On the morning of May 21, 2020, Israelis woke up to some 1,000 of their commercial websites showing images of Tel Aviv in flames and of Israeli Prime Minister Benjamin Netanyahu swimming away from the city.
The images were accompanied by text that read, "The countdown to the destruction of Israel started long ago," and a request that visitors to the websites allow access to their computer's camera.
This cyberattack was just the latest in what has become a tit-for-tat cyberwar between Israel and Iran that has included disruption to the Iranian port of Bandar Abbas and several Israeli water systems.
An article in the Daily Mail quoted the executive director of Tel Aviv University's Institute for National Security Studies, Amos Yadlin, as saying, "We've all known for a decade already that cyber is the new dimension of war in the 21st century."
Yadlin was also quoted as saying that "cyberattacks are only met with more cyberattacks." In a further indication that the conflict in the Middle East has moved online, Iran's supreme leader, Ayatollah Khamenei, and Israel's Prime Minister, Benjamin Netanyahu, recently traded barbs with one another on Twitter.
A traffic jam at sea and on land
On May 9, 2020, something strange began happening at the Shahid Rajaee port in Bandar Abbas, on the Iranian side of the Strait of Hormuz. Satellite photos showed ships backed up and a miles-long traffic jam of trucks leading to the port, all of which was causing massive delays in the off-loading of containers at the port.
The next day, Mohammad Rastad, the managing director of Iran's Ports and Maritime Organization, confirmed to Iran's ILNA news agency that the computers that run the port had been hacked.
In a May 18, 2020 article, the Washington Post quoted a foreign security official as saying that the attack on the Shahid Rajaee port was "highly accurate" and that "there was total disarray."
If carried out by Israel, the cyberattack was most likely in response to Iran's attempt on April 24, 2020 to hack computers at several Israeli rural water distribution networks.
Hackers attempted to disable the computers that control water flow and wastewater treatment, as well as a system that administers chlorine and other chemicals into the water. Officials at the Israeli Water Authority claimed that the cyberattack was detected and stopped before it could cause serious damage.
The world's first cyberweapon
The cyberwar between Iran and Israel most likely started in January 2010 with the mother of all hacks — Stuxnet. Technicians at Iran's Natanz uranium enrichment plant were constantly having to replace failing centrifuges.
International Atomic Energy Agency (IAEA) cameras installed at the Natanz facility recorded the replacement of between 900 and 1,000 of the facility's 5,000 centrifuges, which were being used to enrich uranium gas. The centrifuges are cylindrical tubes that are grouped into what are known as "cascades". At Natanz, each cascade held 164 centrifuges.
The centrifuges spin at high rates of speed and separate the isotopes in uranium gas, isolating those that are capable of a nuclear reaction.
Several months later, technicians from a computer security firm located in Belarus came to Iran to examine a series of computers that were constantly crashing and rebooting. The technicians discovered malicious code on the machines, and that code came to be called Stuxnet.
The code targeted programmable logic controllers (PLCs), which control machinery and industrial processes, and it activated only on machines running:
- The Windows operating system
- Siemens PCS 7, WinCC and STEP7 industrial software applications
- One or more Siemens S7 PLCs.
Analyzing the code, experts found that the highly sophisticated program consisted of three modules:
- A worm, which executes all the routines of the attack
- A link file, which automatically executes copies of the worm
- A rootkit, which hides all the malicious files and processes.
Introduced most likely by a USB flash drive, the worm propagated across the Natanz computer network, looking for Siemens Step7 software on computers that controlled a PLC. Siemens supervisory control and data acquisition (SCADA) systems control and monitor specific industrial processes.
In 1975, author John Brunner published his science fiction novel, The Shockwave Rider. It was the first work in which the hero used computer hacking skills to escape pursuit in a dystopian future. It also coined the term "worm" to describe a program that propagates itself through a computer network.
Once installed, Stuxnet gave commands to the PLC, changing the centrifuges' rotational speed from 1,410 Hz down to 2 Hz and back up to 1,064 Hz. The stresses created by these changes in speed brought the aluminum tubes within the centrifuges into contact with one another, literally tearing the machines apart. At the same time, the rootkit hid the changes in rotational speed from the monitoring systems, so no one was alerted.
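The defensive lesson of that last sentence is that a monitoring screen fed by the same controller the malware owns cannot be trusted on its own. The following script is an added illustration (not code from the article or from any firm it names): it reconciles an independent tachometer reading against the HMI-reported frequency, flagging samples that leave the 807 to 1,210 Hz band the article mentions or that disagree with the HMI. The telemetry, the 20 Hz tolerance and the sample timing are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

NOMINAL_HZ = 1064.0               # normal operating frequency named in the article
OPERATING_BAND = (807.0, 1210.0)  # band the article says Stuxnet looked for
HMI_TOLERANCE_HZ = 20.0           # assumed: max acceptable sensor/HMI disagreement


@dataclass
class Sample:
    t: int            # seconds since start (constructed)
    hmi_hz: float     # frequency shown by the SCADA/HMI (can be spoofed by a rootkit)
    sensor_hz: float  # frequency from an independent, out-of-band tachometer


def check_sample(s: Sample) -> List[str]:
    """Return the alert names raised by one reading (empty list if normal)."""
    alerts = []
    low, high = OPERATING_BAND
    if not low <= s.sensor_hz <= high:
        alerts.append("OUT_OF_BAND")          # physical speed outside the plausible band
    if abs(s.sensor_hz - s.hmi_hz) > HMI_TOLERANCE_HZ:
        alerts.append("HMI_MISMATCH")         # HMI is not telling the truth about the drive
    return alerts


def scan(samples: List[Sample]) -> Dict[int, List[str]]:
    """Map sample time -> alerts, for every sample that raised at least one."""
    findings = {}
    for s in samples:
        alerts = check_sample(s)
        if alerts:
            findings[s.t] = alerts
    return findings


# Constructed telemetry: the HMI keeps reporting the nominal 1,064 Hz while the
# real speed follows the 1,410 Hz -> 2 Hz -> 1,064 Hz pattern described above.
CONSTRUCTED_SAMPLES = [
    Sample(0, 1064.0, 1064.0),
    Sample(60, 1064.0, 1066.0),    # normal jitter, inside tolerance
    Sample(120, 1064.0, 1410.0),   # over-speed, hidden from the HMI
    Sample(180, 1064.0, 2.0),      # near standstill, hidden from the HMI
    Sample(240, 1064.0, 1064.0),   # back to nominal, nothing to flag
]

if __name__ == "__main__":
    for t, alerts in scan(CONSTRUCTED_SAMPLES).items():
        print(f"t={t:>4}s  {', '.join(alerts)}")
```

Only the two samples where the physical speed diverges from the displayed value are reported; the jitter at t=60 stays inside the assumed tolerance.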
Moscow-based Kaspersky Lab concluded that the sophistication of the attack indicated that it was created "with nation-state support," and other security firms agreed with that assessment.
Who were the nation-states?
In a May 2011 broadcast of PBS's program Need To Know, the U.S. Coordinator for Arms Control and Weapons of Mass Destruction, Gary Samore, said, "We're glad they [the Iranians] are having trouble with their centrifuge machines and that we — the U.S. and its allies — are doing everything we can to make sure that we complicate matters for them."
A February 15, 2011 article in the Daily Telegraph newspaper described a video that was played at the retirement party for Gabi Ashkenazi, then head of the Israel Defense Forces (IDF). The video included references to Stuxnet as one of IDF's successes.
In a June 1, 2012 article in the New York Times, it was reported that Stuxnet was part of a joint U.S. and Israeli intelligence operation named "Operation Olympic Games," which began in 2006 under President George W. Bush and continued under President Barack Obama. Bush believed that sabotaging Iran's nuclear infrastructure was preferable to an Israeli airstrike against Iranian nuclear facilities.
The aftermath of Stuxnet
Stuxnet would have remained a secret had there not been a programming error, or "bug", in its code that allowed the worm to spread to an engineer's computer that had been connected to the centrifuges. When the engineer connected his computer to the Internet, the worm spread to other computers where it was discovered.
Stuxnet was designed to affect only computers running the Siemens software, and it limited spread from an infected computer to just three additional computers. Stuxnet was also designed to attack only systems that spin between 807 Hz and 1,210 Hz, and it was programmed to self-destruct on June 24, 2012.
In all, Stuxnet spread to 58.85% of all computers in Iran, 18.22% of computers in Indonesia, 8.31% of computers in India, and less than 5% of computers in Azerbaijan, the U.S., Pakistan, and other countries.
To prevent something like Stuxnet from infecting facilities in the U.S., the Department of Homeland Security's National Cyber Security Division (NCSD) operates the Control System Security Program (CSSP). It provides a computer emergency response team called the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), conducts a biannual conference (ICSJWG), provides training, and publishes a list of best practices.
In 2016, documentary filmmaker Alex Gibney's film Zero Days, which is about Stuxnet, was selected to compete for the Golden Bear at the 66th Berlin International Film Festival.
In an odd twist, flaws in Siemens Process Control System 7 (PCS 7) and its Step 7 software were discussed in July 2008 at a conference in Chicago, and it was the very next year that Stuxnet exploited those exact same holes.