March 23, 2018 51 mins

In 2010, a computer virus targeting specialized equipment at an Iranian nuclear facility made world news. What was Stuxnet and what did it have to do with uranium enrichment centrifuges?


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:03):
Get in touch with technology with TechStuff from HowStuffWorks.com. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland. I'm an executive producer here at HowStuffWorks. And yeah, I still kind of have a cold. You can kind of hear it. It's not as bad as it was last week when I

(00:25):
was recording those earlier episodes, though, so that's something. Uh, since I have a cold, you know, I thought my brain got on this little topic. It's sort of this free association thing: technology, colds, viruses. How about I talk about a famous virus? So we're going to really dive into the story behind Stuxnet, a famous piece

(00:48):
of malware that made headlines in and I've talked about it before on this show. In fact, Chris Pollette and I did an episode about Stuxnet several years ago, but at the time not as much information was available about what was going on. TechStuff technically launched two years before Stuxnet made headlines. So this is actually

(01:10):
an opportunity for me to look back at something that developed over the course of the history of this show and learn more about where it came from, what its purpose was, and how that whole story unfolded. Before I really dive into the story, I want to mention one of the

(01:30):
sources I used when I was researching these two episodes. Uh, this would be a book titled Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. The book goes into great detail regarding the story of Stuxnet. It also gives wonderful background information on the

(01:52):
key figures: cryptography researchers, cybersecurity researchers, all these people who were very much instrumental in discovering and uncovering Stuxnet and figuring out what it did and who was probably behind it, since that was never something that was officially acknowledged, but come on, we know who

(02:12):
it actually was. I'll talk about that in these episodes. That's a great book. If you want more information about Stuxnet after this episode, go check that out: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. It goes into way more detail than I'm going to cover in these episodes. Now,

(02:32):
these episodes are also going to contain a lot of history and politics in them, because Stuxnet, unlike many other examples of malware, was not intended to be a type of, uh, computer virus to create monetary gain for the people who designed it, or even just make people irritated.

(02:57):
It wasn't that kind of malware. You may have encountered malware that was meant to try and extort money from someone, where it locks down a computer and the only way to get access, at least according to the messages you receive, is to pay a ransom to the hackers. We call that ransomware. Stuxnet was not that type

(03:18):
of malware. Nor was it just some sort of capricious code that someone created in order to turn computer hard drives into giant concrete blocks. It was neither of those things. It had a very specific intent, and it was very much a, at least all signs at least pointed to

(03:40):
it being very much a state-sponsored piece of software, meaning that some government agency or agencies was behind the development of this. So it sets it apart from a lot of other versions of malware. And in order to understand it, I think it's good to begin with a quick history lesson of Iran's nuclear program, because that was

(04:04):
the ultimate target of Stuxnet. Back in the nineteen fifties, Iran, under the leadership of Shah Mohammad Reza Pahlavi, had received the nod from the world community to pursue a nuclear power program. At that same time, nuclear powers like the United States were trying to discourage other nations from developing

(04:25):
nuclear weapons. So they were essentially saying, hey, nuclear power, totes cool; nuclear weapons, let's not make this worse, because nuclear proliferation was becoming a big fear among various powers in the world and of course populations in the world. So it was sort of an Atoms for Peace kind

(04:46):
of initiative, saying, let's go and develop nuclear power for countries, that's great. That way you can generate electricity, but let's stay away from building the bombs. Iran's program was launched with the understanding that the country was only going to build these power plants, not weaponry, although all indications showed that the long-term plan for Iran was

(05:09):
in fact to develop nuclear weapons at some point. As part of this early agreement, the United States would sell to Iran the enriched uranium its power plants would need as fuel, so Iran wouldn't need to create its own uranium enrichment facilities. It would just purchase enriched uranium ready to go from the United States. And in fact, the US, Germany,

(05:31):
and France were all totally supportive of Iran's efforts, perhaps because those countries also stood to benefit from it. They were all going to make a boatload of cash by selling equipment and fuel to Iran, so there was a financial incentive to support Iran's efforts to create nuclear power plants.

