Documentary filmmaker Alex Gibney has made enemies: He’s turned over rocks in the rubble of Enron, within the complicated legacy of Steve Jobs, and on whatever bridge is marketed to members in the Church of Scientology during his prolific career. I remember watching an audience member film him during a Q&A after a screening of Going Clear, his two-hour dismantling of Scientology. Presumably, enemies.
But Gibney is not as, let’s call it vigilant, as Mark Zuckerberg when it comes to monitoring what eyes might be watching him via his laptop camera. It’s an idea rooted in paranoia that’s got its fair share of converts. While there are all sorts of guides online claiming to show you how to do it, the National Security Agency can also use your laptop’s camera and microphone to spy on you.
Yet, Gibney doesn’t cover his laptop camera or microphone with tape, he tells Inverse.
“I don’t always cover it ‘cause I use the camera sometimes and don’t want to gum up the lens with tape,” he says before adding: “But I do sometimes use a Post-It with adhesive just above the lens.”
It’s the sort of answer you’d expect from a filmmaker. Early in his latest doc, Zero Days (out July 8), Gibney uses that laptop camera to Skype with Sergey Ulasen, a Belarusian security researcher. Ulasen was first to notice Stuxnet, the dense yet precise malware worm widely believed to be developed by the U.S. federal government. It would find its way to the computers that controlled Iranian nuclear centrifuges and fuck shit up. It did just that in the summer of 2010. Zero Days tells the story of cyberwar with Stuxnet as its conduit, a virus that nobody wants to talk about.
The film’s early minutes include a montage of talking heads in suits saying that they couldn’t say anything in many different ways.
“Two answers before you get started: I don’t know, and if I did, I wouldn’t talk about it anyway,” says former CIA and NSA chief Michael Hayden.
“I was getting pissed off,” Gibney says, before noting that the operation had been blown: “I couldn’t get officials to even say that Stuxnet had existed. There was a kind of Emperor’s New Clothes quality about it.”
So instead, the director looked at the forensics in this two-hour procedural. He starts where the sophisticated virus surfaced. Symantec security engineers Eric Chien and Liam O’Murchu push along the film’s plot because they named it, for one — STUXnet — and helped explore the insanely complex computer code.
“We opened it up, and there were just bad things everywhere,” O’Murchu says in the film. “We had 100 questions straight away.”
So they picked apart the threat: An average virus takes minutes to understand. A month into exploring Stuxnet and the two were starting to appreciate its payload or purpose.
“Every piece of code does something and does something right, to perform its attack,” Chien explains in the film.
The code was also a “zero-day code,” which meant that it autonomously started running on Day 1 of it reaching a computer. There was no link that needed to be clicked or attachment that needed to open. “A zero-day exploit is an exploit that nobody knows except for the attacker,” O’Murchu explains. “So there’s no protection against it, no patch released, there are zero days of protection. That’s what attackers value because they know 100 percent if they have this zero-day exploit, they can get in wherever they want.”
The sophistication of the malware pointed to one conclusion: It was the masterwork of a government agency or nation state — not Anonymous, not some hacktivist collective, not Occupy Wall Street. It was a weapon for cyberwar.
Here’s how it worked: The malware is installed via infected code on USB drives. Investigators believe that companies that worked with the Iran nuclear program were hit with the selective virus as a method to get the half-megabyte-sized worm on those drives. Once it was running, it targeted Siemens’ Programmable Logic Controller — a tiny computer that controls all sorts of machines at factories, power grids, hospitals, and nuclear facilities. And the malware was looking for a specific PLC that performed a particular job before it would attack. Because most viruses act like a carpet bomb, this malware was more like a sniper rifle, which is unusual. Stuxnet was programmed to deploy only when it found the target, which was the Natanz nuclear facility in Iran. Centrifuges there, used to enrich uranium, were destroyed once Stuxnet programmed their motors to spin out of control at precisely the right time — when the thing was full of enriched uranium after 13 days of spinning.
Gibney’s film also shows the pride and perhaps the hubris of Iran’s then-president Mahmoud Ahmadinejad to allow photographers into Natanz. They captured images vital to foreign — the United States and Israeli — intelligence. Presidents George W. Bush and Barack Obama approved the deployment of Stuxnet, and the National Security Agency (which collects intelligence) and U.S. Cyber Command (the military arm that uses NSA intelligence to deploy cyberweapons like Stuxnet) carried it out.
“We could watch, or we could attack,” says actress Joanne Tucker, who acts as a composite compiled from interviews with off-the-record military and intelligence sources. It’s an interesting trick not revealed until the end of the film, which is not exactly a spoiler because audiences can see it coming. “Saying Stuxnet out loud was like saying Voldemort in Harry Potter,” says Tucker in the film. They called the Natanz attack Olympic Gates or OG. There was a vast operation to test the code on PLCs in America and to see what the virus did to the centrifuge machinery.
Natanz, of course, wasn’t connected to the internet. There was an “air gap,” as it’s known, but that was just a hurdle. A human can introduce the code. There were rumors of situations in “Moscow where an Iranian laptop [was] infected by a phony Siemens technician with a flash drive” or double agents with direct access. The actual espionage has never been revealed. Companies that had to conduct repairs at Natanz were also infiltrated. The electrician's laptop is infected. He takes it to Natanz, plugs in, and boom: Stuxnet is in Iran’s nuclear facility.
“There was no turning back once Stuxnet was released,” Chien says in the film.
There was one problem: the Israelis took the Stuxnet code, changed it, and without warning, launched it. They “fucked it up,” says Tucker’s NSA source composite: Instead of quietly hiding in computers, the Israeli-modified virus started shutting them down, so people noticed. It also spread around the world and fell into the hands of Russia and, eventually, Iran.
“They managed to create minor problems for a few of our centrifuges through the software that they had installed on electronic parts,” Ahmadinejad told reporters during a press conference in Iran in November 2010. “It was a naughty and immoral move by them, but fortunately, our experts discovered it, and today they’re not capable of ever doing it again.”
Around this time, Iranian nuclear scientists started getting killed. It’s widely believed the Israeli military killed them, the documentary asserts.
Soon, the number of Iranian centrifuges started spiking, up to 20,000, with a stockpile of low-enriched uranium — and the nuclear facilities expanded.
And Stuxnet hit American computers eventually, too, as it spread around the world. The Department of Homeland Security was then tasked with stopping the virus another branch of the government created from attacking American industrial control systems. Naturally, DHS officials, including Sean McGurk, who oversaw cybersecurity for DHS at the time, had no idea it was coming from the United States.
“You don’t think the sniper that’s behind you is shooting at you.” Neither did Senator Joe Lieberman, who’s seen in a Senate hearing croaking out a question to McGurk about who exactly was responsible for Stuxnet:
“Do we think that this was a nation-state actor and that they are a limited number of nation-states that have such advanced capacity?”
“Imagine for a moment that not only all the power went out on the East Coast, but the entire Internet came down,” says New York Times reporter David Sanger in the film. The composite actress drops the other shoe: Imagine how long it would take for those power grids to come back online for tens of millions of people.
“The science-fiction cyberwar scenario is here, that’s Nitro Zeus.” If the nuclear deal between Iran and six other countries in the summer of 2015 had not been reached, it could have been made to “disable Iran’s air defenses, communications systems and crucial parts of its power grid,” reported Sanger for the Times in February.
“We’ve probably seen close to ten countries,” Chien said at a recent Q&A after a showing of Zero Days, when asked how many countries have access to cyber weapons that could shut down industrial control systems in America or anywhere else. There’s a relatively low threshold when it comes to starting a cyberwar.