People
Eric Chien
Liam O'Murchu
Vanessa Kirby
Host
Podcast host and content creator focused on electric vehicles and the energy sector.
Topics
Liam O'Murchu and Eric Chien, two security experts at Symantec, discovered the Stuxnet virus in 2010; it could spread via USB drives and infect Windows systems. After in-depth analysis they found that Stuxnet targeted industrial control systems (ICS), specifically equipment used in critical infrastructure. At first they suspected the target was Iran's oil or gas pipelines, but as the investigation deepened they found that Stuxnet's target was the uranium enrichment centrifuges at Iran's Natanz nuclear facility. By analyzing the Stuxnet code together with reports from the International Atomic Energy Agency, they finally determined Stuxnet's sabotage target and method: controlling the rotational speed of the centrifuges so that they passed their resonant frequency and were damaged. During this process they also took note of the assassinations of Iranian nuclear scientists, which indicated that a deeper political conspiracy lay behind the Stuxnet operation. They realized they had been drawn into a dangerous international plot and faced potential threats. After the Snowden leaks and the Shadow Brokers leak, they obtained further evidence confirming that Stuxnet had been jointly developed by the US and Israeli governments under the code name "Olympic Games". The operation successfully disrupted Iran's nuclear program, but it also ushered in a new era of cyber warfare.

Eric Chien also found many anomalies in Stuxnet during the investigation. First, Stuxnet used four zero-day vulnerabilities, which was extremely rare at the time. Second, the Stuxnet code contained strings pointing to Siemens PLCs and WinCC software, indicating that its target was industrial control systems. In addition, the Stuxnet code contained a cut-off date that happened to be the day before President Obama's inauguration, hinting that the operation might be connected to the US government. After consulting PLC experts, they finally determined that Stuxnet's target was the centrifuges used for uranium enrichment. They also found that Stuxnet could precisely control the centrifuges' speed, driving them to their resonant frequency and damaging them. Through the International Atomic Energy Agency's reports they confirmed Stuxnet's damage to Iran's Natanz nuclear facility and realized the enormous political risk behind the operation.

Vanessa Kirby, as the show's host, organized and summarized Liam O'Murchu's and Eric Chien's investigation and gave a comprehensive account of the background, course and impact of the Stuxnet affair. She emphasized the significance of the Stuxnet affair: it marked the arrival of a new era of cyber warfare, as governments began to recognize the enormous potential of cyber attacks and launched their own offensive cyber programs. She also pointed out the current lack of international norms and rules for cyber warfare, which makes the risk of cyber attacks ever higher.

The host gave an overview of the whole affair, interspersed with introductions of the key people and events, so that listeners could better understand the full story of Stuxnet. The host also stressed the major significance of the Stuxnet affair: it not only revealed the enormous destructive power of cyber attacks but also opened a new era of cyber warfare, with governments racing to develop cyber weapons and the international community facing new security challenges.

Chapters
The episode explores the discovery and analysis of the Stuxnet virus, a sophisticated piece of malware designed to target critical infrastructure, particularly in Iran.

Transcript

Welcome to True Spies. Week by week, mission by mission, you'll hear the true stories behind the world's greatest espionage operations. You'll meet the people who navigate this secret world. What do they know? What are their skills? And what would you do in their position?

This is True Spies. There was this ticking time bomb aspect to it where this could shut down electricity, it could shut down water, it could shut down airports, it could cause explosions and it could do that anywhere in the world. This is True Spies. Episode 33: Olympic Games. In 2010, the discovery of a vicious computer virus announced the dawn of a new era of warfare.

One that could be conducted without the firing of a single weapon, but where capacity for destruction knew no bounds. It was the first time we'd ever seen code that could effect change in the real world. This is the story of a piece of code

A series of zeros and ones that would transcend the digital realm and change the geopolitical landscape forever. It could actually make equipment function differently and potentially cause explosions. It's the story of a technological revolution, a watershed moment in the history of modern espionage. And yet the two characters at the center of this tale are not spies. And for them, this story begins as every day does.

with them sitting behind adjoining desks in a run-of-the-mill office space in Los Angeles, California. My name is Liam O'Murchu and I'm a Director with Security Response with Symantec. My name is Eric Chien and I'm a Technical Director at Symantec. Meet Eric Chien and Liam O'Murchu, two cheerful code analysts working at Symantec, a company that sounds more likely to install your new computer than to involve itself in games of international espionage.