(05:54):
All of this was despite the fact that the tools used to create nuclear power plants could conceivably be put to use to build nuclear weapons. So you could have someone say, hey, I just need this technology because I want to make a power plant, but in reality they might be using that technology to make boom-booms. So the thing that the United States said that kind

(06:16):
of justified their choice to support this program was, hey, the Shah, he's awesome. We get along so well, we're like besties. And so there's no way that Iran, even if they did develop nuclear weapons, would be a threat to us, their allies. So let's go ahead and

(06:38):
go all in. Let's go ahead and make some money. Come on, capitalism, woo. It's not like Iran will ever have a problem with the United States. And then nineteen seventy nine happened. In nineteen seventy nine, the Ayatollah Ruhollah Khomeini overthrew the Shah. Now, Khomeini did not share the Shah's opinion of the United States, and suddenly the U

(07:01):
S was tugging at its collar and saying yikes. So Germany and the US withdrew their support for Iran's nuclear program, and the Ayatollah Khomeini was not terribly interested in pursuing a nuclear power program either, so the power plants were pretty much abandoned for a few years. They

(07:21):
were also the frequent target of bombing raids during various conflicts that Iran got into over the course of the eighties. Now, the Ayatollah would eventually renew the nuclear program. In the nineteen eighties, after rumors spread that Iraq was developing nuclear weapons, and Saddam Hussein, the leader of Iraq at

(07:42):
the time, had already used chemical weapons against Iran during the Iran-Iraq War, the Ayatollah hired on an engineer from Pakistan to help Iran, using plans for centrifuges that the engineer had stolen from European companies. So this engineer had worked on behalf of these European companies and then

(08:03):
essentially did a little industrial theft, stealing the plans for centrifuges so that they could create a similar program in nations like Pakistan. This was all happening in secret, obviously, but Iran had gotten word of it, and so they contacted this Pakistani engineer, who agreed to help out Iran.

(08:25):
In nineteen Iran entered into a contract with Russia to complete a nuclear power reactor at Bushehr. This site in Iran had been one of the original planned power plants way back in nineteen fifty seven, but the various conflicts between fifty seven and ninety five had delayed and even destroyed the work that had been done on the location.

(08:47):
Iran and Russia were going to also build a uranium enrichment plant kind of co-located with this nuclear power plant, but the United States stepped in and said to Russia, hey, we think that's like a bad idea, man, and Russia eventually said dah and backed off. And that was supposedly that,

(09:08):
except it totally wasn't just that. In two thousand, Iran started building a new facility at Natanz, another site in Iran. Iranian officials claimed that this facility was a desert eradication location, but satellite imagery eventually showed that something else was up

(09:29):
in that site. The design of the facility suggested it was going to house something super secret that was to be protected from missile strikes and air strikes. And the reason they were drawing this conclusion was that Iran was clearly excavating a lot of land, building a large underground facility, something that needed to be, uh, insulated from potential

(09:54):
air attack, and the entrance hallway into the facility had a big U-turn in it. It wasn't a straight shot down into the heart of the facility. That U-turn was an indication that perhaps this was a way to avoid a smart missile flying down the entryway and hitting a target. If it had to turn nine degrees

(10:16):
or eighty degrees, then chances are no missile would actually be able to do that, and it was thus a tactic to avoid damage in the case of an air strike. But why would you need that for some innocent desert eradication facility? Why would it need to be underground and have these kind of measures in place? In two thousand two,

(10:38):
some whistleblowers alerted the UN that this facility would actually be a uranium enrichment plant. Now, Iranian officials eventually said, okay, yeah, but we were gonna tell you about it. We just hadn't done that yet because there wasn't really any need to. We're still months away from going online, so it's not

(11:02):
like there's any chance that this thing is already producing enriched uranium. We just want to have a facility to create nuclear fuel that we're going to use for our power plants. We want to be self-sufficient, is all. We don't want to have to buy our fuel from other nations. The UN stepped up inspections of the facility, or at least attempted to, although it initially encountered a

(11:25):
lot of resistance from Iran. The UN would say, all right, well, we're ready to come in and investigate this facility, and then the people in Iran would say, sorry, it's not ready yet. Come back next month. And then they would come back next month and say, all right, we're ready to look at the facility, and say, you know what, we lost the keys, don't know where the keys are. Could you come back maybe another day? And

(11:45):
it became increasingly clear, at least to the investigators, that something was up, and that there was a lot of activity going on, perhaps to cover tracks, perhaps to get rid of evidence, although it's impossible to say, because unless you actually are there to witness what is happening, you don't really know, but it seemed to imply that

(12:05):
there was something hinky going on. Eventually they were able to set up a regular inspection schedule of this facility, and they were there to make sure that the uranium that was being produced was meant for nuclear power and not nuclear weapons. And meanwhile, countries like the United States

(12:26):
were getting awfully antsy about Iran. On July six, two thousand nine, WikiLeaks hosted a note written by founder Julian Assange that referenced some sort of serious nuclear accident that had happened at the uranium enrichment facility. Now this would have been shortly after the Stuxnet virus would

(12:47):
initially be released, but at this time, no one outside of the people involved in Stuxnet would have possibly known about the virus, and it hadn't become public knowledge yet. In January, a United Nations agency called the International Atomic Energy Agency, or IAEA, began to notice that something

