Imagine a weapon, right, but one so quiet, so sneaky. It worked for months, maybe even years, before anyone really got what it was. A weapon that could just take apart critical systems without a single bullet being fired. It sort of opened up a whole new kind of conflict. Today we're diving into the story of the world's first really destructive digital weapon. Okay, let's unpack this.
Yeah, and what's fascinating here is this isn't just about code, yeah, or like clever hackers in dark rooms. This story is really about geopolitics, the weaknesses built into our industrial systems, and how the digital world can suddenly smash into the physical one, affecting you. So our mission today is to get our heads around Stuxnet, not just as this piece of amazing tech, but as a moment that really opened a kind of digital Pandora's box. We'll be looking at some deep investigations, stuff on cyber attacks, industrial security, national defense, the whole picture.
Okay, so where did this all begin? I mean, who first noticed something was wrong? What did they even see?
Well, the story really gets going in twenty ten. There was this pretty small security firm in Belarus, VirusBlokAda, and these researchers there, Sergey Ulasen and Oleg Kupreev, they stumbled onto something, well, really weird. They found malware spreading through USB drives. Now that happens, right? But how it was spreading, it was totally new. See, usually malware used this autorun feature, which you could disable. But this thing, it used a really clever trick with Windows LNK files, shortcut files. Much harder to stop, a new way in.
So what was so scary about this LNK thing?
Yeah, exactly, a new way in. Ulasen immediately thought this could be a zero day, you know, a vulnerability that the software maker, Microsoft in this case, doesn't even know exists. And he got really worried when he tested it. He tried it on a Windows seven machine, the latest version, totally up to date with patches, and the malicious files just appeared seamlessly. Nothing blocked it. And here's where it gets really interesting. The malicious drivers, the bad code, were signed with a real digital certificate from Realtek Semiconductor, a legitimate hardware company. That was just, yeah, unheard of. It basically told Windows, hey, this code's legit, let it run. It bypassed security warnings. How they got that key, stole it or something? Big questions. This whole thing showed something chilling. Even if your system is fully patched, totally up to date, you could still be hit by these unknown flaws. A total shift in how we had to think about security. These tactics, the stealth, it was all designed so that you, or any normal user, or any system admin even, would have almost no way of knowing your system was compromised.
Wow, so the whole world was sort of exposed without knowing it. And then I guess bigger companies started looking into it, like Symantec.
Right, yeah. Soon after, researchers like Liam O'Murchu and Nicolas Falliere at Symantec really started digging deep into the code. O'Murchu apparently was always taking things apart as a kid, and Falliere was a master at reverse engineering, turning that mess of computer code back into something a human could understand, skills he apparently picked up working on like puzzle files called crackmes.
Okay, so these experts start digging and it became clear pretty fast this wasn't your typical virus, right. It wasn't trying to steal credit cards or anything.
No, definitely not. Its target was much, much more critical. It was going after industrial control systems. We're talking about PLCs, programmable logic controllers. Think of them as the automated brains in factories, power plants, water treatment facilities, all that critical infrastructure. They tell the machines what to do. Now, these things were mostly designed back in the sixties and seventies, built for reliability in like physically isolated environments. Security against hackers, not really on the radar back then, so stick them on a network and they become, well, pretty soft targets. It exposed this dangerous legacy: systems built for one world suddenly living in a very different, connected one.
And with that level of sophistication going after PLCs, it must have had a very specific, very high value target in mind.
Absolutely. The ultimate target: the Natanz uranium enrichment facility in Iran. And interestingly, even before Stuxnet became public knowledge, inspectors from the International Atomic Energy Agency, the IAEA, had seen weird things. Centrifuges weren't working right. They were running at lower capacities, like forty five to sixty six percent, even when they weren't being fed as much uranium gas. It just didn't add up. Nobody could figure out why. And remember, Natanz itself had been under the microscope since about two thousand and two, when satellite photos first really identified it.
Right, a very sensitive site. So how did Stuxnet actually do it? How did it mess with these centrifuges in such a secure place? What was the attack like?