But you'd be making a big mistake if you were to judge this book by its cover. Symantec is a powerhouse in the murky world of cybersecurity. This private company deals in software that protects all of us from the constantly growing threat of digital infiltration and exploitation. Banks, governments, regulatory bodies that ensure the execution of fair elections, Symantec counts all of them amongst its clients.

In this world, people like Eric and Liam are known as defenders. In some ways, it is a little bit like the spy world. You know, the best layman's example I can give of what we're doing on a day-to-day basis, it's like we're given some sort of package that is encrypted or coded, and we have to come up with tools to basically decipher it and figure out what is the intention of this blob of data that has been received on your machine.

And it's not written in straightforward English. It's literally in zeros and ones. We're taking zeros and ones and translating them back into sort of real-world behaviors. This work may take place in the digital realm.

But it has more in common with traditional tradecraft than you might think. Often we are tracking attackers where we're trying to figure out where they are, where they're located, why are they doing this, how much money are they making? And we're trying to do this all undercover so that they don't know that we're so close to them or that we're going to catch them or that we have such insight into their operation. In 2010, Liam and Eric would discover just how high the stakes could climb in this digital game of cat and mouse.

when they stumbled directly into the most ambitious act of cyber warfare ever recorded. Yet this wasn't always such an ominous business, and Liam and Eric never chose to enter into such a dangerous world. So I started off interested in security when I was in college. This was around 1995.

Another student in university released a worm onto the university network. So when you went to use your workstation, a window would pop up with 10 questions and they were questions from Lord of the Rings and things like that. And if you didn't answer those 10 questions correctly, you couldn't get onto your computer.

I just thought this was absolutely fascinating. And I started digging in to understand how did it work and who had written it and where had it originated and how could it spread and how could you defeat it? I got bitten by the bug at that stage of security and particularly viruses and analyzing code. That was it then. I just wanted to do that for my career. In their early years at Symantec, at the start of the 2000s,

Most of the threats that Eric and Liam encountered weren't much more threatening than that Tolkien pop quiz. The vast majority of things we were protecting people from were things like mass mailing email worms or things that were trying to steal people's credit card numbers. 99 out of 100 things were that, or even more, you know, 999 out of 1,000. These were the activities of cyber gangs and bored teenagers, out to make a quick buck in the unregulated hinterland of this new digital age. But

We were starting to see just on the edges some different types of attacks. And they were primarily actually coming out of China. And they were probably believed to be sort of the first more nation-state likely attacks. These attacks accounted for a tiny minority of cases. But they taught Liam and Eric an important lesson.

It was becoming crucial that they could recognize these new, different kind of attacks when they saw one. We would see like an infection in a hotel or a bunch of hotels in a region. And we might just think, oh, I don't know, they're just going to go after some sort of money situation in that hotel, try to steal money from them. That sounds plausible, right? There's a lot of money coming in and out of expensive hotels. These attackers must be looking for an easy, lucrative payday. But before you put this case to bed, perhaps you should dig a little deeper.

Step outside the world of zeros and ones for just a moment. Pick up a newspaper. Turn on the TV. You never know where you might find a new dimension to an open and shut case like this one. Liam and Eric started to look more closely. And then... You realize, oh, wait a second. In that time period, the G20 was meeting there. And suddenly you realize, wait a second, they're not really going after the hotels. They're really going after the people who are staying in the hotels.

What Eric and Liam were seeing was the first fumbling gestures of a new breed of espionage, one that took place exclusively in the digital realm and offered nation-states unprecedented opportunities for gathering intel. This type of activity was, for the time being, an outlier in cyberspace. But it wouldn't stay that way for long.

What really changed was about a decade ago, we had this threat Stuxnet. In 2010, a new virus landed on the digital desk of Symantec. I remember clearly receiving the file. It was a Friday afternoon and this report came in from Belarus that they had discovered a piece of software that was very unusual and that was able to spread via USBs. A quick malware 101 for the uninitiated.