(13:07):
unusual was happening to the centrifuges at Iran's Natanz uranium enrichment plant. They saw that there was a failure rate that was unusually high. The agents would inspect the facilities at least once a month and then occasionally with some surprise inspections, and the whole point was just to make sure that nothing illegal was happening, that Iran was in

(13:29):
fact not trying to stockpile enriched uranium in the effort to build bombs. This was an important, uh, thing that the UN was doing, but it also was not the most efficient way of doing it if you wanted to recognize trends, because they would swap out who went

(13:51):
to investigate the facility each time. That kind of makes sense. You don't want one group to get compromised in any way or fooled in some way. Sending new people sends new sets of eyes. But it also meant that until you were looking at aggregated data, you could not necessarily

(14:11):
see that something unusual is happening. And something unusual was happening, specifically to the centrifuges. Now, to understand that, it also helps to understand what the heck the centrifuges were being used for in the first place, like what is their purpose in the process of refining uranium? Well, first, nuclear fuel needs to be made up of between three

(14:33):
and a half to five percent uranium two thirty five isotope. So isotopes are two or more forms of the same element, in which the atoms of the different isotopes have a different number of neutrons. Chemically, the two atoms behave the same way, but they'll have different atomic masses because of the difference in neutrons, uh, and they'll have different decay

(14:56):
rates and things of that nature as well. So there are three major isotopes of uranium that occur naturally, uh, within the Earth's crust. So if you mine uranium, you're gonna come up with a mixture of different isotopes at different concentrations. Most of it, in fact, more than nine of the stuff that occurs naturally is uranium two

(15:19):
thirty eight, less than one percent of it is uranium two thirty five, and then you get a teeny tiny bit that's uranium two thirty four. If you want to make nuclear fuel, you need a much higher percentage of uranium two thirty five than what you find in nature. In nature it's less than a percent, and for fuel you need it to be at least three and a half to five percent. By the time you're getting into the

(15:43):
enrichment process, you need the uranium to be in gas form, so you would get uranium ore, you would refine that down to uranium oxide, and then you would take that to a conversion plant that would take the uranium oxide and turn it into a gas called uranium hexafluoride. This gas has various isotopes of uranium in it. You have

(16:05):
both uranium two thirty eight and two thirty five, and you have it in the concentrations you would expect because it's from the stuff you mined from the ground. You then feed that gas into tubes inside a centrifuge. Centrifuges spin, and they can spin at really high velocities. We're talking tens of thousands of revolutions per minute. Now, when

(16:25):
they spin, it separates out the materials of different weight within those tubes. The heavy stuff moves towards the edges of the tubes, the sides of the tubes, and the lighter stuff will move towards the center. So if you spin the centrifuges at the right speed and you then effectively scoop out the middle of the tube, you can

(16:47):
separate the uranium two thirty five from the uranium two thirty eight. Now, you actually have to do this in a lot of different stages. You put them through one centrifuge, you do the scooping process, you do it again in another centrifuge. You have to do this multiple times in order to really get the right concentrations. Eventually you can do this enough to manufacture the uranium pellets that you would use

(17:08):
for nuclear fuel. If you wanted to make a nuclear weapon, you'd follow the same process, but you need way more uranium two thirty five. Nuclear weapons typically have a proportion of or more uranium two thirty five in them. Sometimes it's or greater, so you need a lot more uranium, and then you have to refine a lot of it

(17:29):
and enrich a lot of it in order to get to that level of uranium two thirty five. But it is exactly the same process, it's just a matter of more stuff. Centrifuges, as it turns out, are delicate. The ones that Iran was using were supposed to have a ten year lifespan, but these are moving pieces

(17:52):
of machinery. They have mechanical parts, and they work at high speeds, so eventually they'll fail. They may fail because of mechanical error, human error, all sorts of different stuff could cause them to break down. And because of that, typically in a year you might have to replace about ten of the centrifuges you have, even if they're brand new.

(18:16):
But the thing that the IAEA discovered eventually, after they looked at aggregated data, was that the number of centrifuges that they were replacing at this uranium enrichment facility was much higher than that. They had centrifuges at this point, so you would expect about eight hundred and seventy of them need to be replaced every year,

(18:38):
but apparently the number was actually much higher than that, perhaps as high as two thousand or more, although the actual figures were never published. But the IAEA was keeping track of this stuff. They just didn't notice the trend until they were looking at, again, a sequence of these visits and then realized, hey, that seems like a pretty high number, to replace that many centrifuges.

