Through the darkness of the pathways that we marched, evil and good lived side by side.
And this is the nature of... of life.
We are in an unbalanced and inequivalent confrontation between democracies who are obliged to play by the rules and entities who think democracy is a joke.
You can't convince fanatics by saying, "hey, hatred paralyzes you, love releases you."
There are different rules that we have to play by.
Female newsreader: Today, two of Iran's top nuclear scientists were targeted by hit squads.
Female newsreader 2: ...In the capital Tehran.
Male newsreader: ...The latest in a string of attacks.
Female newsreader 3: Today's attack has all the hallmarks of major strategic sabotage.
Female newsreader 4: Iran immediately accused the U.S. and Israel of trying to damage its nuclear program.
Unfortunately, and without any doubt, in the assassinations which took place today Western countries and the Zionist regime were involved.
I want to categorically deny any United States involvement in any kind of act of violence inside Iran.
Covert actions can help, can assist.
They are needed, they are not all the time essential, and they, in no way, can replace political wisdom.
Alex Gibney: Were the assassinations in Iran related to the STUXnet computer attacks?
Uh, next question, please.
Male newsreader: Iran's infrastructure is being targeted by a new and dangerously powerful cyber worm.
The so-called STUXnet worm is specifically designed, it seems, to infiltrate and sabotage real-world power plants and factories and refineries.
Male newsreader 2: It's not trying to steal information or grab your credit card, they're trying to get into some sort of industrial plant and wreak havoc trying to blow up an engine or...
The Stuxnet virus has made attacks worldwide.
Male newsreader 3:
In Iran alone it was identified 30 thousand times.
A super computer virus has put on alert several countries' secret services.
The information could be in the reach of terrorists.
Male newsreader 4: No one knows who's behind the worm and the exact nature of its mission, but there are fears Iran will hold Israel or America responsible and seek retaliation.
Male newsreader 5: It's not impossible that some group of hackers did it, but the security experts that are studying this really think this required the resource of a nation-state.
Man: Okay, and spinning.
Gibney: Okay, good. Here we go.
What impact, ultimately, did the STUXnet attack have?
Can you say?
I don't want to get into the details.
Gibney: Since the event has already happened, why can't we talk more openly and publicly about STUXnet?
Yeah, I mean, my answer is because it's classified.
I... I won't knowledge... you know, knowingly offer up anything I consider classified.
Gibney: I know that you can't talk much about STUXnet, because STUXnet is officially classified.
You're right on both those counts.
Gibney: But there has been a lot reported about it in the press.
I don't want to comment on this.
I read it in the newspaper, the media, like you, but I'm unable to elaborate upon it.
People might find it frustrating not to be able to talk about it when it's in the public domain, but...
Gibney: I find it frustrating.
Yeah, I'm sure you do.
I don't answer that question.
Unfortunately, I can't comment.
I do not know how to answer that.
Two answers before you even get started, I don't know, and if I did, we wouldn't talk about it anyway.
Gibney: How can you have a debate if everything's secret?
I think right now that's just where we are.
No one wants to...
Countries aren't happy about confessing or owning up to what they did because they're not quite sure where they want the system to go.
And so whoever was behind STUXnet hasn't admitted they were behind it.
Gibney: Asking officials about STUXnet was frustrating and surreal, like asking the emperor about his new clothes.
Even after the cyber weapon had penetrated computers all over the world, no one was willing to admit it was loose or talk about the dangers it posed.
What was it about the STUXnet operation that was hiding in plain sight?
Maybe there was a way the computer code could speak for itself.
STUXnet first surfaced in Belarus.
I started with a call to the man who discovered it when his clients in Iran began to panic over an epidemic of computer shutdowns.
Had you ever seen anything quite so sophisticated before?
I have seen very sophisticated viruses before, but they didn't have...
this kind of... zero day.
It was the first time in my practice.
That led me to understand that I should notify web security companies ASAP about the fact that such a danger exists.
Eric Chien: On a daily basis, basically we are sifting through a massive haystack looking for that proverbial needle.
We get millions of pieces of new malicious threats and there are millions of attacks going on every single day.
And only way are trying to protect people and their computers and... and their systems and countries' infrastructure from being taken down by those attacks.
But more importantly, we have to find the attacks that matter.
When you're talking about that many, impact is extremely important.
Eugene Kaspersky: Twenty years ago, the antivirus companies, they were hunting for computer viruses because there were not so many.
So we had, like, tens of dozens a month, and there was just little numbers.
Now, we collect millions of unique attacks every month.
Vitaly Kamluk: This room we call a woodpecker's room or a virus lab, and this is where virus analysts sit.
We call them woodpeckers because they are pecking the worms, network worms, and viruses.
And we see, like, three different groups of hackers behind cyber-attacks.
They are traditional cyber criminals.
Those guys are interested only in illegal profit.
And quick and dirty money.
Activists, or hacktivists, they are hacking for fun or hacking to push some political message.
And the third group is nation-states.
They're interested in high-quality intelligence or sabotage activity.
Chien: Security companies not only share information but we also share binary samples.
So when this threat was found by a Belarusian security company on one of their customer's machines in Iran, the sample was shared amongst the security community.
When we try to name threats, we just try to pick some sort of string, some sort of words, that are inside of the binary.
In this case, there was a couple of words in there and we took pieces of each, and that formed STUXnet.
I got the news about STUXnet from one of my engineers.
He came to my office, opened the door, and he said, "so, Eugene, of course you know that we are waiting for something really bad.
Gibney: Give me some sense of what it was like in the lab at that time.
Was there a palpable sense of amazement that you had something really different there?
Well, I wouldn't call it amazement.
It was a kind of a shock.
It went beyond our worst fears, our worst nightmares, and this continued the more we analyzed.
The more we researched, the more bizarre the whole story got.
We look at so much malware every day that we can just look at the code and straightaway we can say, "okay, there's something bad going on here, and I need to investigate that."
And that's the way it was when we looked at STUXnet for the first time.
We opened it up and there was just bad things everywhere.
Just like, okay, this is bad and that's bad, and, you know, we need to investigate this.
And just suddenly we had, like, a hundred questions straightaway.
The most interesting thing that we do is detective work where we try to track down who's behind a threat, what are they doing, what's their motivation, and try to really stop it at the root.
And it is kind of all-consuming.
You get this new puzzle and it's very difficult to put it down, you know, work until, like, 4:00 am in the morning and figure these things out.
And I was in that zone where I was very consumed by this, very excited about it, very interested to know what was happening.
And Eric was also in that same sort of zone.
So the two of us were, like, back and forth all the time.
Chien: Liam and I continued to grind at the code, sharing pieces, comparing notes, bouncing ideas off of each other.
We realized that we needed to do what we called deep analysis, pick apart the threat, every single byte, every single zero, one, and understand everything that was inside of it.
And just to give you some context, we can go through and understand every line of code for the average threat in minutes.
And here we are one month into this threat and we were just starting to discover what we call the payload or its whole purpose.
When looking at the STUXnet code, it's 20 times the size of the average piece of code but contains almost no bugs inside of it.
And that's extremely rare.
Malicious code always has bugs inside of it.
This wasn't the case with STUXnet.
It's dense and every piece of code does something and does something right in order to conduct its attack.
One of the things that surprised us was that STUXnet utilized what's called a zero-day exploit, or basically, a piece of code that allows it to spread without you having to do anything.
You don't have to, for example, download a file and run it.
A zero-day exploit is an exploit that nobody knows about except the attacker.
So there's no protection against it.
There's been no patch released.
There's been zero days protection, you know, against it.
That's what attackers value, because they know 100 percent if they have this zero-day exploit, they can get in wherever they want.
They're actually very valuable.
You can sell these on the underground for hundreds of thousands of dollars.
Chien: Then we became more worried because immediately we discovered more zero days.
And again, these zero days are extremely rare.
Inside STUXnet we had, you know, four zero days, and for the entire rest of the year, we only saw 12 zero days used.
It blows all... everything else out of the water.
We've never seen this before.
Actually, we've never seen it since, either.
Seeing one in a malware you could understand because, you know, the malware authors are making money, they're stealing people's credit cards and making money, so it's worth their while to use it, but seeing four zero days, could be worth half a million dollars right there, used in one piece of malware, this is not your ordinary criminal gangs doing this.
This is... this is someone bigger.
It's definitely not traditional crime, not hacktivists. Who else?
It was evident on a very early stage that just given the sophistication of this malware...
Suggested that there must have been a nation-state involved, at least one nation-state involved in the development.
When we look at code that's coming from what appears to be a state attacker or state-sponsored attacker, usually they're scrubbed clean.
They don't... they don't leave little bits behind.
They don't leave little hints behind.
But in STUXnet there were actually a few hints left behind.
One was that, in order to get low-level access to Microsoft Windows, STUXnet needed to use a digital certificate, which certifies that this piece of code came from a particular company.
Now, those attackers obviously couldn't go to Microsoft and say, "hey, test our code out for us.
