1
00:00:46,912 --> 00:00:49,013
Through the darkness
2
00:00:49,015 --> 00:00:53,250
of the pathways that we marched,
3
00:00:54,319 --> 00:00:57,354
evil and good lived side by side.
4
00:00:57,356 --> 00:01:00,424
And this is the nature of... of life.
5
00:01:16,541 --> 00:01:18,842
We are in an unbalanced
6
00:01:18,844 --> 00:01:23,047
and inequivalent confrontation between democracies
7
00:01:23,049 --> 00:01:25,416
who are obliged to play by the rules
8
00:01:26,051 --> 00:01:29,486
and entities who think democracy is a joke.
9
00:01:31,590 --> 00:01:33,958
You can't convince fanatics
10
00:01:33,960 --> 00:01:38,562
by saying, "hey, hatred paralyzes you,
11
00:01:38,564 --> 00:01:40,164
love releases you."
12
00:01:41,266 --> 00:01:45,536
There are different rules that we have to play by.
13
00:02:01,119 --> 00:02:03,787
Female newsreader: Today, two of Iran's top nuclear scientists
14
00:02:03,789 --> 00:02:05,756
were targeted by hit squads.
15
00:02:05,758 --> 00:02:07,791
Female newsreader 2: ...In the capital Tehran.
16
00:02:07,793 --> 00:02:09,426
Male newsreader: ...The latest in a string of attacks.
17
00:02:09,428 --> 00:02:11,662
Female newsreader 3: Today's attack has all the hallmarks
18
00:02:11,664 --> 00:02:13,831
of major strategic sabotage.
19
00:02:13,833 --> 00:02:14,932
Female newsreader 4: Iran immediately accused
20
00:02:14,934 --> 00:02:16,166
the U.S. and Israel
21
00:02:16,168 --> 00:02:18,035
of trying to damage its nuclear program.
22
00:02:18,336 --> 00:02:19,700
Mahmoud Ahmadinejad:
23
00:02:19,700 --> 00:02:20,889
Unfortunately, and without any doubt,
24
00:02:21,140 --> 00:02:23,600
in the assassinations
which took place today
25
00:02:23,934 --> 00:02:27,774
Western countries and the
Zionist regime were involved.
26
00:02:28,080 --> 00:02:33,817
I want to categorically deny any United States involvement
27
00:02:33,819 --> 00:02:38,756
in any kind of act of violence inside Iran.
28
00:02:38,758 --> 00:02:41,925
Covert actions can help,
29
00:02:41,927 --> 00:02:43,927
can assist.
30
00:02:45,196 --> 00:02:48,098
They are needed, they are not all the time essential,
31
00:02:48,333 --> 00:02:52,770
and they, in no way, can replace political wisdom.
32
00:02:53,138 --> 00:02:55,372
Alex Gibney: Were the assassinations in Iran
33
00:02:55,374 --> 00:02:57,775
related to the STUXnet computer attacks?
34
00:02:58,943 --> 00:03:00,778
Uh, next question, please.
35
00:03:02,380 --> 00:03:03,947
Male newsreader: Iran's infrastructure
36
00:03:03,949 --> 00:03:05,049
is being targeted
37
00:03:05,051 --> 00:03:08,218
by a new and dangerously powerful cyber worm.
38
00:03:08,220 --> 00:03:10,854
The so-called STUXnet worm is specifically designed,
39
00:03:10,856 --> 00:03:13,190
it seems, to infiltrate and sabotage
40
00:03:13,192 --> 00:03:16,326
real-world power plants and factories and refineries.
41
00:03:16,328 --> 00:03:17,728
Male newsreader 2: It's not trying to steal information
42
00:03:17,730 --> 00:03:18,896
or grab your credit card,
43
00:03:18,898 --> 00:03:21,699
they're trying to get into some sort of industrial plant
44
00:03:21,701 --> 00:03:24,085
and wreak havoc trying to blow up an engine or...
45
00:03:24,085 --> 00:03:25,376
The Stuxnet virus
has made attacks worldwide.
46
00:03:25,376 --> 00:03:26,788
Male newsreader 3:
47
00:03:26,788 --> 00:03:31,585
In Iran alone it was identified
30 thousand times.
48
00:03:32,336 --> 00:03:37,336
A super computer virus has put on alert
several countries' secret services.
49
00:03:37,591 --> 00:03:40,551
The information could be
in the reach of terrorists.
50
00:03:40,552 --> 00:03:41,652
Male newsreader 4: No one knows
51
00:03:41,654 --> 00:03:42,820
who's behind the worm
52
00:03:42,822 --> 00:03:44,488
and the exact nature of its mission,
53
00:03:44,490 --> 00:03:47,357
but there are fears Iran will hold Israel
54
00:03:47,359 --> 00:03:50,728
or America responsible and seek retaliation.
55
00:03:50,730 --> 00:03:51,829
Male newsreader 5: It's not impossible that
56
00:03:51,831 --> 00:03:53,163
some group of hackers did it,
57
00:03:53,165 --> 00:03:55,232
but the security experts that are studying this
58
00:03:55,234 --> 00:03:58,001
really think this required the resource of a nation-state.
59
00:04:03,942 --> 00:04:05,876
Man: Okay, and spinning.
60
00:04:05,878 --> 00:04:07,344
Gibney: Okay, good. Here we go.
61
00:04:08,580 --> 00:04:11,882
What impact, ultimately, did the STUXnet attack have?