(19:01):
Wonder what's happening with this? Well, while this was going on, uh, there were other things happening that were indicating that something unusual had been unleashed in the world of computers. The folks at IAEA at this point did not suspect any kind of computer virus. They weren't sure what was causing the centrifuges to fail. It could have

(19:23):
just been that they were really bad centrifuges, that Iran had purchased them from a bad source, although Iran was stating that they had actually made the whole thing themselves, that the centrifuges were based off their own design, although again the United Nations officials, the investigators, were not buying it. They said, wow, these things look an awful lot like

(19:45):
the ones that were being used in Europe a few years ago. In fact, if I didn't know any better, I would say that these were direct copies of that and that they were based off stolen information. But Iran's messaging was that no, these were of our design and we built them. At any rate, the IAEA wasn't sure why these centrifuges were starting to fail. At

(20:06):
that same time, or actually a little bit later, in June, there was a cybersecurity professional named Sergey Ulasen in Belarus who was investigating some really weird computer behavior that had been reported in an Iranian computer. The computer in question was caught in an endless crash and reboot cycle, and

(20:29):
they weren't really sure what was causing it. The culprit looked like it might have been the antivirus software that was on the computer, that something was not compatible, and the antivirus software came from the company that, uh, Sergey Ulasen was working for. He was working for this company called VirusBlokAda. The Iranian computer had that anti

(20:52):
virus program on it. It was purchased originally from a reseller, so it wasn't purchased directly from the Belarus company, but rather an Iranian company that had the right to resell this antivirus software, and originally the person who owned the computer, or the agency that owned the computer, contacted the reseller and said, I'm getting

(21:15):
this error. The computer just keeps crashing and trying to reboot. What's going on? The reseller eventually fielded that question up to Ulasen. Ulasen got permission to log into this problematic computer using a remote login, and he began to look around to see what the heck was going on, and he eventually suspected the machine had been

(21:37):
infected by some malware and that this malware included a rootkit. Quick refresher: a rootkit is software that gives an unauthorized party access to control of a computer system. Hackers use this to get back door access and get information on computers, or they do it to create

(21:58):
botnets. Moreover, a rootkit masks this activity. It acts as like a shield to hide it from the host computer in an effort to escape detection. So a good rootkit is doing all this, allowing someone to remotely access your computer, but you can't tell because it's hiding all that activity from you. Well, like all malware,

(22:20):
rootkits are only useful if the targeted machine doesn't have suitable antivirus protection on it. It could be out of date, or it might not have antivirus software on it at all, or it might be so new that antivirus software doesn't yet have a profile on that type of rootkit, which means that it will escape

(22:41):
the antivirus software's detection because it doesn't know to look for it. Once antivirus software companies learn of a piece of malware, they can then adjust their software to identify and block those programs. But if there is a gap there, the malware can go for a while without detection, and it means that all machines can be

(23:01):
vulnerable to those attacks until someone catches on. And that seems to be what was going on in this case. Now, I have a lot more to say about the early detection of Stuxnet, but before I get into that, let's take a quick break to thank our sponsor. Alright,

(23:24):
so Ulasen realized that whomever was responsible for creating this malware that was causing this computer to crash repeatedly had done so by finding what is called a zero-day exploit. A zero-day exploit is a vulnerability within a piece of software code that has not yet been

(23:46):
identified by anybody else, including the people who made the software code in the first place. The software coders are likely completely unaware of it. In fact, that's really what makes it zero-day, is the fact that, you know, you come out with like a new version of an operating system, for example, and you are not aware that part of that operating system has this glaring

(24:09):
flaw in it that, uh, could be exploited. That's a zero-day exploit, and that ignorance is an incredibly powerful weapon for hackers. They will end up writing code that can exploit this vulnerability, and they know that there's no protection against it because the responsible parties for the software have not even realized that there's a potential for exploitation.

(24:33):
Ulasen figured out that the malware had to have been distributed by a USB thumb drive initially. Later on, researchers would figure out that the code would allow up to three machines to be infected by the same USB flash drive before the malware would prompt a computer to delete the contents of the flash drive, so it's kind

(24:54):
of like a self-destruct button. After three infections, the drive would be wiped. Propagation could also happen across a compromised network through computer-to-computer connections, and later on they discovered even other different ways that the virus can move from computer to computer. It did not, however, move across the Internet. This was a piece of malware that

(25:17):
was designed to infect computers that were on local networks but perhaps not connected to the Internet at large. So that was why they were using USB drives in the first place. Now, that did come with a disadvantage. It means that you have to get physical access to a machine to get the malware from the USB drive onto

(25:39):
the computer, and that drastically reduces the number of computers you could potentially infect. So why would you do this? Well, one reason to go with the USB delivery mechanism is to target computers that have an air gap. And that air gap is what I was talking about a second ago. That's a computer, or even a network of computers, that has no direct connection to the wider Internet at large.

