going to get there? Were we going to publish it? What information did we have? Were they exposed? So I have no doubt at all that we were being spied on at that time.

NARRATOR: These men are not spies, and they would never claim to be. This world of wire-taps and sticky explosives is not their natural habitat. And yet, during the most stressful, dangerous period of their lives, they demonstrated a sense of duty that any operative would take pride in.

ERIC CHIEN: We had a philosophy of: ‘Our job is to protect our customers.’ That was sort of the very thick line of why we needed to continue looking at it.

NARRATOR: Their investigation into Stuxnet took them to terrifying new places, to the core of an international conspiracy for sabotage and assassination, and yet never once did they waver in their resolve.

LIAM O’MURCHU: There was a big responsibility to the world. We didn’t know initially that it was just targeting Natanz and Iran. And there was this ticking time bomb aspect to it, where this could shut down electricity. It could shut down water. It could shut down airports. It could cause explosions, and it could do that anywhere in the world. And there was a huge driving force to defend all of those places, to defend critical infrastructure, to defend people, to defend lives. That’s a really huge driving factor.

NARRATOR: Defending those lives meant carrying on this investigation and answering its final unsolved question: Who was behind Stuxnet? They didn’t have the proof they needed but they were picking up on some troubling hints.

LIAM O’MURCHU: Of course we knew if Iran is the target, and uranium enrichment is the target, there’s only a handful of governments that are likely to be able to do this, that are sophisticated enough, that can write code this good and can have an operation this big. 

NARRATOR: And their suspicions were only reinforced by some of the details they had uncovered in Stuxnet’s code.

LIAM O’MURCHU: There was a large configuration file in the code that made it clear to us that there was legal oversight of the operation. In particular, there was one date in there - and it was a cut-off date - and it was one day before the inauguration of President Obama.

NARRATOR: Why on earth would a renegade virus designed to infiltrate and ruthlessly attack its target, potentially killing people in the process, need a cut-off date? And why would that date coincide so precisely with the arrival of a new American president?

LIAM O’MURCHU: That gave us a clear indication that this is a large operation that has legal oversight and, for legal reasons, they have to end at the end of Bush’s presidency. And they have to get it re-enabled when Obama becomes president. So that’s a very strong indicator to us that it is a US-government operation.

NARRATOR: Bingo. Eric and Liam had uncovered the shocking truth behind Stuxnet, but it was not until years later that they would have their proof.

ERIC CHIEN: Since that time there’s been both the Snowden leaks and the Shadow Brokers’ leak, and the Shadow Brokers’ leak was basically a leak of the tools of the NSA and there are basically pieces of code in those leaks that marry up to Stuxnet.

NARRATOR: The final, anonymous helper in this game of cat and mouse? A group of hackers that infiltrated America’s National Security Agency network and published the tools they had developed for cyber espionage. Amongst those tools: a virus that bore a shocking resemblance to Stuxnet. This was all the proof Eric and Liam needed. Since those leaks, multiple journalists, citing government sources, have corroborated this version of events. Stuxnet was created by the US government and its chief ally in the Middle East, Israel, with the explicit intention of crippling Iran’s nuclear program. Their articles revealed something else. For the US and Israeli intelligence agencies who’d had a hand in it, Stuxnet was never called Stuxnet. To them, it was Operation Olympic Games. If their reports are to be believed Operation Olympic Games was never designed to spread outside of Natanz. That it ended up infecting machines all over the planet was a simple case of human error, a flaw in the code. It was that flaw that ultimately delivered Stuxnet to the hands of Liam and Eric and placed two cyber defenders working for a private security company in Los Angeles at the very heart of a profoundly dangerous game of international sabotage. The only question left to answer is whether Operation Olympic Games succeeded in its aim.

ERIC CHIEN: Yeah, we were able to then go back to the IEA docs once again, those inspector reports, and inspectors were recording when new centrifuges were brought in, and [when] old or broken centrifuges were brought out. And there were reports from a year prior from the IEA that they brought out at least 1,000 centrifuges.

NARRATOR: Iran, in this and all matters, prefers to keep its cards close to its chest and the true extent of Stuxnet’s damage to the Natanz plant is still cause for speculation in the West. But this report revealed that at least 1,000 shattered centrifuges were removed from Iran’s Natanz nuclear facility in the year 2009. What this told Eric and Liam was that for at least a year before Stuxnet landed on their desks this revolutionary virus had been wreaking havoc, undetected, in the plant. One thousand broken centrifuges meant a significant dent in Iran’s capacity for uranium enrichment and a knockback on their timeline for achieving nuclear armament. The worm called Stuxnet had, for the time being at least, crippled the nuclear capacity of one of the US’s greatest enemies. In other words, Stuxnet had been a triumph for its architects. But now, thanks to Eric and Liam’s investigation, it had also been exposed. Surely now that the US government had been all but caught with the smoking gun in their hands they would have to retire this piece of code?

