Review: Iran cyber hack opened a Pandora’s box

July 29, 2016

The author is a Reuters Breakingviews columnist. The opinions expressed are her own.

A cyber attack on Iran opened a Pandora’s box. “Zero Days” takes a thriller-style look at the unprecedented hacking of the country’s Natanz nuclear facility using the so-called Stuxnet virus. The documentary delves into the lack of norms in this new kind of war. What’s left unexplored is how companies have become collateral damage in national cyber battles.

Six years ago cyber-security experts detected a uniquely sophisticated form of “malware” – intrusive software – that seemed to target Iran. “Zero Days” follows two sleuths from Symantec, and others, who slowly traced the attack back to the U.S. and Israeli governments. The film’s title refers to a vulnerability that affects a network before the victim has a chance to fix the hole. That gives the victim zero days to react.

The Stuxnet attack exploited four such vulnerabilities. It was 20 times bigger than normal code, which usually takes only a few minutes to crack. Symantec’s Eric Chien and Liam O’Murchu spent a month working out what had happened. The film presents technical details in a digestible way, providing a fascinating look at the malware’s enormous capabilities.

Stuxnet was unusual in that it destroyed physical products. It targeted the industrial controllers that operated Natanz’s centrifuges, causing nearly 20 percent of them to fall apart. Yet the facility’s system was telling employees that the centrifuges were operating correctly because Stuxnet simultaneously relayed old data recorded before the attack.

Experts line up to highlight the masterful nature of the ambush. It’s a testament to director Alex Gibney’s perseverance that he gets them to appear on camera. Many others declined to comment on the record, or refused to discuss Stuxnet. Amos Yadlin, former head of Israeli military intelligence, says a hack is the best weapon because “the enemy doesn’t even understand what is happening to them.”

Yet while the aggressive attack was a success, it triggered a widespread backlash. The documentary goes on to explore what Stuxnet unleashed, with Russia and other countries getting hold of the malware and engaging in a new kind of warfare that doesn’t operate under international norms. “Do whatever you can get away with” is how Colonel Gary Brown, the staff judge advocate for U.S. Cyber Command, describes the new rules of engagement.

The film explains how Iran ramped up its cyber capabilities and went after civilian targets. In 2012, a destructive computer virus was unleashed at Saudi Aramco, erasing about 75 percent of the oil company’s data and replacing it with a picture of a burning American flag. Iran also hit the websites of nearly 50 U.S. banks, including JPMorgan, Bank of America and Capital One.

It’s an illustration of how companies have become casualties in a bigger battle. North Korea was widely blamed for the 2014 breach at Sony Pictures that destroyed files and debilitated the entertainment company, which had released a comedy about a plot to assassinate the hermit state’s leader, Kim Jong Un. The same year, Iran hacked the Las Vegas Sands (LVS.N) casino, owned by billionaire Sheldon Adelson. He had given a speech that called for the United States to threaten to “wipe out” the country if it didn’t halt its nuclear program.

These kinds of attacks have forced companies to examine why a nation would want to hack them and defend themselves accordingly, without the benefit of government intelligence or resources. For example, the Obama administration declined to intervene when Iran targeted U.S. banks.

Yet instead of exploring the uncharted territory many companies find themselves in since Stuxnet, “Zero Days” spends too much time going through the history of Iran’s nuclear program. As a result, the film offers a compelling account of the hack, but fails to tell the whole story of the wider turmoil it unleashed.