(26:02):
There's an air gap between the Internet and the computer or system of computers. It's kind of like a self-contained island. It's cut off from the rest of the world, and it keeps the system safe from most forms of hacker intrusions. If there are no pathways that lead to the system, there's not a whole lot a hacker can do.

(26:22):
A true air-gapped system would have no connectivity to the Internet at all. Now, some systems have what we call an air gap, but they really have limited and controlled access to the Internet, typically through a computer or router that acts as a gatekeeper or portal. But if you put your malware on a USB stick and then you convince someone with physical access to the machine to

(26:44):
insert the USB drive, an air gap isn't really a problem. It might, however, mean that you, as a hacker, will remain unaware of your success. If the target machine has no way to phone home, if there's no way for the target machine to indicate, hey, success, then you may just be hoping that whatever you planned on doing was working. So,

(27:06):
like I said, all the vectors of attack for Stuxnet were based off of either USB or local network connections, but not over the Internet. And also the USB stick attack did not use AutoRun, at least not after the first initial wave of attacks. There were three separate waves of attacks, and the second and third one did

(27:29):
not use the AutoRun feature. A lot of malware does depend on AutoRun, and that's a feature that will automatically launch a program from something like a USB drive or an optical drive once you insert the media. You're probably familiar with this. Let's say that you've got a DVD, an actual movie on a DVD, and you put it into your computer, and the computer automatically launches

(27:50):
the DVD player software so that you can watch it as soon as the DVD has gone into the optical drive. Well, that speeds things up for the user, makes it more convenient, you don't have to hunt for the right program. But it does present a security risk, because if the software on the media is malicious, the computer has just automatically

(28:11):
launched bad software. But here's the thing. You can turn off the AutoRun feature, and a lot of systems will do that because it is a way to limit the risk and the vulnerability of those systems. You just turn off AutoRun and then your planned form of attack is not going to work. Someone puts that media

(28:34):
into a computer where AutoRun has been switched off, they'll get prompted, or they'll have the chance to run that stuff themselves. But chances are, if you don't recognize a program, you're not just gonna launch it. You might do some snooping first and find out if this is in fact something you want to run. So to remove that possibility, you might want to not use the

(28:55):
AutoRun feature to launch your malware. So that's what the hackers responsible for Stuxnet did. They decided that they would use a different approach. They targeted what are called LNK files. So an LNK file carries the information to display icons next to file types and applications like Windows Explorer. So if you've opened

(29:19):
up a file directory type of program and you've seen those little icons next to file names, that's due to an LNK file. This was a pretty sophisticated form of attack, and as far as Ulasen could figure out, it was the first of its type. Now, it turned out that it was not the very first of its type, but the previous implementations of this attack had not really

(29:39):
received widespread coverage, so it was still really new. Adding to this sophistication was the fact that there were four different versions of the LNK files on those USB sticks, and that meant that they could affect up to seven different versions of Windows. That increased the number of potential targets for the malware, so if a

(30:00):
computer was running one version of Windows, or maybe the next one or the next one, it still might be vulnerable. The only real thing that limited it was it needed to be a thirty-two bit installation of Windows. If it were a sixty-four bit installation, the virus was not going to work on it. Later on, researchers at

(30:20):
the security firm Kaspersky, uh, discovered other zero-day exploits that the virus took advantage of. So there wasn't just one zero-day vulnerability that Stuxnet could glom onto. There were three more that Kaspersky found at that point. One exploited a print spooler vulnerability, and it would propagate

(30:42):
the virus across networks that had a shared network printer, and a lot of networks do. The other two vectors used something called privilege escalation, which is where a program is able to leverage exploits to gain eventually a system-level control over computers, even if those computers have been locked down. The combination of all

(31:04):
the exploits suggested that the people responsible for the virus were serious heavy hitters who really desperately wanted to target specific computers. And it raised some really big questions. Why would you use four zero-day exploits, because common logic said you should just stick to one at a time?

(31:24):
Once a zero-day exploit is discovered, the clock is ticking before someone patches that respective software to plug up that vulnerability so that the exploit won't work anymore. So the zero-day exploit is only really valuable until people discover it. If you have more than one zero-day exploit involved in your malware, then you run the risk

(31:48):
of someone discovering all of those exploits if the malware itself becomes evident, and if they find all of those exploits, then all of those can be patched, which means you lose all of those vectors of attack in a single fell swoop. So this was kind of considered a big gamble.

