The United States hacked into critical civilian and military infrastructure in Iran to allow its operatives to disable the country with a devastating series of cyberattacks at a moment's notice, a documentary will claim this week.
The targets of the U.S. hacking operations, covered by the code name "NITRO ZEUS," include power plants, transport infrastructure, and air defenses, the film will state, with agents entering these protected systems nightly to make sure the attacks were still deployable.
The film, Zero Days, by Oscar-winning director Alex Gibney, which is set to premiere at the Berlin film festival on Wednesday, will claim that the U.S.-Israel "Stuxnet" worm — which destroyed around 1 in 5 of the centrifuges used in Iran's nuclear program — was just a small part of a much larger set of offensive capabilities developed against the nation.
Citing at least five confidential U.S. military or intelligence sources with direct knowledge of the programs, the film claims:
• U.S. hackers working from the Remote Operations Center (ROC) in Fort Meade, Maryland, have penetrated huge swaths of Iran's critical infrastructure, and were ready to launch disabling attacks alongside any military operation;
• Some within the State Department and the National Security Agency (NSA) expressed concern around the legality and ethics of some of these operations, which risked disabling civilian as well as military infrastructure;
• Israel modified the Stuxnet worm, targeted at Iranian nuclear facilities, making it far more aggressive, then unilaterally launched the new version. This was the one discovered by security researchers, who eventually traced it back to the two nations' intelligence agencies;
• Intelligence from the UK's GCHQ agency was used in deploying Stuxnet against Iranian facilities.
BuzzFeed News received an advance viewing of Gibney's film, and was given access to additional reporting material and research notes used for its production. These materials have been supplemented by independent reporting, including from previously published NSA documents from the cache leaked by Edward Snowden.
"Stuxnet" was the name given to an unusually sophisticated computer worm when it was discovered by security researchers in 2010. The code was unprecedentedly complex, and included four "zero days" — previously unknown vulnerabilities that guarantee an attack's success and trade for hundreds of thousands of dollars a time on the black market.
Researchers quickly concluded that due to its complexity and use of valuable, previously unknown vulnerabilities, it was almost certainly the work of one or more state actors.
Eventually, it was revealed the Stuxnet worm was the product of a long collaboration between the U.S. and Israel, code-named "Olympic Games", to tackle Iran's nuclear program without resorting to airstrikes or assassinations, both of which Israel had previously deployed or considered in its bid to stall Iran's progress.
The worm worked by changing the programming of the computers controlling the centrifuges used to enrich uranium, reporting back normal behaviors to the facility's operators while actually implanting a series of destructive actions, including even causing the centrifuges to speed up until the pressure on the system's delicate components caused them to explode.
Both nations, the film reports, had full and independent access to the source code of the worm, which in its earlier versions did not spread aggressively, helping keep it contained and undiscoverable.
When a version infected numerous unintended targets in 2009, the workers in the ROC switched almost full-time to silently cleaning up infected computers to prevent the worm's discovery — for fears this would lead to researchers determining who was behind it, potentially prompting retaliatory measures.
This was, Gibney reports, a significant source of anger when several months later Israel reportedly unilaterally released its modified version of the worm. This version traveled far more easily across many more systems, eventually infecting hundreds of thousands of computers in more than 115 countries, inevitably leading to the worm being analysed in detail by security researchers. This in turn led to the public revelation that the U.S. and Israel were behind the attack, despite neither country publicly acknowledging responsibility.
"The secrecy of the operation has been blown," a U.S. source told the filmmakers.
"Our friends in Israel took a weapon that we jointly developed — in part to keep Israel from doing something crazy — and then used it on their own in a way that blew the cover of the operation and could've led to war."
In the months following the publication of a New York Times article identifying the nations behind Stuxnet, U.S. banks suffered a series of crippling cyberattacks publicly ascribed to Iran. State-sponsored cyberattacks have risen in frequency and severity since, with the U.S. openly accusing China of engaging in operations against American companies and public bodies on multiple occasions.
However, the Zero Days film reveals that the "Olympic Games" attack on Iran's nuclear program was a virtual sideshow when compared with a much wider range of operations against Iranian infrastructure, all covered by the code name "NITRO ZEUS."
NITRO ZEUS was formally a "caveat" to Sensitive Compartmentalized Information, more commonly referred to as a "read-on." In practice this refers to some of the most sensitive information held by the NSA and other U.S. intelligence agencies, meaning a controlled list of named individuals were aware of the term and its scope.
The program was run out of U.S. Cyber Command and the NSA, with operations conducted out of the ROC in Fort Meade (motto: "Your data is our data, your equipment is our equipment — anytime, any place, by any legal means") with a mixture of civilian and military staff.
The operations under NITRO ZEUS included Iran's industrial facilities, command-and-control, electrical grid, air defense, and transportation. Gibney describes the operations as "likely the largest and most complex cyber war plan the U.S. has ever created."
The film's sources said NITRO ZEUS involved hundreds of personnel over several years, and cost "hundreds of millions" of dollars — building programs ready to "disrupt, degrade, and destroy" Iranian infrastructure with code intended to leave no direct clues as to who was responsible for the attacks.
