The Bomber Always Gets Through

Analysis on the 2021 Natanz attacks from someone who responded to Stuxnet

Iran’s Natanz nuclear enrichment facility

In the early morning of April 11th, 2021 an explosion rocked the desert surrounding Natanz, a nuclear enrichment facility within Iran’s nuclear power infrastructure. Later that day, the Iranian government issued a statement that Iran was the subject of a powerful cyberattack that physically (and dangerously) sabotaged the facility’s nuclear enrichment capabilities.

The 2021 Natanz attacks are already making waves across a security community still reeling from the Solarwinds attacks. State sponsored hacking is already a concern for most organizations working in critical infrastructure. But the physical nature of the 2021 Natanz attacks well underscore that modern state sponsored adversaries, in order to accomplish their strategic objectives, are willing to employ cyberattacks that may kill a lot of people and cause lasting physical and economic damage to a government.

Attacks like Natanz and Solarwinds are starting to set the tone for the next decade of cybersecurity. To understand what they mean, and especially don’t mean, for security in the 2020s we need to look back at the last decade of cyberattacks.

And in particular, to the last time someone physically sabotaged Natanz with malware.

So, what happened in Natanz?

It has only been 24 hours since the attack on Natanz occurred. Details are scant at the time of this writing, but the broad strokes are below:

There are very strong historical precedents linking this current attack on Natanz with a series of attacks in the early ’10s on Natanz and Iran’s nuclear program as a whole. In particular, the history behind the 2010 Stuxnet attack serves as a good point to contextualize the current attack and understand how the world has changed over the last decade.

This is a period in history that I know a bit about.

Pepperidge Farm remembers

Stuxnet, the first malware to strike Natanz in 2010 and arguably the first “digital weapon” unleashed by a state sponsored hacker to physically sabotage an adversary. As a recent college grad, I worked on the collective community response to Stuxnet.

In 2010 I graduated college and became NetApp’s first associate product manager. My role was focused on cryptography and security — then niche areas of computing that at the time were more akin to working in insurance than being part of the “let’s go to Ruby Skye dressed in American Apparel swag already drunk off of our company’s Friday mixer” culture of period Silicon Valley.

That year turned out to be a turning point for cybersecurity. While cyber-espionage and what would later be known as state sponsored hacking had occurred prior to 2010, a major attack on the Iranian nuclear enrichment facility at Natanz proved to be a “crossing the Rubicon” moment for the field.

This attack was Stuxnet: a horrifyingly beautiful and bespoke malware that, once infiltrated into the Industrial Control Systems (ICS) of Iran’s dubiously acquired Siemens Supervisory Control and Data Acquisition (SCADA) systems physically sabotaged the facility’s nuclear enrichment capabilities. In essence, it was malware purpose-built to evade detection and cause a nuclear meltdown.

Stuxnet has become one of the historic and legendary cyberattacks in the history of information security. Books like Countdown to Zero Day and numerous press and conference papers have well analyzed how it served as the opening of Pandora’s Box for ICS and SCADA attacks. Stuxnet also showed that when provoked, powerful nation states were willing to cause significant infrastructural damage to an adversary using software.

No longer were infosec analysts and researchers attempting to stop computer virii or cyberattacks meant to steal information. We were trying to raise the cost of performing these attacks to disincentivize expert adversaries from creating another Chernobyl.

NetApp and Siemens had a deep technical relationship at this time. Siemens provided the core SCADA infrastructure while NetApp provided a storage option to host the application code that powered that infrastructure. While it was almost certain that our systems weren’t involved in the attack, data after the attack was similarly scarce and we joined the trove of other organizations attempting to unravel details behind what actually happened in Iran in a remote desert facility guarded by the Iranian Revolutionary Guard.

Countdown to Zero Day well captures the chaos of the first few months (and even year) following Stuxnet’s discovery, and I highly recommend folks read Zetter’s book to learn more about what happened.

But nearly a decade later, lots of the assumptions we had when first unpacking what happened with Stuxnet turned out to be false. And in some cases, things were both much better and worse off than what we thought at the time.

Was this really even a cyberattack?

The difficulty in crossing the air gap to deploy Stuxnet begs serious questions about whether the 2021 Natanz attacks were really cyberattacks

In both Stuxnet and the 2021 Natanz attacks, there is a 300 pound elephant of a question in the room: how the hell did someone infiltrate malware to cause physical damage to the facility?

Ten years ago and (especially) today, Natanz’s SCADA systems were almost certainly air gapped from the internet. Infiltrating the control systems in the facility would be far more complicated than a “normal” hack, as the adversary attacking Natanz would need to get their malware somehow into the SCADA or ICS systems of their target.

For Stuxnet, this mechanism was through physical access with a USB stick. An adversary would physically access a computer on the air gapped network. Once inserted into a Windows computer, the USB would deploy the malware which exploited a zero-day vulnerability to crawl through the network looking for instances of the Siemens SCADA software it targeted. If it did not find its target, Stuxnet went dormant. It seemingly did so to evade detection.