62
00:04:11,884 --> 00:04:13,150
Can you say?
63
00:04:13,952 --> 00:04:16,120
I don't want to get into the details.
64
00:04:16,354 --> 00:04:18,856
Gibney: Since the event has already happened,
65
00:04:18,858 --> 00:04:22,559
why can't we talk more openly and publicly about STUXnet?
66
00:04:22,561 --> 00:04:25,462
Yeah, I mean, my answer is because it's classified.
67
00:04:25,930 --> 00:04:29,032
I... I won't knowledge... you know, knowingly
68
00:04:29,034 --> 00:04:31,135
offer up anything I consider classified.
69
00:04:31,137 --> 00:04:33,370
Gibney: I know that you can't talk much about STUXnet,
70
00:04:33,372 --> 00:04:36,774
because STUXnet is officially classified.
71
00:04:36,776 --> 00:04:38,142
You're right on both those counts.
72
00:04:38,610 --> 00:04:39,943
Gibney: But there has been
73
00:04:39,945 --> 00:04:42,045
a lot reported about it in the press.
74
00:04:42,047 --> 00:04:44,281
I don't want to comment on this.
75
00:04:44,283 --> 00:04:48,552
I read it in the newspaper, the media, like you,
76
00:04:48,554 --> 00:04:51,555
but I'm unable to elaborate upon it.
77
00:04:51,790 --> 00:04:53,957
People might find it frustrating
78
00:04:53,959 --> 00:04:56,493
not to be able to talk about it when it's in the public domain,
79
00:04:56,495 --> 00:04:57,895
but...
80
00:04:57,897 --> 00:04:59,396
Gibney: I find it frustrating.
81
00:04:59,398 --> 00:05:00,898
Yeah, I'm sure you do.
82
00:05:00,900 --> 00:05:02,466
I don't answer that question.
83
00:05:02,468 --> 00:05:03,834
Unfortunately, I can't comment.
84
00:05:03,836 --> 00:05:05,469
I do not know how to answer that.
85
00:05:05,471 --> 00:05:07,638
Two answers before you even get started, I don't know,
86
00:05:07,640 --> 00:05:10,440
and if I did, we wouldn't talk about it anyway.
87
00:05:10,442 --> 00:05:12,276
Gibney: How can you have a debate if everything's secret?
88
00:05:12,278 --> 00:05:14,311
I think right now that's just where we are.
89
00:05:14,612 --> 00:05:16,079
No one wants to...
90
00:05:16,081 --> 00:05:18,482
Countries aren't happy about confessing
91
00:05:18,484 --> 00:05:21,285
or owning up to what they did because they're not quite sure
92
00:05:21,287 --> 00:05:23,153
where they want the system to go.
93
00:05:23,788 --> 00:05:25,756
And so whoever was behind STUXnet
94
00:05:25,758 --> 00:05:27,257
hasn't admitted they were behind it.
95
00:05:31,095 --> 00:05:32,963
Gibney: Asking officials about STUXnet
96
00:05:32,965 --> 00:05:34,498
was frustrating and surreal,
97
00:05:34,799 --> 00:05:37,334
like asking the emperor about his new clothes.
98
00:05:38,036 --> 00:05:41,138
Even after the cyber weapon had penetrated computers
99
00:05:41,140 --> 00:05:42,539
all over the world,
100
00:05:42,807 --> 00:05:45,108
no one was willing to admit it was loose
101
00:05:45,110 --> 00:05:47,511
or talk about the dangers it posed.
102
00:05:48,379 --> 00:05:50,647
What was it about the STUXnet operation
103
00:05:50,649 --> 00:05:52,449
that was hiding in plain sight?
104
00:05:53,885 --> 00:05:55,652
Maybe there was a way the computer code
105
00:05:55,654 --> 00:05:57,287
could speak for itself.
106
00:05:58,056 --> 00:06:00,424
STUXnet first surfaced in Belarus.
107
00:06:00,992 --> 00:06:03,360
I started with a call to the man who discovered it
108
00:06:03,362 --> 00:06:06,363
when his clients in Iran began to panic
109
00:06:06,365 --> 00:06:09,032
over an epidemic of computer shutdowns.
110
00:06:09,834 --> 00:06:13,070
Had you ever seen anything quite so sophisticated before?
111
00:06:13,664 --> 00:06:17,424
I have seen very sophisticated
viruses before,
112
00:06:17,668 --> 00:06:21,548
but they didn't have...
113
00:06:24,008 --> 00:06:25,378
this kind of...
114
00:06:26,969 --> 00:06:27,719
zero day.
115
00:06:29,054 --> 00:06:32,524
It was the first time in my practice.
116
00:06:33,350 --> 00:06:36,440
That led me to understand
117
00:06:37,813 --> 00:06:44,783
that I should notify
web security companies ASAP
118
00:06:46,530 --> 00:06:51,030
about the fact that such a danger exists.
119
00:07:36,487 --> 00:07:38,322
Eric Chien: On a daily basis, basically
120
00:07:38,324 --> 00:07:40,390
we are sifting through
121
00:07:40,392 --> 00:07:43,894
a massive haystack looking for that proverbial needle.
122
00:07:44,762 --> 00:07:47,731
We get millions of pieces of new malicious threats
123
00:07:47,733 --> 00:07:49,599
and there are millions of attacks going on
124
00:07:49,601 --> 00:07:50,801
every single day.