LIAM O’MURCHU: We expected that the attackers would go away and that we would never see these attackers again. And we were completely shocked - my jaw dropped - when a year later we saw the same type of code being used in another threat. And for us, it just reinforced the fact that we’re dealing with some very sophisticated attackers who don’t particularly care that they’ve been outed and are just going to continue their operations. And then, of course, we saw another operation that had similar code, and another, and another. We realized that they weren’t going away.

NARRATOR: If there is a moment where you might allow yourself to take a breath, perhaps this is it. The US government has followed your investigation closely, has charted your progress as you edge closer and closer to the shocking revelation at its core. It has held you between its fingers and wondered whether to squeeze. But ultimately it has decided that exposure doesn’t matter. The architects of this sabotage did not care that they had been outed. With Stuxnet, they had made the opening play in a new age of cyber warfare. And neither they, nor their enemies elsewhere, saw reason to stop now.

LIAM O’MURCHU: Stuxnet was a watershed moment in so far as before Stuxnet we were not tracking any known government operations, and now we track hundreds. It opened Pandora's box. Everybody saw, not only can you do this you can use it for espionage, you can use it for sabotage. Here are the blueprints of how you do it and that allowed governments all over the world to start their own programs and to realize the power of what they could do just with code.

ERIC CHIEN: If you think about how much money and effort it takes to build a nuclear missile - which is maybe the ultimate in security offense for a nation-state - but in today’s world, you can maybe have some similar effects by mounting a cyber offense campaign, where you get five people out of college, you get them to write some digital ones and zero code, and be able to turn the lights off in a country without having to launch any missiles or send any infantry. So it became very obvious to us that all sorts of nation-states were going to be launching cyber offensive campaigns.

NARRATOR: There’s a Before Stuxnet and an After Stuxnet. Once its potential for damage had been revealed it could not be unseen. And before long digital sabotage became just another everyday aspect of Eric and Liam’s work.

ERIC CHIEN: Russia turned off the power in Ukraine, twice now, in the middle of winter. We saw Russian actors on US critical infrastructure, literally at the control panel of a power station, where they could have literally flipped the switch. They were taking screenshots. We were able to intercept those screenshots, and they had the mouse control to switch things on and off. So these attacks continue and the stakes are much much higher now.

NARRATOR: Because, despite the growing frequency of these attacks, we are still wading into uncharted territory…

ERIC CHIEN: I think some people are surprised to learn there are actually rules to war. There are established international norms for rules to war. But not with ‘cyber war’. There are no rules. There are no treaties right now. There are no norms right now. It’s a bit of a Wild West.

NARRATOR: And in the Wild West, anything goes. This story has a postscript. In 2020, a full decade after Stuxnet was first uncovered, two news stories arrived in short succession and brought with them a vivid sense of deja vu.

NEWS REPORT: What exactly happened at the Natanz nuclear facility last week? It’s a question people in Iran and around the world have been asking since a fire was reported at Iran’s main nuclear facility on Thursday.

NARRATOR: First, a fire at Natanz’s centrifuge assembly facility. And second?

NEWS REPORT: Some breaking news for you. Iranian state media are saying one of the country’s top nuclear scientists has been assassinated.

NARRATOR: Espionage and sabotage; virus and murder; the digital world and the physical. The lines have blurred once again. For Eric and Liam news stories like this remind them that the shift is permanent and that their lives have been altered forever.

ERIC CHIEN: We are in a world now where cyber warfare exists. And you have to remember - at least in the US when we talk about critical infrastructure, critical infrastructure is run by private companies, that is protected by a private company such as Symantec - that has two guys like Liam and Eric sitting there, making sure that the lights are on every day.

NARRATOR: I’m Vanessa Kirby. Join us next week for another brush with True Spies. We all have valuable spy skills, and our experts are here to help you discover yours. Get an authentic assessment of your spy skills, created by a former head of training at British intelligence, now at SPYSCAPE.com.

Guest Bio

Eric Chien leads Symantec's attack intelligence team responsible for discovering new, sophisticated attack campaigns and tracking hundreds of adversaries, documenting their TTPs (tools, tactics, and procedures) and providing attack intelligence to the company's products, partners and customers. Liam O'Murchu manages the security response operations team for North America with Symantec. He and his team have uncovered and responded to the majority of high-profile malware outbreaks for the last 10 years.
