The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the bomb. Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility. The gray boxes that you see, these are real-time control systems. Now if we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems with the centrifuge. The gray boxes don't run Windows software; they are a completely different technology. But if we manage to place a good Windows virus on a notebook that is used by a maintenance engineer to configure this gray box, then we are in business. And this is the plot behind Stuxnet.
So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed -- mission accomplished. That's easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is it's very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems. So that got our attention, and we started a lab project where we infected our environment with Stuxnet and checked this thing out. And then some very funny things happened. Stuxnet behaved like a lab rat that didn't like our cheese -- sniffed, but didn't want to eat. Didn't make sense to me. And after we experimented with different flavors of cheese, I realized, well, this is a directed attack. It's completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program code that it's trying to infect is actually running on that target. And if not, Stuxnet does nothing.
So that really got my attention, and we started to work on this nearly around the clock, because I thought, "Well, we don't know what the target is. It could be, let's say for example, a U.S. power plant, or a chemical plant in Germany. So we better find out what the target is soon." So we extracted and decompiled the attack code, and we discovered that it's structured in two digital bombs -- a smaller one and a bigger one. And we also saw that they are very professionally engineered by people who obviously had all insider information. They knew all the bits and bytes that they had to attack. They probably even know the shoe size of the operator. So they know everything.
And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It's way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about -- around about 15,000 lines of code. Looks pretty much like old-style assembly language. And I want to tell you how we were able to make sense out of this code. So what we were looking for is, first of all, system function calls, because we know what they do.
And then we were looking for timers and data structures and trying to relate them to the real world -- to potential real world targets. So we do need target theories that we can prove or disprove. In order to get target theories, we remember that it's definitely hardcore sabotage, it must be a high-value target and it is most likely located in Iran, because that's where most of the infections had been reported. Now you don't find several thousand targets in that area. It basically boils down to the Bushehr nuclear power plant and to the Natanz fuel enrichment plant.
So I told my assistant, "Get me a list of all centrifuge and power plant experts from our client base." And I phoned them up and picked their brain in an effort to match their expertise with what we found in code and data. And that worked pretty well. So we were able to associate the small digital warhead with the rotor control. The rotor is that moving part within the centrifuge, that black object that you see. And if you manipulate the speed of this rotor, you are actually able to crack the rotor and eventually even have the centrifuge explode. What we also saw is that the goal of the attack was really to do it slowly and creepy -- obviously in an effort to drive maintenance engineers crazy, that they would not be able to figure this out quickly.
The big digital warhead -- we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can't overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, that was a match.
And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure. So again, that was a real good match. And this gave us very high confidence for what we were looking at. Now don't get me wrong here, it didn't go like this. These results have been obtained over several weeks of really hard labor. And we often went into just a dead end and had to recover.
Anyway, so we figured out that both digital warheads were actually aiming at one and the same target, but from different angles. The small warhead is taking one cascade, and spinning up the rotors and slowing them down, and the big warhead is talking to six cascades and manipulating valves. So in all, we are very confident that we have actually determined what the target is. It is Natanz, and it is only Natanz. So we don't have to worry that other targets might be hit by Stuxnet.
Here's some very cool stuff that we saw -- really knocked my socks off. Down there is the gray box, and on the top you see the centrifuges. Now what this thing does is it intercepts the input values from sensors -- so for example, from pressure sensors and vibration sensors -- and it provides legitimate program code, which is still running during the attack, with fake input data. And as a matter of fact, this fake input data is actually prerecorded by Stuxnet. So it's just like from the Hollywood movies where during the heist, the observation camera is fed with prerecorded video. That's cool, huh?
The idea here is obviously not only to fool the operators in the control room. It actually is much more dangerous and aggressive. The idea is to circumvent a digital safety system. We need digital safety systems where a human operator could not act quick enough. So for example, in a power plant, when your big steam turbine gets too over speed, you must open relief valves within a millisecond. Obviously, this cannot be done by a human operator. So this is where we need digital safety systems. And when they are compromised, then real bad things can happen. Your plant can blow up. And neither your operators nor your safety system will notice it. That's scary.
But it gets worse. And this is very important, what I'm going to say. Think about this: this attack is generic. It doesn't have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don't have -- as an attacker -- you don't have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That's the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments. We have to face the consequences, and we better start to prepare right now.
Thanks.
(Applause)
Chris Anderson: I've got a question. Ralph, it's been quite widely reported that people assume that Mossad is the main entity behind this. Is that your opinion?
Ralph Langner: Okay, you really want to hear that? Yeah. Okay. My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that's the United States -- fortunately, fortunately. Because otherwise, our problems would even be bigger.
CA: Thank you for scaring the living daylights out of us. Thank you, Ralph.
(Applause)
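The prerecorded-input trick Langner describes (legitimate control logic kept running but fed a recorded "normal" sensor trace), shown as an added example that is not part of the transcript and not Stuxnet's code: a toy interlock that never trips on the replayed feed, beside one check a defender can run, since a looped recording must repeat sample windows bit-for-bit while a noisy live sensor does not. The trip limit, both traces and every function name are constructed assumptions.

```python
# Added example (constructed values; not Stuxnet's code): sensor replay vs. a repeat check.
import hashlib

PRESSURE_TRIP = 120.0  # hypothetical interlock limit (constructed)
# Constructed live trace: pressure ramps 100.0 -> 135.1 in 0.9 steps.
REAL = [round(100.0 + 0.9 * i, 1) for i in range(40)]
# Constructed "normal operation" recording that the malware would replay.
RECORDED = [100.1, 100.4, 99.8, 100.2, 100.6, 99.9, 100.3, 100.0, 99.7, 100.5]

def safety_controller(readings, trip=PRESSURE_TRIP):
    """Legitimate logic: index of the first reading above the limit, else None."""
    for i, p in enumerate(readings):
        if p > trip:
            return i
    return None

def replay_feed(real, recorded, start):
    """Model the substitution: from `start` on, the controller no longer sees the
    live sensor but the prerecorded trace, looped (the 'prerecorded video')."""
    seen = list(real[:start])
    for k in range(start, len(real)):
        seen.append(recorded[(k - start) % len(recorded)])
    return seen

def exact_repeat_windows(readings, window=8):
    """Defender check: a noisy physical sensor essentially never repeats a
    multi-sample window bit-for-bit; a looped recording must. Returns the
    start indices of windows whose fingerprint was already seen."""
    seen, hits = set(), []
    for i in range(len(readings) - window + 1):
        fp = hashlib.sha256(repr(readings[i:i + window]).encode()).hexdigest()
        if fp in seen:
            hits.append(i)
        seen.add(fp)
    return hits

def run_scenario(start=5):
    """Compare what the interlock and the repeat check see on live vs. replayed input."""
    fed = replay_feed(REAL, RECORDED, start)
    return {
        "trip_on_live": safety_controller(REAL),        # trips at sample 23
        "trip_on_replay": safety_controller(fed),       # never trips
        "repeat_hits_live": exact_repeat_windows(REAL), # no repeats
        "repeat_hits_replay": exact_repeat_windows(fed),  # repeats from sample 15 on
    }
```

The check only catches a verbatim loop; a replay with added jitter needs a physics-based comparison (e.g. against redundant or independently wired sensors) instead.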