125
00:07:50,969 --> 00:07:53,403
And only way are trying to protect people
126
00:07:53,405 --> 00:07:55,005
and their computers and... and their systems
127
00:07:55,007 --> 00:07:57,674
and countries' infrastructure
128
00:07:57,676 --> 00:07:59,776
from being taken down by those attacks.
129
00:07:59,778 --> 00:08:03,113
But more importantly, we have to find the attacks that matter.
130
00:08:03,115 --> 00:08:04,848
When you're talking about that many,
131
00:08:05,149 --> 00:08:07,417
impact is extremely important.
132
00:08:19,797 --> 00:08:21,498
Eugene Kaspersky: Twenty years ago, the antivirus companies,
133
00:08:21,500 --> 00:08:23,200
they were hunting for computer viruses
134
00:08:23,202 --> 00:08:24,468
because there were not so many.
135
00:08:24,470 --> 00:08:27,771
So we had, like, tens of dozens a month,
136
00:08:27,972 --> 00:08:30,540
and there was just little numbers.
137
00:08:30,542 --> 00:08:34,745
Now, we collect millions of unique attacks every month.
138
00:08:36,114 --> 00:08:38,548
Vitaly Kamluk: This room we call a woodpecker's room
139
00:08:38,550 --> 00:08:39,883
or a virus lab,
140
00:08:40,118 --> 00:08:42,052
and this is where virus analysts sit.
141
00:08:42,054 --> 00:08:44,021
We call them woodpeckers because they are
142
00:08:44,023 --> 00:08:46,523
pecking the worms, network worms, and viruses.
143
00:08:47,392 --> 00:08:50,627
And we see, like, three different groups of hackers
144
00:08:50,629 --> 00:08:52,195
behind cyber-attacks.
145
00:08:52,964 --> 00:08:54,731
They are traditional cyber criminals.
146
00:08:54,899 --> 00:08:58,735
Those guys are interested only in illegal profit.
147
00:08:58,737 --> 00:09:00,137
And quick and dirty money.
148
00:09:00,139 --> 00:09:02,305
Activists, or hacktivists,
149
00:09:02,307 --> 00:09:04,674
they are hacking for fun or hacking to push
150
00:09:04,676 --> 00:09:05,942
some political message.
151
00:09:06,177 --> 00:09:08,545
And the third group is nation-states.
152
00:09:08,746 --> 00:09:11,648
They're interested in high-quality intelligence
153
00:09:11,650 --> 00:09:13,083
or sabotage activity.
154
00:09:14,352 --> 00:09:16,853
Chien: Security companies not only share information
155
00:09:16,855 --> 00:09:18,588
but we also share binary samples.
156
00:09:18,590 --> 00:09:20,190
So when this threat was found
157
00:09:20,192 --> 00:09:22,025
by a Belarusian security company
158
00:09:22,027 --> 00:09:24,361
on one of their customer's machines in Iran,
159
00:09:24,363 --> 00:09:26,963
the sample was shared amongst the security community.
160
00:09:27,865 --> 00:09:29,433
When we try to name threats, we just try to pick
161
00:09:29,435 --> 00:09:31,501
some sort of string, some sort of words,
162
00:09:31,503 --> 00:09:34,071
that are inside of the binary.
163
00:09:35,239 --> 00:09:37,607
In this case, there was a couple of words in there
164
00:09:37,609 --> 00:09:40,577
and we took pieces of each, and that formed STUXnet.
165
00:09:43,047 --> 00:09:46,249
I got the news about STUXnet from one of my engineers.
166
00:09:46,251 --> 00:09:48,952
He came to my office, opened the door,
167
00:09:49,520 --> 00:09:52,522
and he said, "so, Eugene, of course you know that
168
00:09:52,524 --> 00:09:55,125
we are waiting for something really bad.
169
00:09:55,426 --> 00:09:56,593
It happened."
170
00:10:03,301 --> 00:10:05,469
Gibney: Give me some sense of what it was like
171
00:10:05,471 --> 00:10:06,870
in the lab at that time.
172
00:10:06,872 --> 00:10:08,472
Was there a palpable sense of amazement
173
00:10:08,474 --> 00:10:10,474
that you had something really different there?
174
00:10:10,775 --> 00:10:12,776
Well, I wouldn't call it amazement.
175
00:10:12,778 --> 00:10:14,845
It was a kind of a shock.
176
00:10:15,246 --> 00:10:18,381
It went beyond our worst fears, our worst nightmares,
177
00:10:18,749 --> 00:10:21,751
and this continued the more we analyzed.
178
00:10:21,753 --> 00:10:23,720
The more we researched,
179
00:10:23,722 --> 00:10:26,723
the more bizarre the whole story got.
180
00:10:27,058 --> 00:10:28,725
We look at so much malware every day that
181
00:10:28,727 --> 00:10:30,660
we can just look at the code and straightaway we can say,
182
00:10:30,662 --> 00:10:32,262
"okay, there's something bad going on here,
183
00:10:32,264 --> 00:10:33,730
and I need to investigate that."
184
00:10:33,732 --> 00:10:34,798
And that's the way it was
185
00:10:34,999 --> 00:10:36,933
when we looked at STUXnet for the first time.
186
00:10:36,935 --> 00:10:39,436
We opened it up and there was just bad things everywhere.
187
00:10:39,438 --> 00:10:41,905
Just like, okay, this is bad and that's bad,
188
00:10:41,907 --> 00:10:43,440
and, you know, we need to investigate this.
