Mr. Hypponen now draws attention to the point at which computer science turned into an offensive weapon capable of killing people, namely the Stuxnet worm.
Stuxnet is the only one which actually does physical damage. It controls the PLC gear inside the Natanz nuclear enrichment facility, blowing up centrifuges. All the others here are like supporting malware: they gather information, gather intelligence, which then can be used to launch attacks like Stuxnet. We believe some of the information that was needed to launch the Stuxnet attack was collected with Duqu or other related malware before the actual attack was launched.
Now, there’s one key aspect about Stuxnet which is often missed, and that’s the fact that it’s perfectly possible that Stuxnet killed people. We don’t know that. We don’t know whether Stuxnet killed people or whether it did not kill people. But the possibility is there, because what it did was it exploded centrifuges: 2-meter-high centrifuges made of carbon fiber, spinning at very high speeds and filled with uranium gas. And when they start failing, they fail catastrophically, and they easily create a chain reaction, where one exploding centrifuge will make other centrifuges explode as well. And if there are scientists in the control room, it’s not a good place to be.
We don’t know if this happened, but I think the key point here is that the countries launching these attacks must have known that at least a possibility of killing people with this malware is there, and they went ahead and did it anyway. And when they did that, I think we crossed an important line.
It can be argued that nuclear scientists lost their innocence in 1945 (see image), when we, mankind, used the atom bomb for the very first time. And if that’s the case, then we could argue that in exactly the same way computer scientists lost their innocence in 2009, when we started using malware as an offensive attack weapon.
That is a Siemens S7-400 PLC (see left-hand image). This is the basic building block of any modern society. This runs our factories, this runs our power plants, runs our nuclear plants, runs our food processing plants, runs our chemical plants, most likely runs the elevators in this building. These are being used everywhere, and that’s what Stuxnet infected.
So, the Iranian Atomic Energy Organization: that’s where they do their research. They publish scientific papers about nuclear radiation and nuclear power and related things (see right-hand image). And I’m bringing this up because in June I got an email from the Atomic Energy Organization of Iran. And I don’t usually get emails from the Atomic Energy Organization of Iran… But I got an email, this email right here (see left-hand image), which was sent by a scientist working in there, and he explains that they’ve had problems and he wants the world to know that they are under attack again. And then he explains that some of the computers inside their nuclear research facility were waking up in the middle of the night and starting to play music, starting to play AC/DC, specifically playing Thunderstruck at full volume. Nuclear research machines playing Thunderstruck in the middle of the night… Doesn’t sound very plausible, does it? Was it really happening?
Now, I don’t know if this actually happened or not; all I know is that this guy was telling me this, and this guy was emailing from the Atomic Energy Organization of Iran, and I checked it: he was sending it from there. And the name he was using belonged to a real nuclear scientist. I don’t know if this was true or not. But if it was true, assume for a second it really happened. Why would any attacker do this? Why would they start playing AC/DC or any music in the middle of the night? Because, obviously, they blow their cover and everybody will know that there is a problem. But maybe that was the idea to begin with?
If you actually read Sanger’s book, one of the key points about Operation Olympic was to make the enemy feel stupid. Many of the attacks they were doing with the centrifuges were very slow in the beginning, and they were just failing; the Iranian nuclear scientists ended up firing tons of people because they couldn’t get the job done, and they didn’t realize why they weren’t getting the job done. They were feeling stupid.
So, maybe, what they want to do here is show the employees of this organization that your IT department can’t protect you. If your computer plays AC/DC, you know that something’s going on, and your own IT department looks stupid, because they can’t stop it, they can’t keep the malware out. Maybe it’s mind games, or maybe it never happened; maybe this guy was just playing some kind of joke.
But I did find it interesting that around 4 weeks after this, when the Gauss malware was found, if you look at the network traffic (Gauss collects information and sends it out, and it encrypts the information before it sends it out), the encryption it uses has a key, and that key is 4 characters, and those characters are A, C, D, C. Which could be a coincidence, right?
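The exfiltration "encryption" mentioned above, as an added example that is not part of the talk and is not Gauss's own code. The page says only that the key is the four characters ACDC, so this assumes the repeating-key XOR that short-key malware encryption usually turns out to be; the stolen-data record, the function names and the scoring heuristic are all my own constructions. It encrypts the constructed record with that key, then recovers the key from the ciphertext alone, which is what an analyst with a captured upload and no sample of the malware would do. The key length is passed in, since the talk states it is 4.

```python
import string

# Constructed sample record; stands in for captured exfiltration plaintext.
SAMPLE_PLAINTEXT = (
    b"record from host lab workstation seven, user operator, "
    b"browser firefox with cookie session alpha, visited intranet login "
    b"and mail server, removable drive present, collected at two in the "
    b"morning local time, queued for upload to the command server"
)
KEY = b"ACDC"  # the four characters the talk mentions

PRINTABLE = frozenset(string.printable.encode())
LOWER_OR_SPACE = frozenset(b"abcdefghijklmnopqrstuvwxyz ")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme). Encrypt and decrypt are the same call."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score_plaintext(candidate: bytes) -> int:
    """Heuristic for 'looks like text': lowercase letters and spaces score 2,
    other printable ASCII scores 1, control and 8-bit bytes cost 10."""
    total = 0
    for b in candidate:
        if b in LOWER_OR_SPACE:
            total += 2
        elif b in PRINTABLE:
            total += 1
        else:
            total -= 10
    return total


def crack_position(stripe: bytes) -> int:
    """Brute-force one key position: XOR the stripe (every ciphertext byte this
    key byte touched) with all 256 candidates and keep the most text-like one."""
    return max(range(256),
               key=lambda k: score_plaintext(bytes(b ^ k for b in stripe)))


def recover_key(ciphertext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of known length from ciphertext alone.
    Each key byte is independent, so this is 256 * key_len trials, not 256 ** key_len."""
    return bytes(crack_position(ciphertext[i::key_len]) for i in range(key_len))


def demo() -> tuple[bytes, bytes]:
    """Encrypt the sample, forget the key, get it back from the ciphertext."""
    ciphertext = xor_bytes(SAMPLE_PLAINTEXT, KEY)
    recovered = recover_key(ciphertext, len(KEY))
    return recovered, xor_bytes(ciphertext, recovered)


if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key.decode())
    print("decrypted    :", plaintext.decode())
```

The point of the exercise is that a fixed 4-byte key gives no confidentiality to the stolen data at all: a few hundred bytes of captured upload are enough to read it, key or no key. The heuristic is deliberately simple and tuned for lowercase text with spaces; on binary or mostly-uppercase plaintext you would swap in a letter-frequency score.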