A virus usually spreads from computer to computer by tricking you into clicking a link or downloading a file. Once that file is opened, the malware runs and bingo, your device is in the hands of an unknown attacker. A terrifying thought, no? But what Liam is describing here is something even more ominous. This was no regular virus. This was a worm. A piece of malware that could spread itself from machine to machine without its victim needing to do anything at all.

No clicking on a link, no opening a file. This worm simply writhes around undetected, infecting every Windows machine that stood in its path. And it looked like it could even spread via a USB key, one of those little drives you carry around on your keychain to store photos and files.

This was not normal malware behavior. So we received this report, it had an initial analysis of what was happening and then we started to dig in and straight away, you know, red flags just went up as we analyzed the code. Eric and Liam spend all day, every day, looking at viruses. It takes something very special to capture their attention. This threat, which they dubbed Stuxnet, in reference to a couple of decipherable lines in its code, immediately piqued their interest.

The average threat, to be honest, we don't even have to look at as humans. We have machines that can automate them and look at them, understand them, create protection for them automatically. We're getting a million samples every day. Humans aren't looking at everything.

And even the average threat that a human has to look at takes us 10, 20 minutes to look at, understand, create protection for, and then move on to the next thing. And Stuxnet, we spent I don't know how many hours, I mean, we ultimately spent six months looking at it. So you can just see the order of magnitude here is extraordinary. It is really nothing we've ever seen before. And since that time, still nothing we've ever seen since.

It wasn't just the fact that this worm could spread via a USB key that troubled Eric and Liam. As they began to scratch away at Stuxnet, they found some troubling hints at the virus's purpose.

One of the first things we do is we run something called strings, where we just try to find human readable text inside these binary blobs. And we saw these strings that were saying things like Siemens, PLC, WinCC. No idea what those terms mean, but you just Google them. And as soon as you Google them, you realize it is specialized computers that are utilized for critical infrastructure, factories, power plants, you know, all of this kind of stuff. So that immediately was like, what is this?

It was clear to us from the code that it was physical equipment that was being targeted. We'd never seen this in code before, and it was clear that this piece of software was going to have a real physical damage possibility in the real world. And that was kind of mind-blowing, to be honest with you. Take a moment here to think about the world beyond the lines of code that are filling your screen. You've dealt with malware before, but this is different.

You recognize in this code a new breed of threat. This virus is targeting the machinery that controls energy grids, power plants, transport hubs. Do you have any idea what that means? The worm called Stuxnet might just breach the parameters of cyberspace and cause real destruction in the physical world. So what would you do with this information? For Liam and Eric, the answer was obvious. They looked for backup.

We cooperate in this security world. We weren't necessarily the only ones looking at this thing. And everyone else sort of immediately just put it aside and thought, "Ah, this is probably just some sort of espionage thing." They're trying to steal some documents about how some factory works to improve their process. At the other cybersecurity firms, Stuxnet had already been written off. Just another case of corporate espionage.

If Liam and Eric wanted to carry on pulling at this threat, they had to be prepared to do it alone. We stuck with it, and ultimately, every single day, if not every single hour, there was something brand new that singularly by itself in this threat would have put this threat above and beyond anything we had seen. To understand the scale of some of those discoveries, you'll need to know more about the shadowy space that hackers move in.

In essence, what a cyber-attacker does is look for flaws in software, little portals created in error, that can be exploited to gain entrance to a victim's machine. There are legions of defenders just like Liam and Eric, whose job it is to find these portals and close them, ensuring they can never be exploited again. But some of those flaws remain unknown, and are therefore vulnerable for attack.

Code built to attack one of these previously unregistered flaws is what's known as a zero-day exploit. You can get into someone's computer very easily using these zero days because essentially nobody knows about them. You have a secret key to get onto anybody's machine. A zero-day exploit allows an attacker to stay one step ahead of a defender. It is an extremely valuable piece of code.

It is not uncommon for a new zero-day exploit to change hands on the dark web for hundreds of thousands of dollars. It was extremely rare for Liam and Eric to come across even one new exploit in the course of their work. In that year, that whole year, there were only 12 found total in the whole threat landscape, and four of them turned out to be inside Stuxnet.

Four zero-day exploits meant four opportunities to spread, infect, destroy. Completely undetected. This was unprecedented. Never had so much value been invested into one single virus. It was becoming eminently clear to Eric and Liam that whoever had created Stuxnet had very deep pockets.