189
00:10:43,442 --> 00:10:44,908
And just suddenly we had, like,
190
00:10:44,910 --> 00:10:46,376
a hundred questions straightaway.
191
00:10:48,412 --> 00:10:50,847
The most interesting thing that we do is detective work
192
00:10:50,849 --> 00:10:53,517
where we try to track down who's behind a threat,
193
00:10:53,519 --> 00:10:55,085
what are they doing, what's their motivation,
194
00:10:55,087 --> 00:10:56,820
and try to really stop it at the root.
195
00:10:56,822 --> 00:10:59,189
And it is kind of all-consuming.
196
00:10:59,191 --> 00:11:00,824
You get this new puzzle
197
00:11:00,826 --> 00:11:02,526
and it's very difficult to put it down,
198
00:11:02,528 --> 00:11:04,961
you know, work until, like, 4:00 am in the morning
199
00:11:04,963 --> 00:11:06,163
and figure these things out.
200
00:11:06,165 --> 00:11:08,965
And I was in that zone where I was very consumed by this,
201
00:11:08,967 --> 00:11:11,101
very excited about it, very interested to know
202
00:11:11,103 --> 00:11:12,369
what was happening.
203
00:11:12,371 --> 00:11:15,505
And Eric was also in that same sort of zone.
204
00:11:15,507 --> 00:11:18,208
So the two of us were, like, back and forth all the time.
205
00:11:18,210 --> 00:11:20,944
Chien: Liam and I continued to grind at the code,
206
00:11:20,946 --> 00:11:23,046
sharing pieces, comparing notes,
207
00:11:23,048 --> 00:11:24,881
bouncing ideas off of each other.
208
00:11:25,316 --> 00:11:26,783
We realized that we needed to do
209
00:11:26,785 --> 00:11:29,853
what we called deep analysis, pick apart the threat,
210
00:11:29,855 --> 00:11:32,689
every single byte, every single zero, one,
211
00:11:32,691 --> 00:11:34,791
and understand everything that was inside of it.
212
00:11:35,326 --> 00:11:37,127
And just to give you some context,
213
00:11:37,129 --> 00:11:39,162
we can go through and understand every line of code
214
00:11:39,164 --> 00:11:40,964
for the average threat in minutes.
215
00:11:41,566 --> 00:11:43,366
And here we are one month into this threat
216
00:11:43,368 --> 00:11:45,302
and we were just starting to discover what we call
217
00:11:45,304 --> 00:11:47,204
the payload or its whole purpose.
218
00:11:49,540 --> 00:11:51,074
When looking at the STUXnet code,
219
00:11:51,076 --> 00:11:53,643
it's 20 times the size of the average piece of code
220
00:11:54,145 --> 00:11:56,379
but contains almost no bugs inside of it.
221
00:11:56,381 --> 00:11:58,248
And that's extremely rare.
222
00:11:58,250 --> 00:12:00,150
Malicious code always has bugs inside of it.
223
00:12:00,152 --> 00:12:01,918
This wasn't the case with STUXnet.
224
00:12:01,920 --> 00:12:04,754
It's dense and every piece of code does something
225
00:12:04,756 --> 00:12:07,591
and does something right in order to conduct its attack.
226
00:12:08,826 --> 00:12:10,894
One of the things that surprised us
227
00:12:10,896 --> 00:12:13,263
was that STUXnet utilized what's called
228
00:12:13,265 --> 00:12:15,832
a zero-day exploit, or basically,
229
00:12:15,834 --> 00:12:18,168
a piece of code that allows it to spread
230
00:12:18,170 --> 00:12:20,003
without you having to do anything.
231
00:12:20,005 --> 00:12:22,739
You don't have to, for example, download a file and run it.
232
00:12:22,741 --> 00:12:24,941
A zero-day exploit is an exploit that
233
00:12:24,943 --> 00:12:26,610
nobody knows about except the attacker.
234
00:12:26,612 --> 00:12:28,178
So there's no protection against it.
235
00:12:28,180 --> 00:12:29,613
There's been no patch released.
236
00:12:29,615 --> 00:12:31,915
There's been zero days protection,
237
00:12:31,917 --> 00:12:33,516
you know, against it.
238
00:12:34,385 --> 00:12:35,785
That's what attackers value,
239
00:12:35,787 --> 00:12:37,587
because they know 100 percent
240
00:12:37,589 --> 00:12:39,923
if they have this zero-day exploit,
241
00:12:39,925 --> 00:12:41,625
they can get in wherever they want.
242
00:12:41,627 --> 00:12:43,126
They're actually very valuable.
243
00:12:43,128 --> 00:12:44,527
You can sell these on the underground
244
00:12:44,529 --> 00:12:46,049
for hundreds of thousands of dollars.
245
00:12:47,398 --> 00:12:48,465
Chien: Then we became more worried
246
00:12:48,467 --> 00:12:50,533
because immediately we discovered more zero days.
247
00:12:50,535 --> 00:12:53,270
And again, these zero days are extremely rare.
248
00:12:53,272 --> 00:12:55,572
Inside STUXnet we had, you know, four zero days,
249
00:12:55,574 --> 00:12:57,307
and for the entire rest of the year,
250
00:12:57,309 --> 00:12:59,876
we only saw 12 zero days used.
251
00:12:59,878 --> 00:13:01,544
It blows all... everything else out of the water.
252
00:13:01,546 --> 00:13:02,779
We've never seen this before.