And give us a digital certificate."
So they essentially stole them...
From two companies in Taiwan.
And these two companies have nothing to do with each other except for their close proximity in the exact same business park.
Digital certificates are guarded very, very closely behind multiple doors and they require multiple people to unlock.
Security: ...To the camera.
Chien: And they need to provide both biometrics
- and, as well, pass phrases.
It wasn't like those certificates were just sitting on some machine connected to the Internet.
Some human assets had to be involved, spies.
O'Murchu: Like a cleaner who comes in at night and has stolen these certificates from these companies.
It did feel like walking onto the set of this James Bond movie and you...
You've been embroiled in this thing that, you know, you... you never expected.
We continued to search, and we continued to search in code, and eventually we found some other bread crumbs left we were able to follow.
It was doing something with Siemens, Siemens software, possibly Siemens hardware.
We'd never ever seen that in any malware before, something targeting Siemens.
We didn't even know why they would be doing that.
But after googling, very quickly we understood it was targeting Siemens PLCs.
STUXnet was targeting a very specific hardware device, something called a PLC or a programmable logic controller.
Langner: The PLC is kind of a very small computer attached to physical equipment, like pumps, like valves, like motors.
So this little box is running a digital program and the actions of this program turns that motor on, off, or sets a specific speed.
Chien: Those program module controllers control things like power plants, power grids.
O'Murchu: This is used in factories, it's used in critical infrastructure.
Critical infrastructure, it's everywhere around us, transportation, telecommunications, financial services, health care.
So the payload of STUXnet was designed to attack some very important part of our world.
The payload is gonna be important.
What happens there could be very dangerous.
Langner: The next very big surprise came when it infected our lab system.
We figured out that the malware was probing for controllers.
It was quite picky on its targets.
It didn't try to manipulate any given controller in a network that it would see.
It went through several checks, and when those checks failed, it would not implement the attack.
It was obviously probing for a specific target.
You've got to put this in context that, at the time, we already knew, well, this is the most sophisticated piece of malware that we have ever seen.
So it's kind of strange.
Somebody takes that huge effort to hit one specific target?
Well, that must be quite a significant target.
Chien: So at Symantec we have probes on networks all over the world watching for malicious activity.
O'Murchu: We'd actually seen infections of STUXnet all over the world, in the U.S., Australia, in the U.K., in France, Germany, all over Europe.
Chien: It spread to any Windows machine in the entire world.
You know, we had these organizations inside the United States who were in charge of industrial control facilities saying, "we're infected. What's gonna happen?"
O'Murchu: We didn't know if there was a deadline coming up where this threat would trigger and suddenly would, like, turn off all, you know, electricity plants around the world or it would start shutting things down or launching some attack.
We knew that STUXnet could have very dire consequences, and we were very worried about what the payload contained and there was an imperative speed that we had to race and try and, you know, beat this ticking bomb.
Eventually, we were able to refine the statistics a little and we saw that Iran was the number one infected country in the world.
Chien: That immediately raised our eyebrows.
We had never seen a threat before where it was predominantly in Iran.
And so we began to follow what was going on in the geopolitical world, what was happening in the general news.
And at that time, there were actually multiple explosions of gas pipelines going in and out of Iran.
O'Murchu: And of course, we did notice that at the time there had been assassinations of nuclear scientists.
So that was worrying.
We knew there was something bad happening.
Gibney: Did you get concerned for yourself?
I mean, did you begin to start looking over your shoulder from time to time?
Yeah, definitely looking over my shoulder and... and being careful about what I spoke about on the phone.
I was... pretty confident my conversations on my...
On the phone were being listened to.
We were only half joking when we would look at each other and tell each other things like, "look, I'm not suicidal.
If I show up dead on Monday, you know, it wasn't me."
We'd been publishing information about STUXnet all through that summer.
And then in November, the industrial control system sort of expert in Holland contacted us...
And he said all of these devices that would be inside of an industrial control system hold a unique identifier number that identified the make and model of that device.
And we actually had a couple of these numbers in the code that we didn't know what they were.
And so we realized maybe what he was referring to was the magic numbers we had.
And then when we searched for those magic numbers in that context, we saw that what had to be connected to this industrial control system that was being targeted were something called frequency converters from two specific manufacturers, one of which was in Iran.
And so at this time, we absolutely knew that the facility that was being targeted had to be in Iran and had equipment made from Iranian manufacturers.
When we looked up those frequency converters, we immediately found out that they were actually export controlled by the nuclear regulatory commission.
And that immediately lead us then to some nuclear facility.
Gibney: This was more than a computer story, so I left the world of the antivirus detectives and sought out journalist, David Sanger, who specialized in the strange intersection of cyber, nuclear weapons, and espionage.
Sanger: The emergence of the code is what put me on alert that an attack was under way.
And because of the covert nature of the operation, not only were official government spokesmen unable to talk about it, they didn't even know about it.
Eventually, the more I dug into it, the more I began to find individuals who had been involved in some piece of it or who had witnessed some piece of it.
And that meant talking to Americans, talking to Israelis, talking to Europeans, because this was obviously the first, biggest, and most sophisticated example of a state or two states using a cyber weapon for offensive purposes.
I came to this with a fair bit of history, understanding the Iranian nuclear program.
How did Iran get its first nuclear reactor?
We gave it to them... under the Shah, because the Shah was considered an American ally.
Thank you again for your warm welcome, Mr. President.
Gary Samore: During the Nixon administration, the U.S. was very enthusiastic about supporting the Shah's nuclear power program.
And at one point, the Nixon administration was pushing the idea that Pakistan and Iran should build a joint plant together in Iran.
There's at least some evidence that the Shah was thinking about acquisition of nuclear weapons, because he saw, and we were encouraging him to see Iran as the so-called policemen of the Persian Gulf.
And the Iranians have always viewed themselves as naturally the dominant power in the Middle East.
Why is it normal for you, the Germans and the British, to have... atomic and hydrogen weapons, and for Iran, the simple principle of self-defense the defense of its interests, a problem, while for others it is totally normal?
Samore: But the revolution, which overthrew the Shah in '79, really curtailed the program before it ever got any head of steam going.
Part of our policy against Iran after the revolution was to deny them nuclear technology.
So most of the period when I was involved in the '80s and the '90s was the U.S. running around the world and persuading potential nuclear suppliers not to provide even peaceful nuclear technology to Iran.
And what we missed was the clandestine transfer in the mid-1980s from Pakistan to Iran.
Rolf Mowatt-Larssen: Abdul Qadeer Khan is what we would call the father of the Pakistan nuclear program.
He had the full authority and confidence of the Pakistan government from its inception to the production of nuclear weapons.
I was a CIA officer for... for...
For over two decades, operations officer, worked overseas most of my career.
The A.Q. Khan network is so notable because aside from building the Pakistani program for decades...
It also was the means by which other countries were able to develop nuclear weapons, including Iran.
Samore: A.Q. Khan acting on behalf of the Pakistani government negotiated with officials in Iran and then there was a transfer which took place through Dubai of blueprints for nuclear weapons design as well as some hardware.
Throughout the mid-1980s, the Iranian program was not very well-resourced.
It was more of an R & D program.
It wasn't really until the mid-'90s that it started to take off when they made the decision to build the nuclear weapons program.
You know, we can speculate what, in their mind, motivated them.
I think it was the U.S. invasion of Iraq after Kuwait.
You know, there was an eight-year war between Iraq and Iran, we had wiped out Saddam's forces in a matter of weeks.
And I think that was enough to convince the rulers in Tehran that they needed to pursue nuclear weapons more seriously.
George Bush: States like these and their terrorist allies constitute an axis of evil, arming to threaten the peace of the world.
Samore: From 2003 to 2005 when they feared that the U.S. would invade them, they accepted limits on their nuclear program.
But by 2006, the Iranians had come to the conclusion that the U.S. was bogged down in Afghanistan and Iraq and no longer had the capacity to threaten them, and so they felt it was safe to resume their enrichment program they started producing low enriched uranium, producing more centrifuges, installing them at the large-scale underground enrichment facility at Natanz.
For a journalist, passing through these underground tunnels and visiting the beating heart of Iran's nuclear plant is quite an event.
The president's visit to the plant today had made this event possible for us.
The West tells us that we have to negotiate with them for like ten years Ahmadinejad: and then they will decide whether Iran may have 20 centrifuges or not.
Of course the Iranian nation says no to them.
Today, about 7,000 of these machines are working under the ground right over there.
Gibney: How many times have you been to Natanz?
Not that many, because I left few years ago, the CIA, but I was there quite... quite a few times.
Natanz is just in the middle of the desert.
When they were building it in secret, they were calling it desert irrigation facility.
For the local people, you want to sell why you are building a big complex.
There is a lot of artillery and air force.
It's better protected against attack from air than any other nuclear installation I have seen.
So this is deeply underground.
But then inside, Natanz is like any other centrifuge facility.