And a level of determination that far surpassed your run-of-the-mill cybergang. It started to sink in that this was something that had some geopolitical associations and that was written likely by a government. It was pretty clear that we were stumbling onto something that we had never done before and this was new territory and that we really didn't know how things would turn out. And while they still didn't know who was behind this revolutionary new virus,

Eric and Liam were beginning to get an idea of who its target might be. We have basically sensors all around the world and we could see where the infections were popping up all over the world. And while they were all over the world, they were the vast, vast majority coming out of Iran. Cast your mind back to the year 2010. If you picked up a newspaper on any given day that year, you would have been likely to find some troubling story or another making its way out of Iran.

The country was still reeling from the previous year's election, the highly contested results of which delivered a renewal of power for President Mahmoud Ahmadinejad. The leader of Iran was much maligned in the West for his hardline religious fundamentalism and for his open hostility towards the US and its allies. The explicit purpose of Stuxnet remained shrouded in mystery

But in the volatile political situation bubbling up in Iran, Liam and Eric sensed they might find the answers they were looking for. So we began to follow the news in Iran, especially in regards to critical infrastructure. And one of our first guesses was obviously something related to oil or gas. What happened during that time was there were actually multiple unexplained explosions of gas pipelines coming in and out of Iran. Stop to think this through for a second.

You've just discovered a revolutionary new virus, one that you know has the capacity for real physical destruction. And all signs indicate that this virus is targeting Iran. At the very same time, a series of unexplained explosions are devastating Iran's gas pipelines. It doesn't take a codebreaker to put two and two together here now, does it?

It was interesting analyzing Stuxnet because it was the first time we'd ever seen code that could effect change in the real world. It could actually make equipment function differently and potentially cause explosions. So when we started looking at what was happening in Iran, we saw explosions on gas pipelines. That lined up with what we expected from our initial analysis of the code. And just because Stuxnet was targeting Iran, there were no guarantees its destruction could be contained by national borders.

We didn't know that this code would only affect gas pipelines in Iran. We didn't know if it spread to nearby countries or if it spread to the US. Was it also going to cause explosions at facilities all around the world, in the US, in UK, Germany? So there was real pressure on us to get the analysis done and to understand what was really happening. The truth is, Liam and Eric's pipeline theory was still exactly that, a theory.

And until they could definitively prove Stuxnet's purpose, they couldn't rest. At this point, it becomes scary because we know the capabilities are inside the software, but we really don't know the actual target. Even if the target was in Iran, and it could make something blow up in Iran and literally kill people, we didn't know if maybe it wasn't designed properly. Maybe it had a bug in it, a fault, a mistake in the code that would cause the same thing, for example, to happen in the US. And we had customers calling us going, "Hey, look, I actually found an infection on my Windows computer in my plant. Is it going to shut my plant down? Is it going to cause the pipeline to go off? Is it going to cause the power to go off?" And the reality is we didn't have the answer to that question.

You'll remember that Eric described the process of unpicking malware as a sort of game of translation, where a package of zeros and ones must be converted into their real-world intentions. The real-world intentions of Stuxnet, when translated, appeared to correspond to a machine known as a PLC, or a Programmable Logic Controller.

These are basically specialized tiny computers that are used to control all kinds of critical infrastructures, flipping on pressure switches or adjusting even the lights or making a robot arm move. These tiny computers play a part in everything from air traffic control to the safe operation of amusement park rides. Though Liam and Eric knew that PLCs were the principal target of Stuxnet, they had no idea in which context those PLCs were being targeted.

Did the architects of Stuxnet want to shut down the power grid? Did they want to bring planes crashing out of the sky? The truth is, Eric and Liam simply did not know. What we were able to figure out at that point was that it's going to set this variable, this setting to 1064.

But what does that mean? Does that mean the gas pressure is going to go to 1064? Does that mean a motor is going to spin up to 1064? You know, we could see that then it flips these two things off, sets them to zero, and then these other two things on, it sets those to one. And then it waits a period of time. So we can map out all the code and exactly what it would do on a computer. But what that computer was connected to and what that real world effect was, we didn't know yet.

