Documentary filmmaker Alex Gibney has made enemies: he’s turned over rocks in the rubble of Enron, within the complicated legacy of Steve Jobs, and on whatever bridge is marketed to members in the Church of Scientology during his prolific career. I remember watching him be aggressively filmed by an audience member during a Q&A after a screening of Going Clear, his two-hour dismantling of Scientology. Presumably, enemies.
But Gibney is not as, let’s call it vigilant, as Mark Zuckerberg, when it comes to monitoring what eyes might be watching him via his laptop camera. It’s an idea rooted in paranoia that’s got its fair share of converts because while there are all sorts of guides online claiming to show you how to do it, the National Security Agency can also use your laptop’s camera and microphone to spy on you.
Yet, Gibney doesn’t cover his laptop camera or microphone with tape, he tells Inverse.
“I don’t always cover it ‘cause I use the camera sometimes and don’t want to gum up the lens with tape,” he says before adding: “But I do sometimes use a Post-It with adhesive just above lens.”
It’s the sort of answer you’d expect from a filmmaker, and Gibney, early in his latest doc, Zero Days (out July 8), uses that laptop camera to Skype with Sergey Ulasen, a Belarusian security researcher who first noticed Stuxnet, the incredibly dense, yet precise malware worm — widely believed to be developed by the U.S. federal government. It would find its way to the computers that controlled Iranian nuclear centrifuges and fuck shit up. It did just that in the summer of 2010. Zero Days tells the story of cyberwar with Stuxnet as its conduit, a virus that nobody wants to talk about:
The film’s early minutes include a montage of talking heads in suits saying many different ways that they couldn’t say anything.
“Two answers before you get started: I don’t know, and if I did, I wouldn’t talk about it anyway,” says former CIA and NSA chief Michael Hayden.
“I was getting pissed off,” Gibney says, before noting that the operation had been blown: “I couldn’t get officials to even say that Stuxnet had existed. There was a kind of Emperor’s New Clothes quality about it.”
So instead, the director looked at the forensics, starting with where the sophisticated virus first surfaced and going from there in the two-hour procedural. Symantec security engineers Eric Chien and Liam O’Murchu push along the film’s plot, because they named it, for one — STUXnet — and helped explore the insanely complex computer code.
“We opened it up and there was just bad things everywhere,” O’Murchu says in the film. “We had 100 questions straight-away.”
So they picked apart the threat: An average virus takes minutes to understand. A month into exploring Stuxnet and the two were just starting to understand its payload, or purpose.
“Every piece of code does something and does something right, in order to perform its attack,” Chien explains in the film.
The code was also a “zero day code,” which meant that on Day 1 of it reaching a computer it autonomously started running. There was no link that needed to be clicked or attachment that needed to open. “A zero day exploit is an exploit that nobody knows except for the attacker,” O’Murchu explains. “So there’s no protection against it, no patch released, there’s been zero days of protection. That’s what attackers value, because they know 100 percent if they have this zero day exploit, they can get in wherever they want.”
The sophistication of the malware pointed to one conclusion: It was the masterwork of a government agency or nation-state — not Anonymous, not some hacktivist collective, not Occupy Wall Street. It was a weapon for cyberwar.
Here’s how it worked: The malware was installed via infected code on USB drives. To get the half-megabyte-sized worm on these drives, it’s believed that companies that worked with the Iran nuclear program were hit with the selective virus. Once it was running, it targeted Siemens’ Programmable Logic Controller — which is a little computer — that controls all sorts of machines at factories, power grids, hospitals, and nuclear facilities. And the malware was looking for a specific PLC that performed a specific job before it would attack. Because most viruses act like a carpet bomb, this malware was more like a sniper rifle, which is unusual. Stuxnet was programmed to deploy only when it found the target, which was the Natanz nuclear facility in Iran. Centrifuges there, used to enrich uranium, were destroyed once Stuxnet programmed their motors to spin out of control at precisely the right time — when the thing was full of enriched uranium after 13 days of spinning.