I have been all over the world, from Brazil to Russia, Japan, so they are all alike with their own features, their own centrifuges, their own culture, but basically, the process is the same.
And so are the monitoring activities of the IAEA.
There are basic principles.
You want to see what goes in, what goes out, and then on top of that you make sure that it produces low enriched uranium instead of anything to do with the higher enrichments and nuclear weapon grade uranium.
Emad Kiyaei: Iran's nuclear facilities are under 24-hour watch.
Of the United Nations nuclear watchdog, the IAEA, the International Atomic Energy Agency.
Every single gram of Iranian fissile material...
Is accounted for.
They have, like, basically seals they put on fissile materials. There are IAEA seals.
You can't break it without getting noticed.
Heinonen: When you look at the uranium which was there in Natanz, it was a very special uranium.
This is called Isotope 236, and that was a puzzle to us, because you only see this sort of uranium in states which have had nuclear weapons.
We realized that they had cheated us.
This sort of equipment has been bought from what they call a black market.
They never pointed out it to A.Q. Khan at that point of time.
What I was surprised was the sophistication and the quality control and the way they have the manufacturing was really professional.
It was not something, you know, you just create in a few months' time.
This was a result of a long process.
A centrifuge, you feed uranium gas in and you have a cascade, thousands of centrifuges, and from the other end you get enriched uranium out.
It separates uranium based on spinning the rotors.
It spins so fast, 300 meters per second, the same as the velocity of sound.
These are tremendous forces and as a result, the rotor, it twists, looks like a banana at one point of time.
So it has to be balanced because any small vibration it will blow up.
And here comes another trouble.
You have to raise the temperature but this very thin rotor was...
They are made from carbon fiber, and the other pieces, they are made from metal.
When you heat carbon fiber, it shrinks.
When you heat metal, it expands.
So you need to balance not only that they spin, they twist, but this temperature behavior in such a way that it doesn't break.
So this has to be very precise.
This is what makes them very difficult to manufacture.
You can model it, you can calculate it, but at the very end, it's actually based on practice and experience.
So it's a... it's a piece of art, so to say.
Because of the strength of our nation, our army and our revolutionary guard Our dawn became eternal by the glow of success Morning of dreams rises from the shores The branches of life have sprouted May this victory be Blessed Heinonen: Iranians are very proud of their centrifuges.
They have a lot of public relations videos given up always in April when they have what they call a national nuclear day.
Blessed be this holy spring Man:
Blessed be the gardener I proudly announce that from today on, Iran is among the countries that can produce nuclear fuel.
Kiyaei: Ahmadinejad came into his presidency saying if the international community wants to derail us we will stand up to it.
If they want us to sign more inspections and more additional protocols and other measures, no, we will not. We will fight for our rights.
Iran is a signature to nuclear non-proliferation treaty, and under that treaty, Iran has a right to a nuclear program.
We can have enrichment. Who are you, world powers, to come and tell us that we cannot have enrichment?
This was his mantra, and it galvanized the public.
Sanger: By 2007, 2008, the U.S. government was in a very bad place with the Iranian program.
President Bush recognized that he could not even come out in public and declare that the Iranians were building a nuclear weapon, because by this time, he had gone through the entire WMD fiasco in Iraq.
He could not really take military action.
Condoleezza Rice said to him at one point, "you know, Mr. President, I think you've invaded your last Muslim country, even for the best of reasons."
He didn't want to let the Israelis conduct a military operation.
It's 1938, and Iran is Germany and it's racing...
To arm itself with atomic bombs.
Iran's nuclear ambitions must be stopped.
They have to be stopped. We all have to stop it, now.
That's the one message I have for you today.
Israel was saying they were gonna bomb Iran.
And the government here in Washington did all sorts of scenarios about what would happen if that Israeli attack occurred.
They were all very ugly scenarios.
Our belief was that if they went on their own knowing the limitations...
No, they're a very good air force, all right?
But it's small and the distances are great and the target's disbursed and hardened, all right?
If they would have attempted a raid on a military plane, we would have been assuming that they were assuming we would finish that which they started.
In other words, there would be many of us in government thinking that the purpose of the raid wasn't to destroy the Iranian nuclear system, but the purpose of the raid was to put us at war with Iran.
Israel is very much concerned about Iran's nuclear program, more than the United States.
It's only natural because of the size of the country, because we live in this neighborhood, America lives thousands and thousands miles away from Iran.
The two countries agreed on the goal.
There is no page between us that Iran should not have a nuclear military capability.
There are some differences on how to... how to achieve it and when action is needed.
The origin of corruption (Israel) will be wiped off the face of the Earth.
Yadlin: We are taking very seriously leaders of countries who call to the destruction and annihilation of our people.
If Iran will get nuclear weapons, now or in the future...
It means that for the first time in human history Islamic zealots, religious zealots, will get their hand on the most dangerous, devastating weapons, and the world should prevent this.
Samore: The Israelis believe that the Iranian leadership has already made the decision to build nuclear weapons when they think they can get away with it.
The view in the U.S. is that the Iranians haven't made that final decision yet.
To me, that doesn't make any difference.
I mean, it really doesn't make any difference, and it's probably unknowable, unless you can put, you know, Supreme Leader Khamenei on the couch and interview him.
I think, you know, from our standpoint, stopping Iran from getting the threshold capacity is, you know, the primary policy objective.
Once they have the fissile material, once they have the capacity to produce nuclear weapons, then the game is lost.
Hayden: President Bush once said to me, he said, "Mike, I don't want any president ever to be faced with only two options, bombing or the bomb."
He... he wanted options that... that made it...
Made it far less likely he or his successor or successors would ever get to that point where that's... that's all you've got.
We wanted to be energetic enough in pursuing this problem that... that the Israelis would certainly believe, "yeah, we get it."
The intelligence cooperation between Israel and the United States is very, very good.
And therefore, the Israelis went to the Americans and said, "okay, guys, you don't want us to bomb Iran.
Okay, let's do it differently."
And then the American intelligence community started rolling in joint forces with the Israeli intelligence community.
One day a group of intelligence and military officials showed up in President Bush's office and said, "sir, we have an idea.
It's a big risk.
It might not work, but here it is."
Langner: Moving forward in my analysis of the codes, I took a closer look at the photographs that had been published by the Iranians themselves in a press tour from 2008 of Ahmadinejad and the shiny centrifuges.
Sanger: Well, photographs of Ahmadinejad going through the centrifuges at Natanz had provided some very important clues.
There was a huge amount to be learned.
First of all, those photographs showed many of the individuals who were guiding Ahmadinejad through the program.
And there's one very famous photograph that shows Ahmadinejad being shown something.
You see his face, you can't see what's on the computer.
And one of the scientists who was behind him was assassinated a few months later.
Langner: In one of those photographs, you could see parts of a computer screen.
We... we refer to that as a SCADA screen.
The SCADA system is basically a piece of software running on a computer.
It enables the operators to monitor the processes.
What you could see when you look close enough was a more detailed view of the configuration there were these six groups of centrifuges and each group had 164 entries.
And guess what?
That was a perfect match to what we saw in the attack code.
It was absolutely clear that this piece of code was attacking an array of six different groups of, let's just say, thingies, physical objects, and in those six groups, there were 164 elements.
Gibney: Were you able to do any actual physical tests?
Or it was all just code analysis?
Yeah, so, you know, we obviously couldn't set up our own sort of nuclear enrichment facility.
So... but what we did was we did obtain some PLCs, the exact models.
We then ordered an air pump, and that's what we used sort of as our sort of proof of concept.
O'Murchu: We needed a visual demonstration to show people what we discovered.
So we thought of different things that we could do, and we... we settled on blowing up a balloon.
We were able to write a program that would inflate a balloon, and it was set to stop after five seconds.
So it would inflate the balloon to a certain size but it wouldn't burst the balloon and it was all safe.
And we showed everybody, this is the code that's on the PLC.
And the timer says, "stop after five seconds."
We know that's what's going to happen.
And then we would infect the computer with STUXnet, and we would run the test again.
Here is a piece of software that should only exist in a cyber realm and it is able to affect physical equipment in a plant or factory and cause physical damage.
Real-world physical destruction.
At that time, things became very scary to us.
Here you had malware potentially killing people and that was something that was always Hollywood-esque to us that we'd always laugh at when people made that kind of assertion.
Gibney: At this point, you had to have started developing theories as to who had built STUXnet.
It wasn't lost on us that there were probably only a few countries in the world that would want and have the motivation to sabotage Iran's nuclear enrichment facility.
The U.S. government would be up there.
Israeli government certainly would be... would be up there.
You know, maybe U.K., France, Germany, those sorts of countries, but we never found any information that would tie it back 100 percent to... to those countries.
There are no telltale signs.
You know, the attackers don't leave a message inside saying, you know, "it was me."
And even if they did, all of that stuff can be faked.
So it's very, very difficult to do attribution when looking at computer code.
Gibney: Subsequent work that's been done leads us to believe that this was the work of a collaboration between Israel and the United States.