253
00:13:02,781 --> 00:13:04,541
Actually, we've never seen it since, either.
254
00:13:04,615 --> 00:13:07,217
Seeing one in a malware you could understand
255
00:13:07,219 --> 00:13:10,120
because, you know, the malware authors are making money,
256
00:13:10,122 --> 00:13:11,721
they're stealing people's credit cards and making money,
257
00:13:11,723 --> 00:13:12,889
so it's worth their while to use it,
258
00:13:12,891 --> 00:13:15,258
but seeing four zero days, could be worth
259
00:13:15,260 --> 00:13:16,459
half a million dollars right there,
260
00:13:16,461 --> 00:13:18,228
used in one piece of malware,
261
00:13:18,496 --> 00:13:20,897
this is not your ordinary criminal gangs doing this.
262
00:13:20,899 --> 00:13:22,499
This is... this is someone bigger.
263
00:13:22,501 --> 00:13:24,401
It's definitely not traditional crime,
264
00:13:24,403 --> 00:13:27,904
not hacktivists. Who else?
265
00:13:28,773 --> 00:13:31,007
It was evident at a very early stage
266
00:13:31,509 --> 00:13:33,743
that just given the sophistication
267
00:13:33,745 --> 00:13:35,245
of this malware...
268
00:13:36,480 --> 00:13:39,282
Suggested that there must have been
269
00:13:39,284 --> 00:13:40,750
a nation-state involved,
270
00:13:40,752 --> 00:13:43,987
at least one nation-state involved in the development.
271
00:13:43,989 --> 00:13:46,022
When we look at code that's coming from
272
00:13:46,024 --> 00:13:47,590
what appears to be a state attacker
273
00:13:47,592 --> 00:13:50,193
or state-sponsored attacker, usually they're scrubbed clean.
274
00:13:50,195 --> 00:13:52,629
They don't... they don't leave little bits behind.
275
00:13:52,631 --> 00:13:54,364
They don't leave little hints behind.
276
00:13:54,632 --> 00:13:56,299
But in STUXnet there were actually
277
00:13:56,301 --> 00:13:57,667
a few hints left behind.
278
00:13:58,936 --> 00:14:02,205
One was that, in order to get low-level access
279
00:14:02,207 --> 00:14:03,673
to Microsoft Windows,
280
00:14:03,874 --> 00:14:05,674
STUXnet needed to use a digital certificate,
281
00:14:05,976 --> 00:14:08,378
which certifies that this piece of code
282
00:14:08,380 --> 00:14:11,247
came from a particular company.
283
00:14:12,149 --> 00:14:14,217
Now, those attackers obviously couldn't go to Microsoft
284
00:14:14,219 --> 00:14:15,685
and say, "hey, test our code out for us.
285
00:14:15,687 --> 00:14:17,287
And give us a digital certificate."
286
00:14:17,988 --> 00:14:19,589
So they essentially stole them...
287
00:14:20,825 --> 00:14:22,892
From two companies in Taiwan.
288
00:14:22,894 --> 00:14:24,794
And these two companies have nothing to do with each other
289
00:14:24,796 --> 00:14:26,463
except for their close proximity
290
00:14:26,465 --> 00:14:28,264
in the exact same business park.
291
00:14:30,835 --> 00:14:34,671
Digital certificates are guarded very, very closely
292
00:14:34,673 --> 00:14:36,206
behind multiple doors
293
00:14:36,208 --> 00:14:38,641
and they require multiple people to unlock.
294
00:14:38,643 --> 00:14:40,310
Security: ...To the camera.
295
00:14:40,312 --> 00:14:42,011
Chien: And they need to provide both biometrics
296
00:14:42,013 --> 00:14:44,414
and, as well, pass phrases.
297
00:14:44,416 --> 00:14:45,882
It wasn't like those certificates were
298
00:14:45,884 --> 00:14:47,584
just sitting on some machine connected to the Internet.
299
00:14:47,818 --> 00:14:50,620
Some human assets had to be involved, spies.
300
00:14:50,855 --> 00:14:52,689
O'Murchu: Like a cleaner who comes in at night
301
00:14:52,691 --> 00:14:54,424
and has stolen these certificates
302
00:14:54,426 --> 00:14:55,658
from these companies.
303
00:14:59,063 --> 00:15:01,164
It did feel like walking onto the set
304
00:15:01,166 --> 00:15:03,666
of this James Bond movie and you...
305
00:15:03,668 --> 00:15:05,235
You've been embroiled in this thing that,
306
00:15:05,237 --> 00:15:07,837
you know, you... you never expected.
307
00:15:10,508 --> 00:15:11,608
We continued to search,
308
00:15:11,610 --> 00:15:13,109
and we continued to search in code,
309
00:15:13,111 --> 00:15:15,945
and eventually we found some other bread crumbs left
310
00:15:15,947 --> 00:15:17,347
we were able to follow.
311
00:15:18,048 --> 00:15:19,682
It was doing something with Siemens,
312
00:15:19,950 --> 00:15:22,752
Siemens software, possibly Siemens hardware.
313
00:15:23,053 --> 00:15:24,754
We'd never ever seen that in any malware before,
314
00:15:24,756 --> 00:15:26,089
something targeting Siemens.
315
00:15:26,091 --> 00:15:28,051
We didn't even know why they would be doing that.
316
00:15:29,627 --> 00:15:32,362
But after googling, very quickly we understood
317
00:15:32,364 --> 00:15:34,798
it was targeting Siemens PLCs.
