Malware of Mass Destruction: Meet Nitro Zeus

Who needs nuclear weapons when you can bring down an entire nation’s infrastructure and kill millions of people from the comfort of your own home? That’s what it’s come down to. You can kill people and disable nations with a few lines of computer code. The ability to bring down an entire nation is the fundamental goal of the U.S. government’s new mega malware, Nitro Zeus.

This malware came to light in the recent documentary film, Zero Days, which traced the history and implications of the Stuxnet worm, one of the most complex malware packages ever put together. However, comparing Stuxnet to Nitro Zeus is like comparing a high school football team to an NFL team. Yes, they are both football teams and follow the same rules, but that’s where the comparison ends.

I don’t want to give a detailed account of Stuxnet. I’ve done that elsewhere. However, here are the key points that need to be kept in mind. First of all, the malware did not need an internet connection to disable Iran’s centrifuges. In other words, it was designed to reach air-gapped computers and equipment: it spread on USB drives and across local Windows networks until it found an engineering workstation running the Siemens STEP 7 software that programs the controllers. There are a number of ways to do this (see my post on attacking air-gapped computers), but most people continue to believe that a computer not connected to the internet is safe from attack. As the informant in the film put it, “we laughed when people thought they were protected by an air gap”. The Stuxnet malware attacked the programmable logic controllers (PLCs) which ran the centrifuges. It periodically changed the frequency of the drives spinning the centrifuges, pushing them far outside their normal operating range so that, over time, they destroyed themselves. At the same time, the malware fed the control and monitoring systems recorded readings from a period of normal operation, so the operators’ screens showed that nothing was wrong and all systems were running smoothly.
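To make the record-and-replay trick concrete, here is an added simulation (not code from the original post, and not Stuxnet code): a PLC drives a centrifuge toward a setpoint and reports a sensor reading to the operator screen (HMI); the attacker records a stretch of healthy readings, then raises the setpoint while replaying the recording to the HMI, so the screen stays calm while the rotor overspeeds. It also shows two checks a defender can run: exact repetition in the telemetry, and disagreement with an independent sensor that does not pass through the PLC. Every constant (frequencies, cycle counts, tolerances) is an illustrative assumption, not a figure from the page.

```python
"""Added simulation of a Stuxnet-style PLC-to-HMI replay attack and two detections.
All constants are illustrative assumptions, not real centrifuge figures."""

import math

SAFE_MAX_HZ = 1100.0      # assumed mechanical limit of the rotor
NORMAL_HZ = 1064.0        # assumed normal drive frequency
HOSTILE_HZ = 1410.0       # assumed frequency the attacker commands
RECORD_CYCLES = 10        # healthy cycles the attacker records before striking
TOTAL_CYCLES = 30
DIVERGENCE_TOL_HZ = 5.0   # disagreement tolerated between HMI and independent sensor


class Centrifuge:
    """First-order response of rotor speed toward the commanded setpoint."""

    def __init__(self, hz=NORMAL_HZ):
        self.hz = hz

    def step(self, setpoint):
        self.hz += 0.5 * (setpoint - self.hz)
        return self.hz


def sensor_reading(hz, cycle):
    """Measured speed with a tiny deterministic jitter: real telemetry is never flat."""
    return round(hz + 0.1 * math.sin(cycle), 3)


class Plc:
    def __init__(self):
        self.setpoint = NORMAL_HZ
        self.device = Centrifuge()

    def cycle(self, n):
        hz = self.device.step(self.setpoint)
        return sensor_reading(hz, n), hz


class ReplayAttack:
    """Hooks the path from PLC to HMI: record healthy values, then replay them while overspeeding."""

    def __init__(self, plc):
        self.plc = plc
        self.recorded = []

    def hmi_view(self, n, reading):
        if n < RECORD_CYCLES:
            self.recorded.append(reading)
            return reading
        if n == RECORD_CYCLES:
            self.plc.setpoint = HOSTILE_HZ   # strike once the recording is full
        return self.recorded[n % RECORD_CYCLES]


def detect_replay(hmi, window=RECORD_CYCLES):
    """Cycles whose HMI value exactly equals the value `window` cycles earlier (replayed data loops)."""
    return [i for i in range(window, len(hmi)) if hmi[i] == hmi[i - window]]


def detect_divergence(hmi, independent, tol=DIVERGENCE_TOL_HZ):
    """Cycles where the HMI disagrees with an out-of-band sensor by more than tol."""
    return [i for i, (h, s) in enumerate(zip(hmi, independent)) if abs(h - s) > tol]


def run_simulation():
    plc = Plc()
    attack = ReplayAttack(plc)
    hmi, independent, true_hz = [], [], []
    for n in range(TOTAL_CYCLES):
        reading, hz = plc.cycle(n)
        independent.append(reading)              # sensor wired straight to the monitor
        hmi.append(attack.hmi_view(n, reading))  # what the operator screen shows
        true_hz.append(hz)
    return {
        "hmi": hmi,
        "true_hz": true_hz,
        "replay_alerts": detect_replay(hmi),
        "divergence_alerts": detect_divergence(hmi, independent),
    }


if __name__ == "__main__":
    r = run_simulation()
    print("HMI peak: %.1f Hz   actual peak: %.1f Hz" % (max(r["hmi"]), max(r["true_hz"])))
    print("first replay alert at cycle %d, first divergence alert at cycle %d"
          % (r["replay_alerts"][0], r["divergence_alerts"][0]))
```

The point of the second check is that the independent sensor never touches the compromised PLC or workstation; a plausibility check that compares only values the PLC itself reports can be fooled exactly as the operators in Natanz were.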

A worm that can rewrite PLC logic could in principle be aimed at any machine or device that depends on PLCs, so the malware’s designers made sure it was adjusted to attack only the centrifuges: the payload checked for Siemens S7 controllers driving a specific arrangement of frequency converters and stayed dormant anywhere else. That was all fine until it escaped into the wild, according to some, through Israel’s mismanagement. Now the Stuxnet code is widely available and can be modified to attack other targets, from cars to nuclear power plants, though its propagation and delivery components are the reusable part; the PLC payload was written for one plant’s equipment and would have to be rewritten for each new target. As retired General Michael Hayden noted, “There are those out there who can take a look at this… and maybe even attempt to turn it to their own purposes”.

To raise Stuxnet to the level of Nitro Zeus, you really only have to ask one question: Why should we worry about disabling individual machines or small control networks when we can take out the entire power grid? In fact, they both operate in a similar way. With this threat in their arsenal and with the likelihood that Nitro Zeus was already sitting within Iran’s infrastructure just waiting for the word to be deployed, the U.S. and other western nations convinced Iran to agree to the terms of the nuclear agreement offered them. It was an either/or proposition that Iran simply couldn’t risk challenging.

Had it been necessary, the U.S. could have staged a demo strike, taking out the power in a localized area. Maybe they did. Who knows? According to experts, they could have also shut down Iran’s communications and air defense systems and much more. In any event, the threat worked… kind of. The problem is that Iran probably got its hands on Stuxnet and was then able to modify it for their own purposes.

And it didn’t take them long. In 2013, Iranian actors scanned control systems connected to the U.S. power grid and got into the control system of a small dam near New York (the Bowman Avenue Dam in Rye Brook; the intrusion was disclosed publicly in late 2015 and charged in a 2016 indictment). By the government’s account the attackers reached the dam’s SCADA system through a cellular modem, and the sluice gate happened to be disconnected for maintenance at the time, so nothing could actually be moved; nothing in the public record ties the intrusion to Stuxnet code. Even so, it read as Iran’s own demo attack. It was more of a counter threat – you take out our grid and we’ll take out yours.

Programmable Logic Controllers, PLCs, are just that, programmable. Their logic is written in the IEC 61131-3 languages (ladder logic, structured text, function block diagrams) on an engineering workstation, typically a Windows machine running the vendor’s tools such as Siemens STEP 7, and then downloaded to the controller over the plant network. PLCs are widely used in industries and other areas of key infrastructure, and the controller itself rarely checks who sent it a new program or whether that program has been tampered with, so compromising the workstation is usually enough. Stuxnet did exactly this: it replaced the STEP 7 communication library so that every download to the PLC carried its code and every upload back from the PLC hid it. Hacking one of these devices could therefore cause anything from a minor disruption to a catastrophe, and the practical check is to compare the program actually running on the controller against a known-good copy kept offline.

[Image: the Siemens PLC]

It is widely accepted that the Iranians aren’t alone in being positioned in vulnerable parts of the US infrastructure. Other nation-states, such as Russia and China, are also known to be there. Of course, the US is also probably positioned in their infrastructures. This is what sustains the dangerous balancing act. No one dares do too much to another country for fear of a reprisal which may escalate into full scale cyberwar.

A country like Iran may not have malware as sophisticated as Nitro Zeus, but even if they ‘only’ have a Stuxnet variation, here are a few things they could do. Some of these have been demonstrated as feasible and some are theoretical.

Take Control of Traffic Lights – This has been demonstrated as possible: researchers have shown that the wireless links and controllers at intersections are often reachable with default or no credentials. An attacker could not simply make all lights in a city green, because a hardware conflict monitor at each intersection (the malfunction management unit) drops the signals into flashing red if conflicting greens are commanded, but an attacker can deliberately trip that failure mode, hold lights red, or alter timing across a city. Widespread disruption and traffic gridlock would likely result. Though the situation could be remedied relatively quickly, this sort of attack could be used as a distraction for a more serious terrorist attack.

Take Control of Air Traffic Control Systems – Demonstrated as possible in part: aircraft broadcast their position over ADS-B without any authentication, and researchers have injected phantom aircraft into those broadcasts with inexpensive radios. It is easy to imagine the disasters that could result from having planes land, take off, and maneuver in ways that they shouldn’t.

Cause Massive Destruction to Factories – This would be similar to what Stuxnet did to the centrifuges in Iran. Basically, all factories use some or many PLCs to keep machines running within certain safe parameters. It would be possible to destroy machinery that depends on these PLCs and stop all production for a considerable period of time; where the protective interlocks live in the same controller’s software rather than in separate hardwired or safety-rated devices, an attacker who rewrites the logic can disable those too. Hitting a number of interrelated factories could cause massive economic damage.

Shut Down Power Plants – This has been demonstrated as possible, not only that, it has been described by some researchers as “shockingly easy”, and in December 2015 it was actually done: attackers took over operator workstations at three Ukrainian distribution companies, opened breakers from the hijacked HMI sessions, and left roughly 225,000 customers without power for several hours. Even more surprising is the fact that power plants in the U.S. are frequently and successfully attacked. According to one investigation, “more often than once a week, the physical and computerized security mechanisms intended to protect Americans from widespread power outages are affected by attacks, with less severe cyberattacks happening even more often.” Power stations are, after all, similar to factories with their product being electrical power. Destroying their ability to produce power can knock out a section of a nation’s power grid and, in some cases, produce a cascading failure: the load the lost station carried shifts onto its neighbors, which trip in turn if they cannot absorb it. This is the true doomsday scenario as large regions of a country could be left without power for days or more.

People tend to equate power loss with the lights going out, but it is far more sinister than that. Where would you get water from if the pumps won’t work? How would you flush a toilet? How could you use a cell phone or the internet? What about the food in your refrigerator or freezer? How long can a hospital’s backup generators perform? How do you cook or heat your home? How do you contact the police, the fire department, or an ambulance? How would you get gas for your car, or the money to pay for it even if you could get it? Remember, banks and ATMs would be shut down and there would be no devices to accept a credit card.

Factories, businesses, and stores would be forced to close. Airplanes, cars, trains, and subways would crash and then stop completely. Many people would die. How many? That would depend on the length of the outage. However, according to a 2014 Federal Energy Regulatory Commission analysis, reported by the Wall Street Journal, if an attacker could “destroy nine interconnection substations and a transformer manufacturer …the entire United States grid would be down for at least 18 months, probably longer.” This is not some wild-eyed survivalist predicting the end of the world. This is a legitimate government agency. Could you survive in a world without electricity for a year-and-a-half?
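The cascading failure mentioned under “Shut Down Power Plants” and the “nine substations” figure above rest on the same mechanism: a few well-chosen losses overload everything around them. Here is an added model of that mechanism (not code from the original post, and not real grid data), a load-redistribution cascade of the kind used in network-resilience research: each substation carries a load and has a capacity of (1 + margin) times that load; when a substation is lost, its load is split among its still-working neighbours, and any neighbour pushed over capacity fails in the next round. The eight-node ring topology, the 100 MW loads, and the margins are constructed for illustration.

```python
"""Added load-redistribution cascade model for a small constructed grid.
Topology, loads and margins are illustrative assumptions, not real grid data."""

from itertools import combinations

# Constructed network: a ring of eight substations with two cross-ties (0-4 and 2-6).
GRID = {
    0: {1, 7, 4}, 1: {0, 2}, 2: {1, 3, 6}, 3: {2, 4},
    4: {3, 5, 0}, 5: {4, 6}, 6: {5, 7, 2}, 7: {6, 0},
}
BASE_LOAD_MW = {n: 100.0 for n in GRID}


def cascade(grid, base_load, margin, initial_failures):
    """Return (failed_nodes, rounds) after the cascade triggered by initial_failures."""
    capacity = {n: base_load[n] * (1.0 + margin) for n in grid}
    load = dict(base_load)
    failed = set()
    wave = set(initial_failures)
    rounds = 0
    while wave:
        rounds += 1
        failed |= wave
        outgoing = {n: load[n] for n in wave}    # snapshot: order within a round must not matter
        for node, mw in outgoing.items():
            alive = [m for m in grid[node] if m not in failed]
            if not alive:
                continue                          # no working neighbour: that demand is simply lost
            share = mw / len(alive)
            for m in alive:
                load[m] += share
        wave = {n for n in grid if n not in failed and load[n] > capacity[n]}
    return failed, rounds


def smallest_collapse_set(grid, base_load, margin):
    """Brute-force the fewest initial failures that take down every node (fine for tiny grids)."""
    nodes = sorted(grid)
    for k in range(1, len(nodes) + 1):
        for combo in combinations(nodes, k):
            if cascade(grid, base_load, margin, combo)[0] == set(nodes):
                return set(combo)
    return set(nodes)


if __name__ == "__main__":
    for margin, hit in [(0.6, {0}), (0.6, {0, 4}), (0.6, {1, 3}), (0.2, {0})]:
        failed, rounds = cascade(GRID, BASE_LOAD_MW, margin, hit)
        print("margin %.0f%%, knock out %s -> %d of %d substations down after %d round(s)"
              % (margin * 100, sorted(hit), len(failed), len(GRID), rounds))
    print("smallest set that collapses the whole grid at 60% margin:",
          sorted(smallest_collapse_set(GRID, BASE_LOAD_MW, 0.6)))
```

Two things the toy shows that the prose only asserts: with a thin margin a single loss brings down everything, and with a healthy margin the pair that collapses the grid is not the obvious high-degree hubs (losing 0 and 4 together is contained) but two ordinary nodes whose shed load lands on the same neighbour. Picking the critical set is the attacker’s real work, which is why the FERC figure is about nine specific substations rather than any nine.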

This is not to say that such an attack would be easy. It wouldn’t be. However, it would be possible with the right malware. Other, smaller countries, like Iran, could be more easily plunged into a doomsday scenario, especially by an adversary who controlled something as powerful as Nitro Zeus. The results would be just as devastating as a nuclear attack. This is why the informant in the Zero Days film (a composite of several insiders, portrayed on screen by an actress) agreed to come forward. She, and others, did not want to participate in an attack that would cause so much ‘collateral damage’. Besides, launching such an attack would be, in effect, distributing the Nitro Zeus malware kit. The U.S. may bring down Iran, at least for a while, but then what? Would Iran or another nation working with them, like their long-term friend, Russia, be able to reverse-engineer the malware to have their own copy? If that happens, we become enmeshed in a cyber cold war where we live in the fear that some unstable dictator or rogue state may get their hands on such a weapon of mass destruction.

For now, the Nitro Zeus program has been put on ice, but Pandora’s Box has been opened, and we’ve officially entered a new era of cyber politics.