Gibney: Did you have any evidence in terms of your analysis that would lead you to believe that that's correct also?
Nothing that I could talk about on camera.
Gibney: Well, can I ask why?
Well, you can, but I won't answer.
Gibney: But even in the case of nation-states, I mean, one of the concerns is...
Gibney: This was beginning to really piss me off.
Even civilians with an interest in telling the STUXnet story were refusing to address the role of Tel Aviv and Washington. But luckily for me, while D.C. is a city of secrets, it is also a city of leaks.
They're as regular as a heartbeat and just as hard to stop.
That's what I was counting on.
Finally, after speaking to a number of people on background, I did find a way of confirming, on the record, the American role in STUXnet.
In exchange for details of the operation, I had to agree to find a way to disguise the source of the information.
Gibney: We're good? Man: We're on.
Gibney: So the first question I have to ask you is about secrecy.
I mean, at this point, everyone knows about STUXnet.
Why can't we talk about it?
It's a covert operation.
Gibney: Not anymore.
I mean, we know what happened, we know who did it.
Well, maybe you don't know as much as you think you know.
Gibney: Well, I'm talking to you because I want to get the story right.
Well, that's the same reason I'm talking to you.
Gibney: Even though it's a covert operation?
Look, this is not a Snowden kind of thing, okay?
I think what he did was wrong.
He went too far. He gave away too much.
Unlike Snowden, who was a contractor, I was in NSA.
I believe in the agency, so what I'm willing to give you will be limited, but we're talking because everyone's getting the story wrong and we have to get it right.
We have to understand these new weapons.
The stakes are too high.
Gibney: What do you mean?
We did STUXnet.
It's a fact.
You know, we came so fucking close to disaster, and we're still on the edge.
It was a huge multinational, interagency operation.
In the U.S. it was CIA, NSA, and the military Cyber Command.
From Britain, we used Iran intel out of GCHQ, but the main partner was Israel.
Over there, Mossad ran the show, and the technical work was done by Unit 8200.
Israel is really the key to the story.
Melman: Oh, traffic in Israel is so unpredictable.
Gibney: Yossi, how did you get into this whole STUXnet story?
I have been covering the Israeli intelligence in general, in the Mossad in particular for nearly 30 years.
In '82, I was a London-based correspondent and I covered a trial of terrorists, and I became more familiar with this topic of terrorism, and slowly but surely, I started covering it as a beat.
Israel, we live in a very rough neighborhood where the... the Democratic values, western values, are very rare.
But Israel pretends to be a free, Democratic, westernized society, posh neighborhoods, rich people, youngsters who are having almost similar mind-set to their American or western European counterparts.
On the other hand, you see a lot of scenes and events which resemble the real Middle East, terror attacks, radicals, fanatics, religious zealots.
I knew that Israel is trying to slow down Iran's nuclear program, and therefore, I came to the conclusion that if there was a virus infecting Iran's computers, it's... it's one more element in... in this larger picture based on past precedents.
Yadlin: 1981 I was an F-16 pilot, and we were told that, unlike our dream to do dogfights and to kill MIGs, we have to be prepared for a long-range mission to destroy a valuable target.
Nobody told us what is this very valuable strategic target.
It was 600 miles from Israel.
So we train our self to do the job, which was very difficult. No air refueling at that time.
No satellites for reconnaissance.
Fuel was on the limit.
Pilot: What? Whoa! Whoa!
Yadlin: At the end of the day, we accomplished the mission.
Gibney: Which was?
Yadlin: To destroy the Iraqi nuclear reactor near Baghdad, which was called Osirak.
And Iraq never was able to accomplish its ambition to have a nuclear bomb.
Melman: Amos Yadlin, General Yadlin, he was the head of the military intelligence.
The biggest unit within that organization was Unit 8200.
They'd block telephones, they'd block faxes, they're breaking into computers.
A decade ago, when Yadlin became the chief of military intelligence, there was no cyber warfare unit in 8200.
So they started recruiting very talented people, hackers either from the military or outside the military that can contribute to the project of building a cyber warfare unit.
Yadlin: In the 19th century, there were only Army and Navy.
In the 20th century, we got air power as a third dimension of war.
In the 21st century, cyber will be the fourth dimension of war.
It's another kind of weapon and it is for unlimited range in a very high speed and in a very low signature.
So this give you a huge opportunity...
And the superpowers have to change the way we think about warfare.
Finally we are transforming our military for a new kind of war that we're fighting now...
And for wars of tomorrow.
We have made our military better trained, better equipped, and better prepared to meet the threats facing America today and tomorrow and long in the future.
Sanger: Back in the end of the Bush Administration, people within the U.S. government were just beginning to convince President Bush to pour money into offensive cyber weapons.
STUXnet started off in the defense department.
Then Robert Gates, Secretary of Defense, reviewed this program and he said, "this program shouldn't be in the defense department.
This should really be under the covert authorities over in the intelligence world."
So the CIA was very deeply involved in this operation, while much of the coding work was done by The National Security Agency and Unit 8200, its Israeli equivalent, working together with a newly created military position called U.S. Cyber Command.
And interestingly, the director of The National Security Agency would also have a second role as the commander of U.S. Cyber Command.
And U.S. Cyber Command is located at Fort Meade in the same building as the NSA.
Col. Gary D. Brown: I was deployed for a year giving advice on air operations in Iraq and Afghanistan, and when I was returning home after that, the assignment I was given was to go to U.S. Cyber Command.
Cyber Command is a...
Is the military command that's responsible for essentially the conducting of the nation's military affairs in cyberspace.
The stated reason the United States decided it needed a Cyber Command was because of an event called Operation Buckshot Yankee.
Chris Inglis: In the fall of 2008, we found some adversaries inside of our classified networks.
While it wasn't completely true that we always assumed that we were successful at defending things at the barrier, at the... at the kind of perimeter that we might have between our networks and the outside world, there was a large confidence that we'd been mostly successful.
But that was a moment in time when we came to the quick conclusion that it... it's not really ever secure.
That then accelerated The Department of Defense's progress towards what ultimately became Cyber Command.
Good morning, sir. Cyber has one item for you today.
Earlier this week, Antok analysts detected a foreign adversary using known methods to access the U.S. military network.
We identified the malicious activity via data collected through our information assurance and signals from intelligence authorities and confirmed it was a cyber adversary.
We provided data to our cyber partners within the DOD...
You think of NSA as an institution that essentially uses its abilities in cyberspace to help defend communications in that space.
Cyber Command extends that capability by saying that they will then take responsibility to attack.
Hayden: NSA has no legal authority to attack.
It's never had it, I doubt that it ever will.
It might explain why U.S. Cyber Command is sitting out at Fort Meade on top of The National Security Agency, because NSA has the abilities to do these things.
Cyber Command has the authority to do these things.
And "these things" here refer to the cyber-attack.
This is a huge change for the nature of the intelligence agencies.
The NSA was supposed to be a code-making and code-breaking operation to monitor the communications of foreign powers and American adversaries in the defense of the United States.
But creating a Cyber Command meant using the same technology to do offense.
Once you get inside an adversary's computer networks, you put an implant in that network.
And we have tens of thousands of foreign computers and networks that the United States put implants in.
You can use it to monitor what's going across that network and you can use it to insert cyber weapons, malware.
If you can spy on a network, you can manipulate it.
It's already included.
The only thing you need is an act of will.
NSA source: I played a role in Iraq.
I can't tell you whether it was military or not, but I can tell you NSA had combat support teams in country.
And for the first time, units in the field had direct access to NSA intel.
Over time, we thought more about offense than defense, you know, more about attacking than intelligence.
In the old days, sigint units would try to track radios, but through NSA in Iraq, we had access to all the networks going in and out of the country.
And we hoovered up every text message, email, and phone call.
A complete surveillance state.
We could find the bad guys, say, a gang making IEDs, map their networks, and follow them in real time.
NSA source: And we could lock into cell phones even when they were off and send a fake text from a friend, suggest a meeting place, and then capture...
Soldier: 1A, clear to fire.
Soldier: Good shot.
Brown: A lot of the people that came to Cyber Command, the military guys, came directly from an assignment in Afghanistan or Iraq, 'cause those are the people with experience and expertise in operations, and those are the ones you want looking at this to see how cyber could facilitate traditional military operations.
NSA source: Fresh from the surge, I went to work at NSA in '07 in a supervisory capacity.
Gibney: Exactly where did you work?
NSA source: Fort Meade.
You know, I commuted to that massive complex every single day.
I was in TAO-S321, "The Roc."
Gibney: Okay, the TAO, The Roc?
Right, sorry. TAO is tailored access operations.
It's where NSA's hackers work.
Of course, we didn't call them that.
Gibney: What did you call them?
NSA source: On net operators.
They're the only people at NSA allowed to break in or attack on the Internet.
Inside TAO headquarters is The Roc, remote operations center.
If the U.S. government wants to get in somewhere, it goes to The Roc.