318
00:15:35,266 --> 00:15:38,201
STUXnet was targeting a very specific hardware device,
319
00:15:38,203 --> 00:15:41,604
something called a PLC or a programmable logic controller.
320
00:15:42,039 --> 00:15:44,941
Langner: The PLC is kind of a very small computer
321
00:15:45,242 --> 00:15:47,977
attached to physical equipment,
322
00:15:47,979 --> 00:15:50,613
like pumps, like valves, like motors.
323
00:15:51,415 --> 00:15:55,985
So this little box is running a digital program
324
00:15:55,987 --> 00:15:58,288
and the actions of this program
325
00:15:58,290 --> 00:16:02,392
turns that motor on, off, or sets a specific speed.
326
00:16:02,394 --> 00:16:04,127
Chien: Those program module controllers
327
00:16:04,129 --> 00:16:06,663
control things like power plants, power grids.
328
00:16:06,665 --> 00:16:08,398
O'Murchu: This is used in factories,
329
00:16:08,400 --> 00:16:10,867
it's used in critical infrastructure.
330
00:16:11,569 --> 00:16:14,604
Critical infrastructure, it's everywhere around us,
331
00:16:14,606 --> 00:16:17,173
transportation, telecommunications,
332
00:16:17,175 --> 00:16:19,476
financial services, health care.
333
00:16:20,010 --> 00:16:22,912
So the payload of STUXnet was designed
334
00:16:22,914 --> 00:16:26,082
to attack some very important part
335
00:16:26,084 --> 00:16:27,517
of our world.
336
00:16:27,785 --> 00:16:29,319
The payload is gonna be important.
337
00:16:29,321 --> 00:16:32,088
What happens there could be very dangerous.
338
00:16:34,292 --> 00:16:37,260
Langner: The next very big surprise came
339
00:16:37,262 --> 00:16:39,562
when it infected our lab system.
340
00:16:40,297 --> 00:16:43,299
We figured out that the malware was probing
341
00:16:43,301 --> 00:16:44,667
for controllers.
342
00:16:45,035 --> 00:16:47,103
It was quite picky on its targets.
343
00:16:47,105 --> 00:16:51,441
It didn't try to manipulate any given controller in a network
344
00:16:51,443 --> 00:16:52,775
that it would see.
345
00:16:53,010 --> 00:16:57,213
It went through several checks, and when those checks failed,
346
00:16:57,215 --> 00:16:59,449
it would not implement the attack.
347
00:17:02,186 --> 00:17:06,055
It was obviously probing for a specific target.
348
00:17:07,391 --> 00:17:09,559
You've got to put this in context that,
349
00:17:09,561 --> 00:17:11,361
at the time, we already knew,
350
00:17:11,363 --> 00:17:13,730
well, this is the most sophisticated piece of malware
351
00:17:13,732 --> 00:17:15,298
that we have ever seen.
352
00:17:16,066 --> 00:17:18,034
So it's kind of strange.
353
00:17:18,036 --> 00:17:23,039
Somebody takes that huge effort to hit one specific target?
354
00:17:23,307 --> 00:17:25,241
Well, that must be quite a significant target.
355
00:17:28,846 --> 00:17:31,247
Chien: So at Symantec we have probes on networks
356
00:17:31,249 --> 00:17:32,415
all over the world
357
00:17:32,417 --> 00:17:34,817
watching for malicious activity.
358
00:17:35,219 --> 00:17:37,220
O'Murchu: We'd actually seen infections of STUXnet
359
00:17:37,222 --> 00:17:39,756
all over the world, in the U.S., Australia,
360
00:17:39,758 --> 00:17:42,392
in the U.K., in France, Germany, all over Europe.
361
00:17:42,893 --> 00:17:45,293
Chien: It spread to any Windows machine in the entire world.
362
00:17:45,663 --> 00:17:47,897
You know, we had these organizations
363
00:17:47,899 --> 00:17:50,199
inside the United States who were in charge of
364
00:17:50,201 --> 00:17:51,901
industrial control facilities saying,
365
00:17:51,903 --> 00:17:53,903
"we're infected. What's gonna happen?"
366
00:17:54,271 --> 00:17:56,940
O'Murchu: We didn't know if there was a deadline coming up
367
00:17:56,942 --> 00:17:58,508
where this threat would trigger
368
00:17:58,510 --> 00:18:00,843
and suddenly would, like, turn off all, you know,
369
00:18:00,845 --> 00:18:02,412
electricity plants around the world
370
00:18:02,414 --> 00:18:04,180
or it would start shutting things down
371
00:18:04,182 --> 00:18:05,515
or launching some attack.
372
00:18:06,350 --> 00:18:09,385
We knew that STUXnet could have very dire consequences,
373
00:18:09,387 --> 00:18:12,055
and we were very worried about
374
00:18:12,057 --> 00:18:13,523
what the payload contained
375
00:18:13,525 --> 00:18:15,758
and there was an imperative speed
376
00:18:15,760 --> 00:18:17,860
that we had to race and try and, you know,
377
00:18:17,862 --> 00:18:19,262
beat this ticking bomb.
378
00:18:20,397 --> 00:18:22,932
Eventually, we were able to refine the statistics a little
379
00:18:22,934 --> 00:18:24,434
and we saw that Iran was the number one
380
00:18:24,436 --> 00:18:26,035
infected country in the world.