Okay, here's where it gets really interesting. The attack on the Siemens PLCs at Natanz, it was incredibly clever, multi stage. First, it pulled off what's called a man in the middle trick. For about thirteen days, Stuxnet would just sit there and secretly record what normal operations looked like, the data coming from the centrifuges. Then, when it decided to actually attack, to sabotage, it would play back that recorded normal data to the control room operators. So the operators are looking at their screens thinking, yep, everything's running fine. Well, behind the scenes, Stuxnet is actually damaging the centrifuges. Someone described it as the digital equivalent of a six ton circus elephant performing a one legged handstand. Just complete hidden deception. And it wasn't like one big explosion. It was subtle. It would sabotage things for maybe fifteen minutes, then wait, then sabotage for fifteen minutes, then lie low for like twenty six days, just watching. This went on for weeks, months, designed to cause damage slowly, avoid setting off alarms.
That is incredibly patient and sneaky. How did this digital trickery actually break the machines? What was the physical damage?
The physical impact was severe. Stuxnet specifically targeted the frequency converters. These are devices that control the speed of motors, like the ones spinning the centrifuges. It targeted models made by Vacon, a Finnish company, and also Fararo Paya, which was thought to be an Iranian company, possibly making copies. Stuxnet would mess with the speeds, make the centrifuges spin too fast, then too slow, creating vibrations. These vibrations would literally destroy the rotors. Iran's own Atomic Energy Organization later talked about centrifuge rotors turning into powder. That's what Stuxnet was doing. And think about this. To pull that off, you don't just need amazing coders. The sources say you needed like a team of material scientists and centrifuge experts, people who knew exactly how changing the speed would physically wreck those specific machines. That's the key thing here: digital code causing direct, calculated physical destruction, a totally new kind of warfare.
Wow, so Stuxnet wasn't just about Natanz, then. It kind of blew the lid off how vulnerable these industrial systems are everywhere?
Right. Oh, absolutely. It showed these weren't just isolated problems at one facility. These were systemic flaws. Experts like Joe Weiss, they'd been warning about this for years, especially after the whole Y2K thing. He pointed out that these control systems often didn't even have basic stuff like firewalls or ways to log network activity. They were built assuming they'd never be connected or attacked. And guys like Dillon Beresford, in twenty ten, he was just this twenty five year old researcher. He literally went online, bought some Siemens PLCs, the same kind used in Natanz, and working from his apartment, in just a few weeks, he found tons of security holes. Like, communications weren't encrypted. The PLCs would happily talk to any machine that knew their language. And get this, some had hard coded passwords like "basisk" built right in that couldn't be changed. It was like leaving the front door wide open with a key taped to it.
That's unbelievable. Hard coded passwords you can't change.
Yeah, it just showed they weren't designed with network security in mind at all. It really highlights how vulnerable these systems were. And we'd seen hints of this before, like that incident in Maroochy Shire in Australia back in two thousand. An ex employee got mad, used stolen software and a radio link to hack into the sewage treatment system, and deliberately caused massive spills. Hundreds of thousands of gallons of raw sewage flooded into parks and rivers, a real world impact from a digital intrusion.
Grim reminder. We always hear about critical systems being air gapped, you know, disconnected from the Internet for safety. Did Stuxnet basically kill that idea?
It certainly punched a huge hole in it.
Yeah.
Yeah, many of these control systems had similar design flaws. This legacy from before the Internet was everywhere. The whole air gap idea that these systems were safe because they were isolated, well, it turned out to be largely a myth.
In twenty twelve, one researcher in the UK used this search engine called Shodan, which specifically looks for Internet connected devices, and he found over ten thousand industrial control systems online. Water plants, power grids, dams, train systems, just sitting there connected to the Internet. Then there was that hacker pr0f, in twenty eleven, he got into the controls of a water plant in South Houston. How? A password that was literally just three characters long. He himself said most hacks he saw weren't because of amazing skill, but just gross stupidity in security practices.
Wow, three.
Yeah. And maybe the most dramatic demonstration was the Aurora generator test. This is back in two thousand and seven. The Idaho National Lab researchers wanted to prove a point. They digitally hacked into a huge diesel generator, a Wärtsilä model, and they manipulated its protective relays, the safety systems designed to stop damage from happening. They basically tricked the relays into rapidly opening and closing breakers out of sync. The physical forces were so violent the generator literally tore itself apart. Smoke, flying debris. It was physically destroyed by a digital command, and the thing that was supposed to prevent an attack like this was the very thing they used to conduct the attack.
That's deeply unsettling.