I mean, we were flooded with requests.
So many that we could only do about, mm, 30% of the missions that were requested of us at one time, through the web but also by hijacking shipments of parts.
You know, sometimes the CIA would assist inputting implants in machines, so once inside a target network, we could just...
Or we could attack.
Inside NSA was a strange kind of culture, like, two parts macho military and two parts cyber geek. I mean, I came from Iraq, so I was used to, "Yes, sir. No, sir."
But for the weapons programmers we needed more "think outside the box" types.
From cubicle to cubicle, you'd see lightsabers, Tribbles, those Naruto action figures, lots of Aqua Teen Hunger Force.
This one guy, they were mostly guys, who liked to wear a yellow hooded cape, he used a ton of gray Legos to build a massive Death Star.
Gibney: Were they all working on STUXnet?
NSA source: We never called it STUXnet.
That was the name invented by the antivirus guys.
When it hit the papers, we're not allowed to read about classified operations, even if it's in The New York Times.
We went out of our way to avoid the term.
I mean, saying "STUXnet" out loud was like saying "Voldemort" in Harry Potter.
The name that shall not be spoken.
Gibney: What did you call it then?
The Natanz attack, and this is out there already, was called Olympic Games or OG.
There was a huge operation to test the code on PLCs here are Fort Meade and in Sandia, New Mexico.
Remember during the Bush era when Libya turned over all the centrifuges?
Those were the same models the Iranians got from A.Q. Khan. P1s.
We took them to Oak Ridge and used them to test the code which demolished the insides.
At Dimona, the Israelis also tested on the P1s.
Then, partly by using our intel on Iran, we got the plans for the newer models, the IR-2s.
We tried out different attack vectors.
We ended up focusing on ways to destroy the rotor tubes.
In the tests we ran, we blew them apart.
They swept up the pieces, they put it on an airplane, they flew it to Washington, they stuck it in the truck, they drove it through the gates of the White House, and dumped the shards out on the conference room table in the Situation Room.
And then they invited President Bush to come down and take a look.
And when he could pick up the shard of a piece of centrifuge...
He was convinced this might be worth it, and he said, "go ahead and try."
Gibney: Was there legal concern inside the Bush Administration that this might be an act of undeclared war?
If there were concerns, I haven't found them.
That doesn't mean that they didn't exist and that some lawyers somewhere weren't concerned about it, but this was an entirely new territory.
At the time, there were really very few people who had expertise specifically on the law of war and cyber.
And basically what we did was looking at, okay, here's our broad direction.
Now, let's look... technically what can we do to facilitate this broad direction?
After that, maybe the... I would come in or one of my lawyers would come in and say, "okay, this is what we may do." Okay.
There are many things we can do, but we are not allowed to do them.
And then after that, there's still a final level that we look at and that's, what should we do?
Because there are many things that would be technically possible and technically legal but a bad idea.
For Natanz, it was a CIA-led operation, so we had to have agency sign-off.
Someone from the agency stood behind the operator and the analyst and gave the order to launch every attack.
Chien: Before they had even started this attack, they put inside of the code the kill date, a date at which it would stop operating.
O'Murchu: Cutoff dates, we don't normally see that in other threats, and you have to think, "well, why is there a cutoff date in there?"
And when you realize that, well, STUXnet was probably written by government and that there are laws regarding how you can use this sort of software, that there may have been a legal team who said, "no, you...
You need to have a cutoff date in there, and you can only do this and you can only go that far and we need to check if this is legal or not.
That date is a few days before Obama's inauguration.
So the theory was that this was an operation that needed to be stopped at a certain time because there was gonna be a handover and that more approval was needed.
Are you prepared to take the oath, senator?
I, Barack Hussein Obama...
I, Barack... Do solemnly swear...
I, Barack Hussein Obama, do solemnly swear...
Sanger: Olympic Games was reauthorized by President Obama in his first year in office, 2009.
It was fascinating because it was the first year of the Obama administration and they would talk to you endlessly about cyber defense.
Obama: We count on computer networks to deliver our oil and gas, our power, and our water.
We rely on them for public transportation and air traffic control.
But just as we failed in the past to invest in our physical infrastructure, our roads, our Bridges, and rails, we failed to invest in the security of our digital infrastructure.
Sanger: He was running East Room events trying to get people to focus on the need to defend cyber networks and defend American infrastructure.
But when you asked questions about the use of offensive cyber weapons, everything went dead.
White House wouldn't help, Pentagon wouldn't help, NSA wouldn't help.
Nobody would talk to you about it.
But when you dug into the budget for cyber spending during the Obama administration, what you discovered was much of it was being spent on offensive cyber weapons.
You see phrases like "Title 10 CNO."
Title 10 means operations for the U.S. military, and CNO means computer network operations.
This is considerable evidence that STUXnet was just the opening wedge of what is a much broader U.S. government effort now to develop an entire new class of weapons.
Chien: STUXnet wasn't just an evolution.
It was really a revolution in the threat landscape.
In the past, the vast majority of threats that we saw were always controlled by an operator somewhere.
They would infect your machines, but they would have what's called a callback or a command-and-control channel.
The threats would actually contact the operator and say, what do you want me to do next?
And the operator would send down commands and say, maybe, search through this directory, find these folders, find these files, upload these files to me, spread to this other machine, things of that nature.
But STUXnet couldn't have a command-and-control channel because once it got inside in Natanz it would not have been able to reach back out to the attackers.
The Natanz network is completely air gapped from the rest of the Internet.
It's not connected to the Internet.
It's its own isolated network.
Generally, getting across an air gap is...
Is one of the more difficult challenges that attackers will face just because of the fact that there... everything is in place to prevent that.
You know, everything, you know, the policies and procedures and the physical network that's in place is specifically designed to prevent you crossing the air gap.
But there's no truly air-gapped network in these real-world production environments.
People gotta get new code into Natanz.
People have to get log files off of this network in Natanz.
People have to upgrade equipment.
People have to upgrade computers.
This highlights one of the major security issues that we have in the field.
If you think, "well, nobody can attack this power plant or this chemical plant because it's not connected to the Internet," that's a bizarre illusion.
NSA source: The first time we introduced the code into Natanz we used human assets, maybe CIA, more likely Mossad, but our team was kept in the dark about the trade craft.
We heard rumors in Moscow, an Iranian laptop infected by a phony Siemens technician with a flash drive...
A double agent in Iran with access to Natanz, but I don't really know.
What we had to focus on was to write the code so that, once inside, the worm acted on its own.
They built in all the code and all the logic into the threat to be able to operate all by itself.
It had the ability to spread by itself.
It had the ability to figure out, do I have the right PLCs?
Have I arrived in Natanz? Am I at the target?
Langner: And when it's on target, it executes autonomously.
That also means you... you cannot call off the attack.
It was definitely the type of attack where someone had decided that this is what they wanted to do.
There was no turning back once STUXnet was released.
When it began to actually execute its payload, you would have a whole bunch of centrifuges in a huge array of cascades sitting in a big hall.
And then just off that hall you would have an operators room, the control panels in front of them, a big window where they could see into the hall.
Computers monitor the activities of all these centrifuges.
So a centrifuge, it's driven by an electrical motor.
And the speed of this electrical motor is controlled by another PLC, by another programmable logic controller.
Chien: STUXnet would wait for 13 days before doing anything, because 13 days is about the time it takes to actually fill an entire cascade of centrifuges with uranium.
They didn't want to attack when the centrifuges essentially were empty or at the beginning of the enrichment process.
What STUXnet did was it actually would sit there during the 13 days and basically record all of the normal activities that were happening and save it.
And once they saw them spinning for 13 days, then the attack occurred.
Centrifuges spin at incredible speeds, about 1,000 hertz.
Langner: They have a safe operating speed, 63,000 revolutions per minute.
Chien: STUXnet caused the uranium enrichment centrifuges to spin up to 1,400 hertz.
Langner: Up to 80,000 revolutions per minute.
What would happen was those centrifuges would go through what's called a resonance frequency.
It would go through a frequency at which the metal would basically vibrate uncontrollably and essentially shatter.
There'd be uranium gas everywhere.
And then the second attack they attempted was they actually tried to lower it to two hertz.
They were slowed down to almost standstill.
Chien: And at two hertz, sort of an opposite effect occurs.
You can imagine a toy top that you spin and as the top begins to slow down, it begins to wobble.
That's what would happen to these centrifuges.
They'd begin to wobble and essentially shatter and fall apart.
And instead of sending back to the computer what was really happening, it would send back that old data that it had recorded.
So the computer's sitting there thinking, "yep, running at 1,000 hertz, everything is fine.
Running at 1,000 hertz, everything is fine."
But those centrifuges are potentially spinning up wildly, a huge noise would occur.
It'd be like, you know, a jet engine.
So the operators then would know, "whoa, something is going wrong here."
They might look at their monitors and say, "hmm, it says it's 1,000 hertz," but they would hear that in the room something gravely bad was happening.