(32:08):
Why would you throw all of your eggs into this basket, having all of four zero-day exploits? By the way, there was a fifth one actually that they had not yet discovered, though that one ended up getting patched after the first wave of attacks, uh, not because of Stuxnet. The fifth vulnerability had been independently discovered through other means

(32:31):
and had been patched. But ultimately that did mean five different zero-day vulnerabilities were used when designing Stuxnet over the course of the life of Stuxnet. On top of those zero-day exploits, the virus used four other means to copy and send itself along to other machines. So in total it had nine different methods to spread

(32:53):
the virus. One of them leveraged a vulnerability in special Siemens software to gain system-level privileges. Siemens is a company, it's in Germany, that creates all sorts of different kinds of software. The software in particular that Stuxnet was concerned with was for something called PLCs, programmable

(33:14):
logic circuits, or controllers rather, programmable logic controllers. So these are little implementations that allow computers to communicate with various devices, typically that are used in industrial applications, so it might be like a conveyor belt or valve system, that kind

(33:34):
of thing, which is a pretty odd thing for viruses to target, typically. There was another clever way that the malware could spread. It would create a file sharing server folder on every computer it infected if that computer were connected to other infected machines. So it's a computer on a network, and other computers on the network also got

(33:56):
infected by Stuxnet. They would chat with each other
and they would compare notes. They would say, hey,
which version of Stuxnet are you running? I've got
1.2, and they might say, well, I've got
1.2.1. Hey, your version is more current
than my version is, give me some of that sweet
Stuxnet. And sure enough the system would propagate the

(34:17):
latest version of Stuxnet across its network. So it
was kind of a peer-to-peer approach to spreading the
latest and greatest version of Stuxnet. And if someone
came in and infected a new computer with an even
more recent version of Stuxnet, then shortly that version
of Stuxnet would propagate across the other infected computers

(34:39):
on the network. It was a way of making sure
everyone was on the same page, even without them being
aware of it. The malware would install two driver modules
on the infected computer, and, uh, these driver modules were
posing as software drivers. Software drivers are

(34:59):
liaisons between a computer and some other piece of hardware. So,
for example, if you have a separate computer mouse, or
a microphone that you plug into your computer, or a
webcam that you plug into your computer, the driver is
what allows for meaningful communication between that device and your computer.
You may have occasionally had an issue where one of

(35:21):
your peripherals no longer seems to work on your computer,
and it's because the driver is out of date. It
may be that there was an update to the operating
system and that update has broken that communication channel between
your peripheral and your computer, and it requires that you
update your software drivers so that now the two machines
can talk to each other again. That's what the malware

(35:44):
would install: these apparently innocent, at least on casual glance,
driver modules onto the infected computer. Now normally, later versions
of Windows would send an alert to a user whenever
a piece of software was to be installed. If you've
used Windows 7 or later, then you know about this.

(36:06):
You get that little window that pops up and says, hey,
I see that you're trying to install this thing. Is
that really your intention? Because it gives you the chance
to say, heck no, I didn't know that was happening,
stop it, and then you could investigate, and if it
were malware, you would know something was up and you
can maybe do something about it. So the goal of
the hackers is not to have this window pop up.

(36:29):
So this malware Stuxnet was a lot more insidious
than just a fake driver. It contained a digital certificate
from a legitimate Taiwanese hardware company called Realtek Semiconductor.
Digital certificates are like authorized signatures. These are a way for

(36:49):
companies to authenticate that the software they distribute in fact
actually comes from them, and big players that are trusted
can use those certificates to authenticate drivers and other software on
machines without the need for that pop-up notification. You're
not gonna get it every time, because essentially what's happening
is Microsoft says, hey, there's this software that wants to

(37:10):
execute on this machine. Oh wait, this software is from
such and such company, and I know they're cool, And
it's a digital certificate that tells me that it's absolutely
from that company because they protect their certification process, so
I know it's not from anyone else, so I don't
need to worry the user. I'm not gonna send that
pop up because everything's totally on the up and up,

(37:33):
so as long as the software is authenticated as being
from a trusted source, there's no extra step in there.
But that created a pathway for potential attacks, though at
the time not very many people were considering that. One
person who was, was a security expert with the Finnish
company F-Secure. That is a company from Finland, not

(37:55):
a company that finishes things, and in July he pointed
out that if a hacker were to get access to
digital certificates, they could potentially sneak malware onto computers
using that, which was exactly what was going on with
Stuxnet. Now, this researcher wasn't aware of Stuxnet
at the time. He was just saying, hey, this is

(38:17):
a potential problem. And as it turns out, it wasn't
just a potential problem, it was a real problem that
was going on at that very moment. Moreover, digital certificates
have an expiration date, and this is to help make
sure that they remain secure. You have to renew your
certificate so that it doesn't stick around long enough for
bad actors to get hold of it and then leverage