381
00:18:26,037 --> 00:18:28,605
Chien: That immediately raised our eyebrows.
382
00:18:28,607 --> 00:18:30,873
We had never seen a threat before
383
00:18:30,875 --> 00:18:33,009
where it was predominantly in Iran.
384
00:18:33,944 --> 00:18:35,545
And so we began to follow what was going on
385
00:18:35,547 --> 00:18:36,779
in the geopolitical world,
386
00:18:36,947 --> 00:18:38,547
what was happening in the general news.
387
00:18:38,716 --> 00:18:41,951
And at that time, there were actually multiple explosions
388
00:18:41,953 --> 00:18:44,854
of gas pipelines going in and out of Iran.
389
00:18:45,823 --> 00:18:47,223
Unexplained explosions.
390
00:18:48,759 --> 00:18:50,893
O'Murchu: And of course, we did notice that at the time
391
00:18:50,895 --> 00:18:53,529
there had been assassinations of nuclear scientists.
392
00:18:54,732 --> 00:18:56,165
So that was worrying.
393
00:18:56,967 --> 00:18:59,168
We knew there was something bad happening.
394
00:18:59,637 --> 00:19:01,471
Gibney: Did you get concerned for yourself?
395
00:19:01,473 --> 00:19:03,406
I mean, did you begin to start looking over your shoulder
396
00:19:03,408 --> 00:19:04,641
from time to time?
397
00:19:04,643 --> 00:19:06,242
Yeah, definitely looking over my shoulder
398
00:19:06,244 --> 00:19:08,811
and... and being careful about what I spoke about on the phone.
399
00:19:09,813 --> 00:19:13,016
I was... pretty confident my conversations on my...
400
00:19:13,018 --> 00:19:14,484
On the phone were being listened to.
401
00:19:14,818 --> 00:19:16,786
We were only half joking
402
00:19:16,788 --> 00:19:18,821
when we would look at each other
403
00:19:18,823 --> 00:19:20,590
and tell each other things like,
404
00:19:20,592 --> 00:19:22,825
"look, I'm not suicidal.
405
00:19:23,160 --> 00:19:26,663
If I show up dead on Monday, you know, it wasn't me."
406
00:19:35,439 --> 00:19:37,874
We'd been publishing information about STUXnet
407
00:19:37,876 --> 00:19:39,275
all through that summer.
408
00:19:40,644 --> 00:19:43,279
And then in November, the industrial control system
409
00:19:43,281 --> 00:19:46,416
sort of expert in Holland contacted us...
410
00:19:47,685 --> 00:19:50,286
And he said all of these devices that would be inside of
411
00:19:50,288 --> 00:19:53,356
an industrial control system hold a unique identifier number
412
00:19:53,358 --> 00:19:56,559
that identified the make and model of that device.
413
00:19:58,328 --> 00:20:01,998
And we actually had a couple of these numbers in the code
414
00:20:02,000 --> 00:20:03,440
that we didn't know what they were.
415
00:20:04,401 --> 00:20:06,302
And so we realized maybe what he was referring to
416
00:20:06,304 --> 00:20:07,770
was the magic numbers we had.
417
00:20:08,305 --> 00:20:09,839
And then when we searched for those magic numbers
418
00:20:09,841 --> 00:20:11,007
in that context,
419
00:20:11,009 --> 00:20:13,409
we saw that what had to be connected
420
00:20:13,411 --> 00:20:15,578
to this industrial control system that was being targeted
421
00:20:15,580 --> 00:20:17,547
were something called frequency converters
422
00:20:17,881 --> 00:20:20,049
from two specific manufacturers,
423
00:20:20,051 --> 00:20:21,818
one of which was in Iran.
424
00:20:22,419 --> 00:20:24,187
And so at this time, we absolutely knew
425
00:20:24,189 --> 00:20:26,522
that the facility that was being targeted
426
00:20:26,524 --> 00:20:27,990
had to be in Iran
427
00:20:28,325 --> 00:20:31,160
and had equipment made from Iranian manufacturers.
428
00:20:32,096 --> 00:20:33,863
When we looked up those frequency converters,
429
00:20:33,865 --> 00:20:35,665
we immediately found out that they were actually
430
00:20:35,667 --> 00:20:38,067
export controlled by the Nuclear Regulatory Commission.
431
00:20:38,669 --> 00:20:40,002
And that immediately led us then
432
00:20:40,004 --> 00:20:42,271
to some nuclear facility.
433
00:20:59,890 --> 00:21:02,024
Gibney: This was more than a computer story,
434
00:21:02,392 --> 00:21:04,827
so I left the world of the antivirus detectives
435
00:21:05,129 --> 00:21:07,063
and sought out journalist, David Sanger,
436
00:21:07,065 --> 00:21:09,298
who specialized in the strange intersection
437
00:21:09,300 --> 00:21:12,301
of cyber, nuclear weapons, and espionage.
438
00:21:13,270 --> 00:21:15,371
Sanger: The emergence of the code
439
00:21:15,373 --> 00:21:18,674
is what put me on alert that an attack was under way.
440
00:21:20,110 --> 00:21:23,279
And because of the covert nature of the operation,
441
00:21:23,281 --> 00:21:26,282
not only were official government spokesmen
442
00:21:26,284 --> 00:21:29,185
unable to talk about it, they didn't even know about it.
