Countdown To Zero Day

May 24, 2020 · 2 mins read By Kim Zetter

The crazy story of Stuxnet and reflexions on the age of cyber warfare.

It reads like a spy novel. A case of reality being almost movie-like.

Different “kinds” of chapters intersected:

  • Story of how the Stuxnet (and its derivatives) got discovered and dissected, mostly the first chapters of the book (Chap. 1, 2, 4, 6, 8, 10, 13, 14, 15)
  • Developments of the Nuclear Iranian program, and the effects of Stuxnet on it (Chap. 5, 17, 18)
  • Description of how the attack was planned by the US (Chap. 11, 16).
  • “Context” chapters:
    • Natanz (Chap. 3): about the Iranian nuclear program.
    • Zero-Day Paydays (Chap. 7): about the market for zero-days.
    • Industrial Controls Out Of Control (Chap. 9): Introduction to industrial control systems and description of their poor security.
    • A new fighting domain (Chap. 12): how the military started to take interest in cyberwarfare.
    • Digital Pandora (Chap. 19): the last chapter of the book is a reflexion on the legacy of the first discovered major cyber attack.

No chapter-by-chapter summary for this one, but the highlights of what I learned:

  • The Iranian nuclear program is a contentious political subject that is a real threat.
  • There are a lot more zero days that I thought:

    His group, he said, had a huge repository of zero-day vulnerabilities at their disposal—“tens of thousands of ready-to-use bugs” in software applications and operating systems for any given attack. “Literally, if you can name the software or the controller, we have ways to exploit it,” he said. Patched holes didn’t worry them, because for every vulnerability a vendor fixed, they had others to replace it.

  • Launching an attack like this from the US, which has a lot of old, unsecured infrastructure was a bold move:

    The nations, of course, that are most at risk of a destructive digital attack are the ones with the greatest connectivity. Marcus Ranum, one of the early innovators of the computer firewall, called Stuxnet “a stone thrown by people who live in a glass house.”

Note: Other resources on the subject:

  • The Quora answer where I first read about sophisticated it was:
  • The Darknet Diaries episode with the author as a guest: