Countdown to Zero Day

I started working in Infosec in 2013 at a power utility company. At the time, Stuxnet was a buzzword frequently used in onboarding sessions and internal Information Security (Infosec) awareness campaigns. However, I never delved deeply into the history of the malware or its implications. A couple of months ago, I decided to dive into its full story by reading what I believe to be the best source: Countdown to Zero Day (Crown, 1st edition). After finishing it, I realized that Stuxnet was much more significant than I had originally thought. In the following lines, I'll share my review of this book to encourage you to explore it as well.

Plot

It's widely known that Stuxnet 👾 was the first digital weapon ever created, designed to sabotage Iran's 🇮🇷 nuclear program in the late 2000s. The malware is considered a game-changer in the cybersecurity field for many reasons. 1️⃣ First, it was the first known cyber weapon to cause physical damage to a target, similar to a kinetic weapon. 2️⃣ Second, it exploited multiple zero-day vulnerabilities, which are unknown software vulnerabilities, making it especially hard to defend against. If a malware has just one zero-day, we consider it powerful, but Stuxnet had five! 3️⃣ Third, it was highly sophisticated, requiring a deep understanding of uranium enrichment processes ☢️ and industrial control systems (ICS) to be effective. 4️⃣ Fourth, it operated autonomously 🤖, spreading through the target network, updating itself, learning about ICS devices, and sabotaging them without human intervention. Lastly, Stuxnet was a joint operation between the United States 🇺🇸 and Israel 🇮🇱, making it a state-sponsored cyber weapon --more on this later.

Stuxnet hijacked the programmable logic controllers (PLCs) of uranium enrichment centrifuges --devices that spin so fast that, as the book explains, even microbes left on them could pulverize the machines, turning them into powder. This showcases the level of sophistication involved and the immense risk posed by the malware. But could Stuxnet have caused a nuclear explosion? The answer is no, because it operated at the enrichment level, not at the weaponization stage. However, the malware specifically targeted centrifuges processing highly enriched uranium at the final stages of enrichment. If a centrifuge were to spin out of control, it could have caused a radioactive leak, potentially leading to a nuclear accident.

While many could write a purely technical book about Stuxnet, almost like Symantec did with their excellent Stuxnet Dossier, Kim Zetter takes a broader approach. She covers the geopolitical context, the history of Iran's nuclear program, post-9/11 US policies, how Stuxnet was discovered, and how the operation was unraveled. Zetter provides a 360-degree view of Stuxnet, its "cousins" Duqu and Flame, and their global impact. Stuxnet was part of a larger operation, Olympic Games, which began years before its discovery. However, espionage and sabotage via cyber means were not new; as the author explains, similar sabotage tactics had been used before, such as the 1982 Russian gas pipeline explosion --more on that here.

Impressions

I really enjoyed reading Countdown to Zero Day. Kim Zetter did an impressive job with research and investigation, which is evident from the wealth of references she provides. The book is structured like a documentary, with the facts presented as they were discovered, intertwined with relevant contextual data. For instance, Zetter first explains how Stuxnet was found and what the malware was doing, followed by details about zero-days, uranium enrichment, and Iran's relationships with nuclear agencies. As the story unfolds, new revelations about Stuxnet's modus operandi and its connections to other malware like Duqu and Flame are examined. This repeated deep dive into each layer of the story keeps the book engaging and easy to follow.

The book demystifies the notion of a lone hacker developing malware with multiple zero-days in a basement. Instead, it shows that such an operation involves numerous actors (e.g., nuclear scientists, ICS engineers, hackers), resources (financial and technological), and intelligence. It also debunks the idea that analysis of complex malware like Stuxnet is a solo effort. Stuxnet's dissection required teams to focus on different aspects, such as zero-days and PLCs.

What I found especially appealing is the full context the book provides: from Stuxnet to Flame, from Iran to the US, and from nuclear programs to cyber warfare. Most documents I've read on Stuxnet focus solely on technical aspects, but this book goes beyond that. It answers questions like: What is an enrichment centrifuge? Why was Iran considered a threat? Why was the US so advanced in cyber warfare when unencrypted HTTP was still common? Even when the answers aren't clear, the book explains the context. In the world of nation-state actors, espionage, and sabotage, certainty is rare; we often speak in terms of "high confidence." As Zetter notes, they never found incontrovertible proof that Stuxnet targeted Natanz. 👀😱 That's the nature of the game.

The book also explores the implications of cyber warfare. While there are international treaties governing nuclear and biological weapons, no such agreements exist for cyber weapons. Zetter discusses the challenges of stopping a cyber weapon once it's launched. Unlike biological weapons, which have limited range, cyber weapons can spread and be reused by anyone --"a cyberweapon is the type of weapon that you fire and it doesn’t die. Somebody can pick it up and fire it right back at you."

This is a must-read book for understanding the history of cyber warfare and its real-world implications. Toward the end, Zetter even questions Stuxnet's true effectiveness, noting that while the Iranian nuclear program wasn't halted, it was delayed. Nonetheless, the operation ushered in a new era of cyber warfare, and despite the side effects, the mission was ultimately successful.

As noted, the author provides numerous references --perhaps too many. She mixes simple references like URLs or interviews with additional notes that expand on the text, which can interrupt the flow of reading. I think using footnotes or endnotes to separate references from additional insights would have improved the structure. Some chapters have more than 40 references, which feels excessive for a non-academic book.

Bottom Line

Countdown to Zero Day is essential reading for anyone interested in cybersecurity, ICS security, or geopolitics. It portrays a pivotal moment when cyber weapons became reality, replacing kinetic weapons. The late 2000s marked a turning point in Infosec with events like Operation Aurora, the coining of the term Advanced Persistent Threat (APT), and the rise of nation-state hackers. However, don’t expect a technical book with code snippets or network diagrams. This is more like a Cyber Threat Intelligence (CTI) book that provides context, actors, and implications of Stuxnet and its "cousins" Duqu and Flame.

If, like me, you started in the Infosec trenches in the early 2010s and never fully grasped the Stuxnet story, this book is for you. It's a great way to understand the historical context and how the cybersecurity field has evolved since then. ICS professionals will also benefit, as the book explains how malware can sabotage industrial devices. For Stuxnet, while Windows vulnerabilities were exploited, the true target was the PLCs, not the operating system. This insight prompts us to think about detecting and preventing such attacks at the PLC level in the future.

Recently, pagers used by Hezbollah members exploded simultaneously. Nothing indicates a cyber attack, but it does suggest a supply chain attack. With the background provided by this book, I noticed operational similarities with Stuxnet and its surroundings, which also involved a supply chain attack and explosives --see here for details on the number of Iranian nuclear scientists attacked around 2010, when Stuxnet was discovered. This book will help you reach that level of understanding and more.

Finally, this book was published in 2015, and new analyses may change our understanding of events. I haven’t searched for updates, but if you do and find something, please let me know. ✌🏻