NITRO ZEUS was not just some theoretical battle plan, Gibney reports. Operatives had already gained access to all the relevant systems to execute the attacks if the order was given, and checked back on a near-nightly basis to ensure all the access points were still live and operational, and that the attack code wouldn't interfere with any other code on the systems, to reduce the risk of discovery — or accidental triggering. The number of implants in Iranian targets was reportedly in the hundreds of thousands.
The film's supporting research material also reveals an array of concerns about such capabilities within the U.S. government and agencies. The State Department was seen by those in other agencies as a "wet blanket" when it came to operations for expressing concerns about violating the sovereignty of third-party nations' cyberspace, or about operations that could have significant impact on civilians.
The legality around cyberattacks that disable real-world infrastructure is complex and not yet established under international law, though targets such as power stations would often count as legitimate targets in conventional warfare.
However, one confidential source expressed concerns to Gibney about the extent of NITRO ZEUS, saying some planners had "no fucking clue" as to the consequences of some of the proposed attacks.
"You take down part of a grid," they told him, "you can accidentally take down electricity in the entire country."
Other U.S. cyberattacks are believed to have already had such inadvertent side effects, albeit on a less dramatic scale. In November 2012, almost the entirety of the Syrian internet suddenly went offline, in what was believed at the time to be a deliberate act by the Syrian government to thwart opposition groups.
However, in August 2014, Edward Snowden told Wired magazine the outage had actually been caused accidentally by NSA hackers attempting to gain access to the routers providing the backbone of the country's networks.
Even those who are usually among U.S. intelligence's staunchest defenders have expressed concerns about the country's cyber capabilities and doctrine for using them.
Michael Hayden, a former director of both the CIA and the NSA, told Gibney the U.S. action risks creating new international norms of cyber warfare.
"I know no operational details and don't know what anyone did or didn't do before someone decided to use the weapon, all right," he said. "I do know this: If we go out and do something, most of the rest of the world now thinks that's a new standard, and it's something they now feel legitimated to do as well.
"But the rules of engagement, international norms, treaty standards, they don't exist right now."
In public remarks, Hayden once noted of Stuxnet "this has the whiff of 1945. Someone just used a new weapon." He also said the secrecy around the U.S.'s cyber programs was stifling the ability to have a public debate about their consequences.
"This stuff is hideously overclassified and it gets into the way of a mature public discussion as to what it is we as a democracy want our nation to be doing up here in the cyber domain," Hayden said.
"Now, this is a former director of NSA and CIA saying this stuff is overclassified. One of the reasons it's as highly classified as it is… This is a peculiar weapon system. This is a weapon system that's come out of the espionage community, and so those people have a habit of secrecy."
The film seeks to warn that the norms of nation states' cyberattacks — "the norm in cyberspace is do whatever you can get away with," one contributor states — have been set by Stuxnet and its discovery, and leave the U.S. at risk as a major and vulnerable potential target.
"It's much more difficult in the cyber area to construct an international regime based on treaty commitments and rules of the road and so forth," explains Gary Samore, Obama's WMD czar from 2009 to 2013. "Although we've tried to have discussions with the Chinese and Russians and so forth about that, but it's very difficult."
BuzzFeed News asked the Office of the Director of National Intelligence for comment on the "Olympic Games" and NITRO ZEUS revelations, as well as a series of questions on how the targeting decisions under the programs were made, whether the U.S. had changed how it cooperates with Israel on cyber operations, and whether the U.S. supports introducing treaties governing the use of cyber weapons. The agency declined to comment.
The Zero Days film will also raise questions for the UK's GCHQ intelligence agency, which cooperates closely with the NSA as part of the Five Eyes intelligence-sharing coalition. The film reports intelligence from GCHQ provided part of the bedrock for deploying Olympic Games, as well as for NITRO ZEUS operations, though it does not reveal whether GCHQ was aware of the final use to which its information was being put.
This would reflect a longstanding legal concern within GCHQ as to whether its intelligence could be used for U.S. or Israeli operations that would not be allowed under UK law.
A top-secret memo prepared ahead of a 2013 visit by then GCHQ director Iain Lobban to the NSA shows such matters — especially in relation to Israel and Iran — had been a topic of discussion at the top of both agencies.
The memo, published by The Intercept, notes "it is possible Sir Iain may ask about what safeguards NSA may be putting in place to prevent UK data from being provided to others, the Israelis for instance, who might use that intelligence to conduct lethal operations."
The memo also noted Lobban may ask for "views on what is going to happen with Iran, to include potential Israeli support," and reminds its recipients that GCHQ and the NSA worked "jointly" on "high-priority surges" including in response to Iran's discovery of FLAME, another sophisticated cyberattack aimed at the nation.
BuzzFeed News asked GCHQ whether its contribution to Olympic Games and NITRO ZEUS had been made with the prior consent and knowledge of the agency, who authorised such cooperation if so, and how such operations would sit within UK law.
"We have no comment to make," a spokesperson for GCHQ said.