(38:38):
it the way the malware authors had done in the
case of Stuxnet. So you end up creating a
certificate that has an expiration date on it. After the
expiration date, you then administer a new certificate that
has new code on it, but it still has that authentication.
And that way, if anyone tries to use the old

(38:59):
certificate, then an operating system like Windows can
say, wait a minute, that certificate is out of date. Uh,
I'm going to alert the user because that could be
an indication that someone had gotten a hold of an
old authentication certificate and they're trying to pass it off
as legitimate. So anytime a certificate expires, it's no longer

(39:19):
really useful for the case of malware distributors. So some
companies will hire out their certificates, like they'll create certificates,
and then other parties will come to them and say, hey,
we have created the software. We would like to say
that we created it in partnership with you, and in return,
you can put your authentication certificate on this software, which

(39:43):
will help us out a lot. Uh, so some companies
will actually do that. Others are way more protective of
their digital certificates. No one was sure at this point
if Realtek had their certificate stolen somehow, if
the hackers had managed to, uh, illegally get hold of
this digital certificate, or if there had been
some other form of transaction involved, if Realtek perhaps

(40:06):
licensed out, essentially, their certificate. Circumstantial evidence suggested that it
was a stolen certificate. Looking at the malware code, it
appeared that one of the driver modules had its certification
signed to it just six minutes after the original code
had been compiled. This was found out by converting the
code into binary and then being very meticulous about looking

(40:29):
for the data for any sort of timestamp information. Now,
it is possible to fudge things like the date and
time of compiling, but that's not necessarily easy to do,
so you could say that the compile date's not really
a smoking gun, but it does suggest that the certification
had been sticking around in the pocket of whomever had

(40:51):
been designing Stuxnet and then immediately slapped onto Stuxnet
once the code was compiled and ready to go. Now,
I've got a lot more to say in the first
episode about Stuxnet, but before I continue, let's
take another quick break to thank our sponsor. Ulasen would

(41:13):
reach out to both Realtek and Microsoft to alert
both companies of this vulnerability because it had that digital
certification from Realtek and it was affecting Microsoft-based machines.
He had not figured out what the malware was actually
for yet, that would be the payload. He was understanding

(41:34):
a little bit of how the malware would infect machines,
but he didn't know what it was supposed to do.
He didn't know it could potentially infect millions of computers
around the world because that digital certification gave it kind
of a VIP pass onto machines, and if
it was meant to steal information or cause mischief, he

(41:55):
wanted to nip that in the bud. One interesting tidbit
is whoever designed the malware had been
really careful to do it in such a way that
the major antivirus packages out there wouldn't suspect a thing.
It was compatible with all the major antivirus packages,
so most people wouldn't have any way of telling that
something hinky was going on. Clearly, the hackers who designed

(42:19):
this had worked with computers that had these antivirus
software packages installed on them to make sure that it
would slip under the radar. But VirusBlokAda was
a small operation, and it may have been able to
have this incompatibility problem where it was causing the
computer to crash and reboot over and over again, simply

(42:41):
because the people who were designing the Stuxnet virus
had never really encountered this particular antivirus platform before,
and they weren't able to make sure that Stuxnet
would not be picked up by it, and so it
was a real enigma. Ulasen couldn't even get the virus
to regularly replicate the problems he was seeing, so he

(43:05):
wasn't really certain what was happening. Uh, it was largely
a matter of luck that this happened at all and
brought people's attention to it. After two weeks without hearing
anything back from Microsoft or Realtek, Ulasen posted information
about what he had found both to his company's website
and on an English-speaking cybersecurity forum. He did

(43:27):
that on July 12, 2010. That was
the same day that the Finnish security firm was talking
about how digital certificates from trusted sources could become a
vector for malware. On July, just a few days later,
security researcher and tech journalist Brian Krebs posted about the malware,
and it quickly became the talk of the cybersecurity

(43:48):
sphere at that point. Microsoft is the company that actually
gave the malware its name, and the company named it
that by combining some elements of code that were found
in the virus itself, including the file name for one
of the driver modules, which was mrxnet.sys. At this time, VirusBlokAda had updated

(44:10):
its antivirus software to sniff out Stuxnet. It
was looking for any sort of markers that would identify
Stuxnet, and the company discovered that the malicious code
had infected many computers across the Middle East. In particular,
on July, a Slovakian security firm called ESET

(44:30):
discovered a new driver module that seemed to
be very similar to the Stuxnet one that was
previously identified. This one had a digital certificate from a
different company called JMicron Technology, which was also from
Taiwan and in fact was located just a couple of
blocks away from Realtek. The malware appeared otherwise to