Gibney’s film also shows the pride and perhaps the hubris of Iran’s then-president Mahmoud Ahmadinejad to allow photographers into Natanz. They captured images vital to foreign — United States and Israeli — intelligence. Presidents George W. Bush and Barack Obama approved the deployment of Stuxnet and it was carried out by the partnership of the National Security Agency (which collects intelligence) and U.S. Cyber Command (the military arm that uses NSA intelligence to deploy cyber weapons like Stuxnet).
“We could watch, or we could attack,” says actress Joanne Tucker, who acts as a composite compiled from interviews with off-the-record military and intelligence sources. It’s an interesting trick not revealed until the end of the film, which is not exactly a spoiler because audiences can see it coming. “Saying Stuxnet out loud was like saying Voldemort in Harry Potter,” says Tucker in the film. “They called the Natanz attack Olympic Gates, or OG. There was a huge operation to test the code on PLCs in America and to see what the virus did to the centrifuge machinery.”
Natanz, of course, wasn’t connected to the internet. There was an “air gap” as it’s known, but that was just a hurdle. The code can be introduced by a human. There were rumors of situations in “Moscow where an Iranian laptop [was] infected by a phony Siemens technician with a flash drive” or double agents with direct access. The actual espionage has never been revealed. Companies that had to conduct repairs at Natanz were also infiltrated. The electrician’s laptop is infected, he takes it to Natanz, plugs in, and boom: Stuxnet is in Iran’s nuclear facility.
“There was no turning back once Stuxnet was released,” Chien says in the film.
There was one problem: the Israelis took the Stuxnet code, changed it, and without warning, launched it. They “fucked it up,” says Tucker’s NSA source composite: Instead of quietly hiding in computers, the Israeli-modified virus started shutting them down so people noticed. It also spread around the world, and fell into the hands of Russia and eventually, Iran.
“They managed to create minor problems for a few of our centrifuges through the software that they had installed on electronic parts,” Ahmadinejad told reporters during a press conference in Iran in November 2010. “It was a naughty and immoral move by them, but fortunately our experts discovered it and today they’re not capable of ever doing it again.”
Around this time, Iranian nuclear scientists started getting killed, widely believed to be by Israeli military.
Soon, the number of Iranian centrifuges started spiking, up to 20,000, with a stockpile of low-enriched uranium — and the nuclear facilities expanded. Once the cover was blown, Stuxnet had the opposite effect.
And Stuxnet hit American computers eventually, too, as it spread around the world. The Department of Homeland Security was then tasked with stopping the virus that another branch of the government created from attacking American industrial control systems. Naturally, DHS officials, including Sean McGurk, who oversaw cybersecurity for DHS at the time, had no idea it was coming from the United States.
“You don’t think the sniper that’s behind you is shooting at you.” Neither did Senator Joe Lieberman, who’s seen in a Senate hearing croaking out a question to McGurk about who exactly was responsible for Stuxnet: “Do we think that this was a nation-state actor and that they are a limited number of nation-states that have such advanced capacity?”
“Imagine for a moment that not only all the power went out on the East Coast, but the entire Internet came down,” says New York Times reporter David Sanger in the film. The composite actress drops the other shoe: Imagine how long it would take for those power grids to come back online for tens of millions of people.
“The science-fiction cyberwar scenario is here, that’s Nitro Zeus.” If the nuclear deal between Iran and six other countries in the summer of 2015 had not been reached, it could have been made to “disable Iran’s air defenses, communications systems and crucial parts of its power grid,” reported Sanger for the Times in February.
“We’ve probably seen close to ten countries,” Chien said at a recent Q&A after a showing of Zero Days, when asked how many countries have access to cyber weapons that could shut down industrial control systems in America or anywhere else. There’s a relatively low threshold when it comes to starting a cyber war.