It is. And here's something crucial for you to consider. In the US, something like eighty five percent of critical infrastructure is owned and operated privately. That makes it incredibly hard to enforce consistent, high level security across the board. Back in twenty thirteen, General Keith Alexander, who was head of the NSA then, was asked how prepared the nation was for cyber attacks. He bluntly said a three on a scale of one to ten.
A three out of ten.
That's not comforting.
So Stuxnet wasn't just about finding holes. It really unleashed something new, didn't it? It changed the whole game of geopolitics and warfare. What was the thinking before Stuxnet hit the scene?
Well, people were thinking about it way back in nineteen ninety three. Analysts at RAND Corporation actually coined the term cyber war. They predicted it could be the Blitzkrieg of the twenty first century. And there were early hacks that raised eyebrows, like Marcus Hess in the eighties, apparently spying for the KGB through computer networks, or those Dutch teenagers who broke into US military systems right before the First Gulf War. Then the US military ran its own exercises in the late nineties, like Eligible Receiver and Solar Sunrise, and the results were pretty shocking. They found their own networks were wide open to attack, and maybe even more worrying, they realized that basically no one was in charge of defending military networks effectively. So, yeah, the potential was recognized, but the actual defenses and strategy, they were lagging way behind.
Chilling to look back on those warnings now. Okay, so after those wake up calls, the US set up things like the Joint Task Force for Computer Network Defense. But developing these kinds of weapons like Stuxnet, there's a hidden danger, isn't there, a paradox?
Huge paradox, yeah. Andy Pennington used to be an Air Force weapons officer. He put it really well. He warned, the cyber weapon, it doesn't die, it's just code. Somebody can pick it up and fire it right back at you. Yeah, unlike a bomb that explodes once, code can be copied, analyzed, repurposed, and we saw that happen, frighteningly, with Stuxnet itself. There was a version in twenty ten that somehow lost its precision targeting. It just started spreading like crazy, uncontrollably, infecting thousands and thousands of computers that weren't its intended target in Iran. It showed just how easily even a supposedly surgical weapon could escape control. And this also fueled the rise of this sort of gray market for exploits. Companies like VUPEN Security in France were openly finding zero day flaws and then selling them to governments, sometimes for like one hundred thousand dollars a pop or more. The big takeaway: once you let these digital weapons out, they're incredibly hard to control. They spread, they proliferate, and the consequences become totally unpredictable.
Right. So, looking back, President Obama gave this big speech about cybersecurity in two thousand and nine, really sounding the alarm, right before Stuxnet was deployed. The irony is pretty stark. Michael Hayden, the former CIA and NSA director, he famously said Stuxnet meant somebody had crossed the Rubicon, there was no going back. So what are the global consequences now? This new frontier is open. But how do you even fight a war when you might not know who fired the first shot?
Well, if we connect this to the bigger picture, that Rubicon analogy is spot on. The immediate consequence was a kind of global cyber arms race. Suddenly everyone realized this was real. Nations like China, Russia, the UK, Israel, France, Germany, North Korea, even Iran itself, they all started pouring resources into developing their own cyber warfare capabilities, offensive and defensive. But maybe the trickiest part is what you just said: attribution, knowing who actually launched an attack. There was this simulation run at Tel Aviv University in twenty thirteen. It showed just how easily a cyber incident could spiral out of control into real world conflict, especially if the leaders aren't sure who's attacking them. Imagine Country A attacks Country B but makes it look like Country C did it. Things would get kinetic fast, based on bad information. Stuxnet technically is still the only known case of cyber warfare on record where code was used by one nation to cause physical damage in another during peacetime, but that digital Pandora's box, it's wide open now. We live in a world where civilian infrastructure, power grids, water systems, hospitals, is potentially on the front line, and maybe, just maybe, defense is the only viable offense anymore.
It's been quite a journey, hasn't it, from that small firm in Belarus finding something odd all the way to this global shift in security and warfare. Stuxnet really left us with two big things. Its sheer technical brilliance as a weapon, yes, but also how it ripped the veil off these deep, deep vulnerabilities in the systems we all rely on every single day.
Absolutely, and this raises an important question for you, as we're now in this world where digital attacks can cause real physical harm, but figuring out who did it is incredibly difficult. So how do you think nations can even begin to set rules for this, clear rules of engagement for cyber conflict? And maybe closer to home, what responsibility do we all have to push for better security in this super connected world we've built?
Definitely a lot to mull over there. Thank you for joining us on this deep dive. We really hope you'll keep exploring this stuff. Until next time, stay curious.