443
00:21:30,387 --> 00:21:32,455
Eventually, the more I dug into it,
444
00:21:32,457 --> 00:21:37,059
the more I began to find individuals
445
00:21:37,294 --> 00:21:39,495
who had been involved in some piece of it
446
00:21:39,663 --> 00:21:41,731
or who had witnessed some piece of it.
447
00:21:42,332 --> 00:21:44,734
And that meant talking to Americans,
448
00:21:44,736 --> 00:21:47,637
talking to Israelis, talking to Europeans,
449
00:21:47,639 --> 00:21:50,740
because this was obviously the first, biggest,
450
00:21:50,742 --> 00:21:55,311
and most sophisticated example of a state
451
00:21:55,313 --> 00:21:57,947
or two states using a cyber weapon
452
00:21:57,949 --> 00:21:59,482
for offensive purposes.
453
00:22:02,920 --> 00:22:05,822
I came to this with a fair bit of history,
454
00:22:05,824 --> 00:22:08,591
understanding the Iranian nuclear program.
455
00:22:09,626 --> 00:22:13,029
How did Iran get its first nuclear reactor?
456
00:22:13,597 --> 00:22:16,732
We gave it to them... under the Shah,
457
00:22:17,034 --> 00:22:20,469
because the Shah was considered an American ally.
458
00:22:21,973 --> 00:22:25,608
Thank you again for your warm welcome, Mr. President.
459
00:22:25,943 --> 00:22:27,543
Gary Samore: During the Nixon administration,
460
00:22:27,545 --> 00:22:30,813
the U.S. was very enthusiastic about supporting
461
00:22:30,815 --> 00:22:32,915
the Shah's nuclear power program.
462
00:22:33,817 --> 00:22:36,152
And at one point, the Nixon administration
463
00:22:36,154 --> 00:22:38,988
was pushing the idea that Pakistan and Iran
464
00:22:38,990 --> 00:22:43,593
should build a joint plant together in Iran.
465
00:22:44,962 --> 00:22:46,662
There's at least some evidence that
466
00:22:46,664 --> 00:22:50,166
the Shah was thinking about acquisition of nuclear weapons,
467
00:22:50,168 --> 00:22:53,703
because he saw, and we were encouraging him to see Iran
468
00:22:53,705 --> 00:22:56,005
as the so-called policemen of the Persian Gulf.
469
00:22:56,007 --> 00:22:58,174
And the Iranians have always viewed themselves
470
00:22:58,176 --> 00:23:01,410
as naturally the dominant power in the Middle East.
471
00:23:02,214 --> 00:23:07,594
Why is it normal for you,
the Germans and the British,
472
00:23:07,845 --> 00:23:09,435
to have...
473
00:23:10,764 --> 00:23:14,484
atomic and hydrogen weapons, and for Iran,
474
00:23:15,102 --> 00:23:17,102
the simple principle of self-defense,
475
00:23:17,396 --> 00:23:20,106
the defense of its interests, a problem,
476
00:23:20,357 --> 00:23:22,357
while for others it is totally normal?
477
00:23:24,001 --> 00:23:25,568
Samore: But the revolution,
478
00:23:25,570 --> 00:23:27,270
which overthrew the Shah in '79,
479
00:23:27,272 --> 00:23:29,071
really curtailed the program
480
00:23:29,073 --> 00:23:31,440
before it ever got any head of steam going.
481
00:23:32,542 --> 00:23:37,113
Part of our policy against Iran after the revolution
482
00:23:37,115 --> 00:23:39,415
was to deny them nuclear technology.
483
00:23:39,417 --> 00:23:42,718
So most of the period when I was involved
484
00:23:42,720 --> 00:23:44,720
in the '80s and the '90s
485
00:23:44,722 --> 00:23:47,123
was the U.S. running around the world
486
00:23:47,125 --> 00:23:50,393
and persuading potential nuclear suppliers
487
00:23:50,395 --> 00:23:53,796
not to provide even peaceful nuclear technology to Iran.
488
00:23:54,031 --> 00:23:57,466
And what we missed was the clandestine transfer
489
00:23:57,468 --> 00:24:00,369
in the mid-1980s from Pakistan to Iran.
490
00:24:04,375 --> 00:24:05,608
Rolf Mowatt-Larssen: Abdul Qadeer Khan
491
00:24:05,610 --> 00:24:06,943
is what we would call
492
00:24:06,945 --> 00:24:08,945
the father of the Pakistan nuclear program.
493
00:24:10,380 --> 00:24:12,949
He had the full authority and confidence
494
00:24:12,951 --> 00:24:15,251
of the Pakistan government from its inception
495
00:24:15,253 --> 00:24:17,320
to the production of nuclear weapons.
496
00:24:19,056 --> 00:24:21,390
I was a CIA officer for... for...
497
00:24:21,392 --> 00:24:24,060
For over two decades, operations officer,
498
00:24:24,062 --> 00:24:25,861
worked overseas most of my career.
499
00:24:26,430 --> 00:24:28,497
The A.Q. Khan network is so notable
500
00:24:28,499 --> 00:24:31,500
because aside from building
501
00:24:31,502 --> 00:24:34,537
the Pakistani program for decades...
502
00:24:35,772 --> 00:24:38,941
It also was the means by which other countries
503
00:24:38,943 --> 00:24:41,577
were able to develop nuclear weapons,
504
00:24:41,579 --> 00:24:42,878
including Iran.
505
00:24:43,480 --> 00:24:45,114
Samore: A.Q. Khan acting on behalf
506
00:24:45,116 --> 00:24:46,182