Not only are the operators fooled into thinking everything's normal, but also any kind of automated protective logic is fooled.
Chien: You can't just turn these centrifuges off.
They have to be brought down in a very controlled manner.
And so they would hit, literally, the big red button to initiate a graceful shutdown, and STUXnet intercepts that code.
So you would have these operators slamming on that button over and over again and nothing would happen.
Yadlin: If your cyber weapon is good enough, if your enemy is not aware of it, it is an ideal weapon, because the enemy even don't understand what is happening to it.
Gibney: Maybe even better if the enemy begins to doubt their own capability. Absolutely.
Certainly one must conclude that what happened at Natanz must have driven the engineers crazy, because the worst thing that can happen to a maintenance engineer is not being able to figure out what the cause of specific trouble is.
So they must have been analyzing themselves to death.
Heinonen: You know, you see centrifuges blowing up.
You look the computer screens, they go with the proper speed.
There's a proper gas pressure. Everything looks beautiful.
Sanger: Through 2009 it was going pretty smoothly.
Centrifuges were blowing up.
The International Atomic Energy Agency inspectors would go in to Natanz and they would see that whole sections of the centrifuges had been removed.
The United States knew from its intelligence channels that some Iranian scientists and engineers were being fired because the centrifuges were blowing up and the Iranians had assumed that this was because they had been making errors or manufacturing mistakes.
Clearly this was somebody's fault.
So the program was doing exactly what it was supposed to be doing, which was it was blowing up centrifuges and it was leaving no trace and leaving the Iranians to wonder what they got hit by.
This was the brilliance of Olympic Games.
You know, as a former director of a couple of big
3-letter agencies, slowing down 1,000 centrifuges in Natanz...
There was a need for... for... for buying time.
There was a need for slowing them down.
There was the need to try to push them to the negotiating table.
I mean, there are a lot of variables at play here.
Sanger: President Obama would go down into the Situation Room, and he would have laid out in front of him what they called the horse blanket, which was a giant schematic of the Natanz nuclear enrichment plan.
And the designers of Olympic Games would describe to him what kind of progress they made and look for him for the authorization to move on ahead to the next attack.
And at one point during those discussions, he said to a number of his aides, "you know, I have some concerns because once word of this gets out," and eventually he knew it would get out, "the Chinese may use it as an excuse for their attacks on us. The Russians might or others."
So he clearly had some misgivings, but they weren't big enough to stop him from going ahead with the program.
And then in 2010, a decision was made to change the code.
Our human assets weren't always able to get code updates into Natanz and we weren't told exactly why, but we were told we had to have a cyber solution for delivering the code.
But the delivery systems were tricky.
If they weren't aggressive enough, they wouldn't get in.
If they were too aggressive, they could spread and be discovered.
Chien: When we got the first sample, there was some configuration information inside of it.
And one of the pieces in there was a version number, 1.1 and that made us realize, well, look, this likely isn't the only copy.
We went back through our databases looking for anything that looks similar to STUXnet.
Chien: As we began to collect more samples, we found a few earlier versions of STUXnet.
O'Murchu: And when we analyzed that code, we saw that versions previous to 1.1 were a lot less aggressive.
The earlier version of STUXnet, it basically required humans to do a little bit of double clicking in order for it to spread from one computer to another.
And, so, what we believe after looking at that code is two things, one, either they didn't get in to Natanz with that earlier version, because it simply wasn't aggressive enough, wasn't able to jump over that air gap, and/or two, that payload as well didn't work properly, didn't work to their satisfaction, maybe was not explosive enough.
There were slightly different versions which were aimed at different parts of the centrifuge cascade.
Gibney: But the guys at Symantec figured you changed the code because the first variations couldn't get in and didn't work right.
We always found a way to get across the air gap.
At TAO, we laughed when people thought they were protected by an air gap.
And for OG, the early versions of the payload did work.
But what NSA did...
Was always low-key and subtle.
The problem was that Unit 8200, the Israelis, kept pushing us to be more aggressive.
Chien: The later version of STUXnet 1.1, that version had multiple ways of spreading.
Had the four zero days inside of it, for example, that allowed it to spread all by itself without you doing anything.
It could spread via network shares.
It could spread via USB keys.
It was able to spread via network exploits.
That's the sample that introduced us to stolen digital certificates.
That is the sample that, all of a sudden, became so noisy and caught the attention of the antivirus guys.
In the first sample we don't find that.
And this is very strange, because it tells us that in the process of this development the attackers were less concerned with operational security.
Chien: STUXnet actually kept a log inside of itself of all the machines that it infected along the way as it jumped from one machine to another to another to another.
And we were able to gather up all the samples that we could acquire, tens of thousands of samples. We extracted all of those logs.
O'Murchu: We could see the exact path that STUXnet took.
Chien: Eventually, we were able to trace back this version of STUXnet to ground zero, to the first five infections in the world.
The first five infections are all outside a Natanz plant, all inside of organizations inside of Iran, all organizations that are involved in industrial control systems and construction of industrial control facilities, clearly contractors who were working on the Natanz facility.
And the attackers knew that.
They were electrical companies. They were piping companies.
They were, you know, these sorts of companies.
And they knew... they knew the technicians from those companies would visit Natanz.
So they would infect these companies and then technicians would take their computer or their laptop or their USB...
That operator then goes down to Natanz and he plugs in his USB key, which has some code that he needs to update into Natanz, into the Natanz network, and now STUXnet is able to get inside Natanz and conduct its attack.
These five companies were specifically targeted to spread STUXnet into Natanz and that it wasn't that... that STUXnet escaped out of Natanz and then spread all over the world and it was this big mistake and "oh, it wasn't meant to spread that far but it really did."
No, that's not the way we see it.
The way we see it is that they wanted it to spread far so that they could get it into Natanz.
Someone decided that we're gonna create something new, something evolved, that's gonna be far, far, far more aggressive.
And we're okay, frankly, with it spreading all over the world to innocent machines in order to go after our target.
The Mossad had the role, had the... the assignment to deliver the virus to make sure that STUXnet would be put in place in Natanz to affect the centrifuges.
Meir Dagan, the head of Mossad, was under growing pressure from the prime minister, Benjamin Netanyahu, to produce results.
Inside The Roc, we were furious.
The Israelis took our code for the delivery system and changed it.
Then, on their own, without our agreement, they just fucking launched it.
2010 around the same time they started killing Iranian scientists...
And they fucked up the code!
Instead of hiding, the code started shutting down computers, so naturally, people noticed.
Because they were in a hurry, they opened Pandora's Box.
They let it out and it spread all over the world.
Gibney: The worm spread quickly but somehow it remained unseen until it was identified in Belarus.
Soon after, Israeli intelligence confirmed that it had made its way into the hands of the Russian federal security service, a successor to the KGB.
So it happened that the formula for a secret cyber weapon designed by the U.S. and Israel fell into the hands of Russia and the very country it was meant to attack.
They managed to create minor problems for a few of our centrifuges through the software that they had installed on electronic parts.
It was a naughty and immoral move by them but fortunately our experts discovered it and today they are not capable of ever doing it again.
Kiyaei: In international law, when some country or a coalition of countries targets a nuclear facility, it's a act of war.
Please, let's be frank here.
If it wasn't Iran, let's say a nuclear facility in United States...
Was targeted in the same way...
The American government would not sit by and let this go.
Gibney: STUXnet is an attack in peacetime on critical infrastructures.
Yes, it is. I'm... look, when I read about it, I read it, I go, "whoa, this is a big deal."
Sanger: The people who were running this program, including Leon Panetta, the Director of the CIA at the time, had to go down into the Situation Room and face President Obama, Vice President Biden and explain that this program was suddenly on the loose.
Vice President Biden, at one point during this discussion, sort of exploded in Biden-esque fashion and blamed the Israelis.
He said, "it must have been the Israelis who made a change in the code that enabled it to get out."
Richard Clarke: President Obama said to the senior leadership, "you told me it wouldn't get out of the network. It did.
You told me the Iranians would never figure out it was the United States. They did.
You told me it would have a huge affect on their nuclear program, and it didn't."
Sanger: The Natanz plant is inspected every couple of weeks by the International Atomic Energy Agency inspectors.
And if you line up what you know about the attacks with the inspection reports, you can see the effects.
Heinonen: If you go to the IAEA reports, they really show that all of those centrifuges were switched off and they were removed.
As much as almost couple of thousand got compromised.
When you put this altogether, I wouldn't be surprised if their program got delayed by the one year.
But go then to year 2012-13 and looking how the centrifuges started to come up again.
Kiyaei: Iran's number of centrifuges went up exponentially, to 20,000, with a stockpile of low enriched uranium.
This isn't... these are high numbers.
Iran's nuclear facilities expanded with the construction of Fordow and other highly protected facilities.
So ironically, cyber warfare...
Assassination of its nuclear scientists, economic sanctions, political isolation...