(44:51):
be pretty much the same as its predecessor, so why
did it have a different digital certificate? Well, part of
the reason was that the Realtek certificate had
expired in June 2010, so you couldn't
infect new computers using it. Windows would not allow a
driver with an expired digital certificate to install itself on
a computer without notifying the user. The new legitimate digital

(45:13):
certificate from JMicron Technology could sidestep that problem. The
new attack may have launched on July four, just two
days after Ulasen had made his findings public, and it's
possible that the malware was released hurriedly in reaction to
the announcement, in what might have been an attempt

(45:33):
to infect as many computers as possible before Microsoft could
patch the vulnerability. There's some evidence to support this hypothesis,
as the code in this release was a little less
buttoned down than the original attack had been back in
2009. And by some evidence, I mean there
were some sloppy mistakes. The digital certificate contained a block
of information about the company that issued the certificate, kind

(45:57):
of like, you know, a little bit of information
about JMicron, and that bit of information included a
URL to a JMicron website, except there
was a typo in the URL, and so
any attempt to visit that particular address would return a
Server Not Found error. Uh, if anyone had tried it,

(46:17):
they might have said, well, this is kind of strange
that a company would issue a digital certificate and yet
have the wrong URL in there. You would
think that for something that important they would make absolutely
certain they had correct information included, so that was one
red flag. There were also fields within the certificate that
had the value "change me" written in them instead of

(46:38):
whatever information should have been there. Now clearly that was
a note written by a hacker to his or her
team as a placeholder, you know, don't let this go
out before you change it, but it was never actually
replaced or changed. Those elements suggest the malware was rushed
out the door ahead of plan. Researchers later determined that
the original attacks happened in three waves. June of two

(47:01):
thousand nine was the first one and used an autorun
attack. March and April were the second two attacks,
and then after that you end up with these approaches
that were using a different digital certificate. It didn't appear
to have anything to do with identity theft, didn't have
anything to do with creating a botnet. So why

(47:23):
would you design code that can infect millions of machines
but it didn't actually cause harm to the host computers
or do anything else of any real consequence? Frank Boldewin,
a cybersecurity expert in Germany, discovered the first clues as
to Stuxnet's purpose. Boldewin had analyzed the code and

(47:45):
noticed that it appeared to have been designed to target computers
that had a particular type of software on them. That
software came from the German company Siemens that I mentioned earlier. Now,
they make lots of different stuff, including software for other
businesses, and the particular software, or to be more specific, the
two programs that this virus was searching for. Whenever it

(48:07):
would infect a computer, it would look to see if
one or both of these programs was installed also on
that computer. They were for industrial control systems. It's the
sort of thing you would find in a manufacturing facility,
so again, like the controllers for things like valves or
conveyor belts or other simple interconnected systems. Now, Boldewin's hypothesis

(48:29):
was that the malware was a type of industrial espionage.
He thought perhaps a company had created this malware in
an attempt to spy on competitors and learn how they
operate in an effort to gain a market advantage over them.
That wasn't exactly the right track, but it at least showed
that this malware was meant for a very specific reason.

(48:51):
What that reason was I've kind of alluded to already,
but we're going to dive into more of that in
our next episode to really look at how Stuxnet
unraveled and what were the motivations behind it, who was responsible,
and what was the fallout from this stuff. Uh, there's
no pun in that, there was no nuclear fallout. I

(49:13):
want to be clear about that, because otherwise this would
be a very dark series of episodes. As it stands,
it's still pretty scary because we're talking about cyber warfare
at this point, using computers to create real world physical effects,
which is pretty phenomenal. Up to this point, most people

(49:33):
thought of that as being just theoretical, that computers could
do a lot of damage to data and could create
a nuisance, but couldn't necessarily cause physical damage to the
real world around us. Stuxnet proved we shouldn't be
so sure about that. Again, I'll talk about that more
in our next episode. If you guys have suggestions for

(49:53):
tech topics I should cover in the future, maybe it's
a company, maybe it's a specific technology, maybe it's a
person in tech who you think I should profile,
let me know. Or if there's someone you think I
should interview or have on as a guest co-host,
let me know that as well. You can get in
touch with me through email. The address for the show
is techstuff@howstuffworks.com, or

(50:16):
drop me a line on Facebook or Twitter. The handle
for both of those is TechStuffHSW. Follow
us on Instagram, and of course you can watch me
record this show live at twitch.tv/techstuff.
I typically record on Wednesdays and Fridays. There's a chat
room there. You can join in on the merry band
and have fun, high-spirited conversation about that weird thing

(50:41):
I just said and had to go back and fix
so that the podcast listeners will never know, but you'll
know because you're pretty darn cool. Well, that's it for
me for now. I'll talk to you again really soon.
For more on this and thousands of other topics, visit

(51:02):
howstuffworks.com