In the months following Stuxnet, these details weren’t known. The ability for Stuxnet to jump the air gap was a confusing and frightening proposition, provoking some questions about whether the adversary compromising Natanz had snuck in long-dormant source code into the Siemens control software via a supply chain attack similar to the attacks launched against Solarwinds a decade later.

It will likely be months, if not years, before the details of how the 2021 cyberattack crossed the air gap for Natanz’s systems. But the fact that somehow an adversary once again circumvented Natanz’s physical security either bodes ill for the Iranian Army and Revolutionary Guard defending the site or begs another question:

Was this really a cyberattack?

Since Stuxnet, Iran has been subject to a series of state sponsored cyberattacks against their critical military and civilian infrastructure. A year after Stuxnet, the Duqu malware marauded critical systems with Iran’s nuclear power and military command and control infrastructure. Duqu was heavily based on Stuxnet and used the same Windows zero-day vulnerabilities to deploy itself and begin bounding through an air gapped system.

Iranian cyberwarfare capabilities have advanced significantly since they were struck by Duqu and Stuxnet. Since the early 2010s, Iranian state sponsored hackers have successfully executed hundreds of cyberattacks on critical infrastructure in the United States and the Middle East. Targeted attacks against Israeli politicians and defense professionals have been attributed to Iranain cyberespionage, and Iranian hackers have compromised critical infrastructure of its regional adversaries in a manner not unlike Stuxnet and Duqu’s targeted attacks on their own infrastructure.

Given the above, it seems likely that Natanz’s security was hardened to defend against air gap circumventing cyberattacks. The physical security infrastructure in Natanz would likely have been significantly improved in the face of Stuxnet and Duqu, and Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) would likely have been introduced into the air gapped systems within Natanz to look for applications attempting to scour the privileged network for targets similar to the m.o. used by Stuxnet and Duqu.

Launching an attack in 2021 similar to Stuxnet must be much more difficult than deploying Stuxnet or Duqu a decade prior. Improved physical and defenses make the cost of deploying a cyberattack much higher than before. This has contributed to a prevailing theory in the infosec research community that the damage from the attack was either minimally (or not at all) attributable to a cyberattack.

Was cyberwarfare the “safe” option?

Unlike what happened in Stuxnet, the Iranian government and the Israeli government (whom Iran openly blames for the attack) have been surprisingly transparent about the 2021 Natanz attack.

The Iranian government responded quickly to the attacks, stating that they were the subject of “nuclear terrorism” and called on the IAEA to respond appropriately. Iran’s Foreign Minister also explicitly attributed the attack to Israel, noting:

“[T]he Zionists want to take revenge on the Iranian people for their success in lifting the oppressive sanctions, but we will not allow it and we will take revenge on the Zionists themselves.”

The Israeli government has also responded to the attacks, in a similar departure from how they responded to the Stuxnet attacks after their discovery. While they did not take ownership over the attacks, Israel’s Defense Minister responded to the attacks after a meeting with United States defense officials in Tel Aviv:

“We will work closely with our American allies to ensure that any new agreement with Iran will secure the vital interests of the world, of the United States, prevent a dangerous arms race in our region, and protect the state of Israel.”

The world has changed since 2010. It would have been inconceivable then to think that the American president would respond to a publicized direct action espionage with a Twitter shitpost. But even with the more brazen nature of modern espionage, it seems that both Israel and Iran have been unusually transparent about the attacks.

Given the complexity of deploying a Stuxnet-style cyberattack in modern Natanz, this begs the question if the tacit acceptance of the cyberattack narrative seems to be purposeful.

Critical infrastructure cyberattacks have become disturbingly normal. Despite the US government’s insistence that physical damage from a cyberattack constitutes an act of war, cyberattacks from state sponsored adversaries like Solarwinds which likely yielded physical consequences have not led to a publicized kinetic response or declaration of war.

One wonders if we have so normalized even critical state sponsored cyberattacks that they are the “safer” option. The attack on Natanz occurs in the context of a period of rising tension between Iran and Israel; Israeli mines have damaged an Iranian navy ship just 6 days prior to the disclosure of the attack, and Mossad-attributed assassinations of Iranian scientists have occurred within the the last 8 months.

Unless Israel and and Iran intend on going to war, it seems like attributing this to a cyberattack is the least escalatory way to respond to the attack on Natanz. There seems to be a common acceptance that countries regularly violate each other’s critical infrastructure in the 2020’s, with reprisal for those attacks occurring in the shadows.

TL;DR

We are in the very early days of what is likely to be another historic geopolitical cyberattack. If Stuxnet has anything to tell us about the 2021 Natanz blackout, it’s likely that we minimally understand what happened and the full context around the attack.

That being said, it’s clear that there are strong parallels between Stuxnet and the attack this last weekend at Natanz. There are also some unusual discrepancies between the two, and the lack of evidence (beyond unusually transparent Israeli media commentary) of an actual cyberattack seems to cast this attack on Natanz in a very different light than Stuxnet.

Only time well tell what really happened in Natanz over the last weekend. But one thing is clear: the world has changed enormously over the last decade.

Principal PM for Cryptography and Security Products @HashiCorp. Formerly Defense/NatSec & Crypto @NetApp, VC @GGVCapital + @AmplifyPartners