Iran has gone through "a" to "x" of every chorus of policy that the U.S., Israel, and those who ally with them have placed on Iran, and they have actually made Iran's nuclear program more advanced today than it was ever before.
Mossad Operative: This is a very very dangerous minefield that we are walking, and nations who decide to take these covert actions should be taking into consideration all the effects, including the moral effects.
I would say that this is the price that we have to pay in this... in this war, and our blade of righteousness shouldn't be so sharp.
Gibney: In Israel and in the United States, the blade of righteousness cut both ways, wounding the targets and the attackers.
When STUXnet infected American computers, the Department of Homeland Security, unaware of the cyber weapons launch by the NSA, devoted enormous resources trying to protect Americans from their own government.
We had met the enemy and it was us.
Seán Paul McGurk: The purpose of the watch stations that you see in front of you is to aggregate the data coming in from multiple feeds of what the cyber threats could be, so if we see threats we can provide real-time recommendations for both private companies, as well as federal agencies.
Can you give us a readout on this Stuxnet virus?
Yep, absolutely. We'd be more than happy to discuss that.
Female journalist: Seán, is it...
McGurk: Early July of 2010 we received a call that said that this piece of malware was discovered and could we take a look at it.
When we first started the analysis, there was that "oh, crap" moment, you know, where we sat there and said, this is something that's significant.
It's impacting industrial control.
It can disrupt it to the point where it could cause harm and not only damage to the equipment, but potentially harm or loss of life.
We were very concerned because STUXnet was something that we had not seen before.
So there wasn't a lot of sleep that night.
Basically, light up the phones, call everybody we know, inform the secretary, inform the White House, inform the other departments and agencies, wake up the world, and figure out what's going on with this particular malware.
Good morning, Chairman Lieberman, ranking member Collins.
Something as simple and innocuous as this becomes a challenge for all of us to maintain accountability control of our critical infrastructure systems.
This actually contains the STUXnet virus.
I've been asked on a number of occasions, "did you ever think this was us?"
And at... at no point did that ever really cross our mind, because we were looking at it from the standpoint of, is this something that's coming after the homeland?
You know, what... what's going to potentially impact, you know, our industrial control based here in the United States?
You know, I liken it to, you know, field of battle.
You don't think the sniper that's behind you is gonna be shooting at you, 'cause you expect him to be on your side.
We really don't know who the attacker was in the STUXnet case.
So help us understand a little more what this thing is whose origin and destination we don't understand.
Gibney: Did anybody ever give you any indication that it was something that they already knew about?
No, at no time did I get the impression from someone that that's okay, you know, get the little pat on the head, and... and scooted out the door.
I never received a stand-down order.
I never... no one ever asked, "stop looking at this."
Do we think that this was a nation-state actor and that there are a limited number of nation-states that have such advanced capacity?
Gibney: Seán McGurk, the Director of Cyber for the Department of Homeland Security, testified before the Senate about how he thought STUXnet was a terrifying threat to the United States.
Is that not a problem?
I don't... and... and how... how do you mean?
That STUXnet was a bad idea?
Gibney: No, no, no, just that before he knew what it was and what it attacks... Oh, I... I get it.
Gibney: Yeah... Yeah, he was responding to something that we...
Gibney: He thought it was a threat to critical infrastructure in the United States.
Yeah. The worm is loose!
Gibney: The worm is loose. I understand.
But there's... there's a further theory having to do with whether or not, following upon David Sanger...
I got the subplot, and who did that?
Was it the Israelis? And, yeah, I...
I truly don't know, and even though I don't know, I still can't talk about it, all right?
STUXnet was somebody's covert action, all right?
And the definition of covert action is an activity in which you want to have the hand of the actor forever hidden.
So by definition, it's gonna end up in this
"we don't talk about these things" box.
Sanger: To this day, the United States government has never acknowledged conducting any offensive cyber attack anywhere in the world.
But thanks to Mr. Snowden, we know that in 2012 President Obama issued an Executive Order that laid out some of the conditions under which cyber weapons can be used.
And interestingly, every use of a cyber weapon requires presidential sign-off.
That is only true in the physical world for nuclear weapons.
Clarke: Nuclear war and nuclear weapons are vastly different from cyber war and cyber weapons.
Having said that, there are some similarities.
And in the early 1960s, the United States government suddenly realized it had thousands of nuclear weapons, big ones and little ones, weapons on jeeps, weapons on submarines, and it really didn't have a doctrine.
It really didn't have a strategy.
It really didn't have an understanding at the policy level about how he was going to use all of these things.
And so academics started publishing unclassified documents about nuclear war and nuclear weapons.
Sanger: And the result was more than 20 years, in the United States, of very vigorous national debates about how we want to go use nuclear weapons.
And not only did that cause the Congress and people in the executive branch in Washington to think about these things, it caused the Russians to think about these things.
And out of that grew nuclear doctrine, mutual assured destruction, all of that complicated set of nuclear dynamics.
Today, on this vital issue at least, we have seen what can be accomplished when we pull together.
We can't have that discussion in a sensible way right now about cyber war and cyber weapons because everything is secret.
And when you get into a discussion with people in the government, people still in the government, people who have security clearances, you run into a brick wall.
Trying to stop Iran is really the... my number one job, and I think...
Host: And let me ask you, in that context, about the STUXnet computer virus potentially...
You can ask, but I won't comment.
Host: Can you tell us anything?
What do you think has had the most impact on their nuclear decision-making, the STUXnet virus?
I can't talk about STUXnet.
I can't even talk about the operation of Iran centrifuges.
Was the U.S. involved in any way in the development of STUXnet?
It's hard to get into any kind of comment on that till we've finished any... our examination.
But, sir, I'm not asking you if you think another country was involved.
I'm asking you if the U.S. was involved.
And we're... this is not something that we're gonna be able to answer at this point.
Look, for the longest time, I was in fear that I couldn't actually say the phrase
"computer network attack."
This stuff is hideously overclassified, and it gets into the way of a...
Of a mature public discussion as to what it is we as a democracy want our nation to be doing up here in the cyber domain.
Now, this is a former director of NSA and CIA saying this stuff is overclassified.
One of the reasons this is highly classified as it is this is a peculiar weapons system.
This is a weapons system that's come out of the espionage community, and... and so those people have a habit of secrecy.
Secrecy is still justifiable in certain cases to protect sources or to protect national security but when we deal with secrecy, don't hide behind it to use as an excuse to not disclose something properly that you know should be or that the American people need ultimately to see.
Gibney: While most government officials refused to acknowledge the operation, at least one key insider did leak parts of the story to the press.
In 2012, David Sanger wrote a detailed account of Olympic Games that unmasked the extensive joint operation between the U.S. and Israel to launch cyber attacks on Natanz.
Sanger: The publication of this story coming at a time that turned out that there were a number of other unrelated national security stories being published, lead to the announcement of investigations by the Attorney General.
Gibney: In... into the press and into the leaks?
Into the press and into the leaks.
Gibney: Soon after the article, the Obama administration targeted General James Cartwright in a criminal investigation for allegedly leaking classified details about STUXnet.
Journalist: There are reports of cyber attacks on the Iranian nuclear program that you ordered.
What's your reaction to this information getting out?
Well, first of all, I'm not gonna comment on the...
The details of... what are...
Supposed to be classified items.
Since I've been in office, my attitude has been zero tolerance for these kinds of leaks.
We have mechanisms in place where, if we can root out folks who have leaked, they will suffer consequences.
It became a significant issue and a very wide-ranging investigation in which I think most of the people who were cleared for Olympic Games at some point had been, you know, interviewed and so forth.
When STUXnet hit the media, they polygraphed everyone in our office, including people who didn't know shit.
You know, they polyed the interns, for God's sake.
These are criminal acts when they release information like this, and we will conduct thorough investigations as we have in the past.
Gibney: The administration never filed charges, possibly afraid that a prosecution would reveal classified details about STUXnet.
To this day, no one in the U.S. or Israeli governments has officially acknowledged the existence of the joint operation.
I would never compromise ongoing operations in the field, but we should be able to talk about capability.
We can talk about our...
Bunker busters, why not our cyber weapons?
I mean, the secrecy of the operation has been blown.
Our friends in Israel took a weapon that we jointly developed, in part to keep Israel from doing something crazy, and then used it on their own in a way that blew the cover of the operation and could have led to war.
And we can't talk about that?
Mowatt-Larssen: There's a way to talk about STUXnet.
That... to deny that it happened is... is foolish.
So the fact it happened is really what we're talking about here.
What does... what are the implications of the fact that we now are in a post-STUXnet world?
What I said to David Sanger was, "I understand the difference in destruction is dramatic, but this has the whiff of August 1945."
Somebody just used a new weapon, and this weapon will not be put back into the box.
I... I know no operational details and don't know what anyone did or didn't do before someone decided to use the weapon, all right.
I do know this.
If we go out and do something, most of the rest of the world now thinks that's the new standard and it's something that they now feel legitimated to do as well.
But the rules of engagement, international norms, treaty standards, they don't exist right now.
Brown: The law of war, because it began to develop so long ago is really dependent on thinking of things kinetically and the physical realm.
So for example, we think in terms of attacks.
You know an attack when it happens in the kinetic world.
It's not really much of a mystery.
But in cyberspace it is sort of confusing to think, how far do we have to go before something is considered an attack?
So we have to take all the vocabulary and the terms that we use in strategy and military operations and adapt them into the cyber realm.
Sanger: For nuclear we have these extensive inspection regimes.
The Russians come and look at our silos.
We go and look at their silos.
Bad as things get between the two countries, those inspection regimes have held up.
But working that our for... for cyber would be virtually impossible.
Where do you send your inspector?
Inside the laptop of, you know...
How many laptops are there in the United States and Russia?
It's much more difficult in the cyber area to construct an international regime based on treaty commitments and rules of the road and so forth.
Although, we've tried to have discussions with the Chinese and Russians and so forth about that, but it's very difficult.
Brown: Right now, the norm in cyberspace is do whatever you can get away with.
That's not a good norm, but it's the norm that we have.
That's the norm that's preferred by states that are engaging in lots of different kinds of activities that they feel are benefitting their national security.
Yadlin: Those who excel in cyber are trying to slow down the process of creating regulation.
Those who are victims we like the regulation to be in the open as... as soon as possible.
Brown: International law in this area is written by custom, and customary law requires a nation to say, this is what we did and this is why we did it.
And the U.S. doesn't want to push the law in that direction and so it chooses not to disclose its involvement.
And one of the reasons that I thought it was important to tell the story of Olympic Games was not simply because it's a cool spy story, it is, but it's because as a nation...
We need to have a debate about how we want to use cyber weapons because we are the most vulnerable nation on earth to cyber-attack ourselves.
McGurk: If you get up in the morning and turn off your alarm and make coffee and pump gas and use the ATM, you've touched industrial control systems.
It's what powers our lives.
And unfortunately, these systems are connected and interconnected in some ways that make them vulnerable.
Critical infrastructure systems generally were built years and years and years ago without security in mind and they didn't realize how things were gonna change, maybe they weren't even meant to be connected to the Internet.
And we've seen, through a lot of experimentation and through also, unfortunately, a lot of attacks that most of these systems are relatively easy for a sophisticated hacker to get into.
Let's say you took over the control system of a railway. You could switch tracks.
You could cause derailments of trains carrying explosive materials.
What if you were in the control system of gas pipelines and when a valve was supposed to be open, it was closed and the pressure built up and the pipeline exploded?
There are companies that run electric power generation or electric power distribution that we know have been hacked by foreign entities that have the ability to shut down the power grid.
Sanger: Imagine for a moment that not only all the power went off on the east coast, but the entire Internet came down.
Imagine what the economic impact of that is even if it only lasted for 24 hours.
Newsreader: According to the officials, Iran is the first country ever in the Middle East to actually be engaged in a cyber war with the United States and Israel.
If anything they said the recent cyber attacks were what encouraged them to plan to set up the cyber Army, which will gather computer scientists, programmers, software engineers...
Kiyaei: If you are a youth and you see assassination of a nuclear scientist, your nuclear facilities are getting attacked, wouldn't you join your national cyber Army?
Well, many did.
And that's why today, Iran has one of the largest...
Cyber armies in the world.
So whoever initiated this and was very proud of themselves to see that little dip in Iran's centrifuge numbers, should look back now and acknowledge that it was a major mistake.
Very quickly, Iran sent a message to the United States, very sophisticated message, and they did that with two attacks.
First, they attacked Saudi Aramco, the biggest oil company in the world, and wiped out every piece of software, every line of code, on 30,000 computer devices.
Then Iran did a surge attack on the American banks.
The most extensive attack on American banks ever launched from the Middle East, happening right now.
Newsreader: Millions of customers trying to bank online this week blocked, among the targets, Bank of America, PNC, and Wells Fargo.
The U.S. suspects hackers in Iran may be involved.
NSA source: When Iran hit our banks, we could have shut down their botnet, but the state department got nervous, because the servers weren't actually in Iran.
So until there was a diplomatic solution, Obama let the private sector deal with the problem.
I imagine that in the White House Situation Room people sat around and said...
Let me be clear, I don't imagine, I know.
People sat around in the White House Situation Room and said, "the Iranians have sent us a message which is essentially, 'stop attacking us in cyberspace the way you did at Natanz with STUXnet.
We can do it, too.'"
Melman: There are unintended consequences of the STUXnet attack.
You wanted to cause confusion and damage to the other side, but then the other side can do the same to you.
The monster turned against its creators, and now everyone is in this game.
They did a good job in showing the world, including the bad guys, what you would need to do in order to cause serious trouble that could lead to injuries and death.
It's inevitable that more countries will acquire the capacity to use cyber, both for espionage and for destructive activities.
And we've seen this in some of the recent conflicts that Russia's been involved in.
If there's a war, then somebody will try to knock out our communication system or the radar.
McGurk: State-sponsored cyber sleeper cells, they're out there everywhere today.
It could be for communications purposes.
It could be for data exfiltration.
It could be to, you know, Shepherd in the next STUXnet.
I mean, you've been focusing on STUXnet, but that was just a small part of a much larger Iranian mission.
Gibney: There was a larger Iranian mission?
Nitro Zeus. NZ.
We spent hundreds of millions, maybe billions on it.
In the event the Israelis did attack Iran, we assumed we would be drawn into the conflict.
We built in attacks on Iran's command-and-control system so the Iranians couldn't talk to each other in a fight.
We infiltrated their iads, military air defense systems, so they couldn't shoot down our planes if we flew over.
We also went after their civilian support systems, power grids, transportation, communications, financial systems.
We were inside waiting, watching, ready to disrupt, degrade, and destroy those systems with cyber-attacks.
And in comparison, STUXnet was a back alley operation.
NZ was the plan for a full-scale cyber war with no attribution.
The question is, is that the kind of world we want to live in?
And if we don't, as citizens, how do we go about a process where we have a more sane discussion?
We need an entirely new way of thinking about how we're gonna solve this problem.
You're not going to get an entirely new way of solving this problem until you begin to have an open acknowledgement that we have cyber weapons as well, and that we may have to agree to some limits on their use if we're going to get other nations to limit their use.
It's not gonna be a one-way street.
I'm old enough to have worked on nuclear arms control and biological weapons arms control and chemical weapons arms control.
And I was told in each of those types of arms control, when we were beginning, "it's too hard. There are all these problems.
It's technical. There's engineering.
There's science involved.
There are real verification difficulties.
You'll never get there."
Well, it took 20, 30 years in some cases, but we have a biological weapons treaty that's pretty damn good.
We have a chemical weapons treaty that's pretty damn good.
We've got three or four nuclear weapons treaties.
Yes, it may be hard, and it may take 20 or 30 years, but it'll never happen unless you get serious about it, and it'll never happen unless you start it.
Today, after two years of negotiations, the United States, together with our international partners, has achieved something that decades of animosity has not, a comprehensive, long-term deal with Iran that will prevent it from obtaining a nuclear weapon.
It was reached in Lausanne, Switzerland, by Iran, the U.S., Britain, France, Germany, Russia, and China.
It is a deal in which Iran will cut its installed centrifuges by more than two thirds.
Iran will not enrich uranium with its advanced centrifuges for at least the next ten years.
It will make our country, our allies, and our world safer.
Netanyahu: Seventy years after the murder of 6 million Jews Iran's rulers promised to destroy my country, and the response from nearly every one of the governments represented here has been utter silence.
Perhaps you can now understand why Israel is not joining you in celebrating this deal.
History shows that America must lead, not just with our might, but with our principles.
It shows we're are stronger, not when we are alone, but when we bring the world together.
Today's announcement marks one more chapter in this pursuit of a safer and more helpful, more hopeful world. Thank you.
God bless you, and God bless the United States of America.
NSA source: Everyone I know is basically thrilled with the Iran deal.
Sanctions and diplomacy worked.
But behind that deal was a lot of confidence in our cyber capability.
We were everywhere inside Iran. Still are.
I'm not gonna tell you the operational details of what we can do going forward or where...
But the science fiction cyber war scenario is here.
That's Nitro Zeus.
But my concern and the reason I'm talking...
Is because when you shut down a country's power grid...
It doesn't just pop back up, you know?
It's more like humpty-dumpty...
And if all the king's men can't turn the lights back on or filter the water for weeks, then lots of people die.
And something we can do to others, they can do to us too.
Is that something that we should keep quiet?
Or should we talk about it?
Gibney: I've gone to many people in this film, even friends of mine, who won't talk to me about the NSA or STUXnet even off the record for fear of going to jail.
Is that fear protecting us?
No, but it protects me.
Or should I say we?
I'm an actor playing a role written from the testimony of a small number of people from NSA and CIA, all of whom are angry about the secrecy but too scared to come forward.
Now, we're forward.