As is so often the case in stories like these, their breakthrough, when it came, had as much to do with the winds of fortune as anything else. What happened was we were publishing all of our reports online every week. All the while that Liam and Eric were investigating Stuxnet, the virus was spreading to far corners of the world, cropping up in factories and warehouses.

As part of their effort to keep their clients up to speed, Eric and Liam were releasing their findings on a weekly basis. And at the bottom of each of our little reports, we would have a little call to people out there saying that anyone knows anything about critical infrastructures, PLCs, contact us, you know, because we weren't experts in that space. And to be honest, no one really contacted us except for one guy.

One guy who happened to be something of an expert when it came to PLCs. He had a throwaway line in his email. It wasn't even the purpose of his email. And he just said, you know, every device that's connected to these PLCs has a 16-bit identifier, like a little fingerprint code. I was reading this mail in my cube and Liam sits right next to me in the cube. And when we stand up, we can see into each other's cubes. And I popped right up and I said, hey, read this.

Eric and Liam had been puzzling over one such 16-bit code, something they'd uncovered in their first analysis of Stuxnet, but hadn't been able to understand until now. And then when we looked that up, it mapped to these frequency converters, and those frequency converters were used to spin centrifuges. Centrifuges? Frequency converters?

You'll be forgiven for missing out on the eureka moment buried within this discovery. But type the make and model of this specific frequency converter into Google and you'll find a revealing detail. We saw that it had an export control license. So if you wanted to buy this piece of equipment, you needed to have an export control license in order to be able to sell that to certain countries.

Why on earth would something as benign sounding as a frequency converter require such strict regulation? And that was when we discovered that this is a piece of equipment that can specifically be used for uranium enrichment. Since the day this virus landed on your desk, you have known it has a real-world target. And finally, you have found its destination.

The target of Stuxnet is the centrifuge that is employed in nuclear facilities all around the world for the enrichment of uranium. Hello, True Spies listener. This episode is made possible with the support of June's Journey, a riveting little caper of a game which you can play right now on your phone. Since you're listening to this show, it's safe to assume you love a good mystery, some compelling detective work, and a larger-than-life character or two. You can find all of those things in abundance in June's Journey. In the game, you'll play as June Parker, a plucky amateur detective trying to get to the bottom of her sister's murder. It's all set during the roaring 1920s.

And I absolutely love all the little period details packed into this world. I don't want to give too much away because the real fun of June's journey is seeing where this adventure will take you. But I've just reached a part of the story that's set in Paris.

Hello, listeners. This is Anne Bogel, author, blogger, and creator of the podcast What Should I Read Next? Since 2016, I've been helping readers bring more joy and delight into their reading lives. Every week, I talk all things books and reading with a guest and guide them in discovering their next read. What should I read next?

They share three books they love, one book they don't, and what they've been reading lately. And I recommend three titles they may enjoy reading next. Guests have said our conversations are like therapy, troubleshooting issues that have plagued their reading lives for years, and possibly the rest of their lives as well. And of course, recommending books that meet the moment, whether they are looking for deep introspection to spur or encourage a life change, or a frothy page-turner to help them escape the stresses of work, or a book that they've been reading for years.

school, everything. You'll learn something about yourself as a reader, and you'll definitely walk away confident to choose your next read with a whole list of new books and authors to try. So join us each Tuesday for What Should I Read Next? Subscribe now wherever you're listening to this podcast and visit our website, whatshouldireadnextpodcast.com to find out more. Let's return to Iran. There's another important aspect to the story of Iran and its conflict with the West during the 2000s.

A large part of the reason that the US and its allies were so disgruntled by the prospect of another term for the Iranian president was because of his enthusiasm for, and acceleration of, Iran's nuclear program. Under Ahmadinejad, Iran was massively increasing its capacity for uranium enrichment. The ultimate goal, according to Iran's terrified critics in the West, was nuclear armament. Suddenly, it all began to click.

We knew uranium enrichment is a very, very hot topic in Iran and all governments trying to prevent that happening. It fitted in with the pieces that we had in the code. It fitted in with the political story. Talk about doing work that you never expected. The International Atomic Energy Association publishes manuals for inspectors of uranium enrichment facilities and they tell the inspectors exactly what to look for.

And by reading those documents, we were able to then reference the Stuxnet code and we could see, okay, you need 168 of these centrifuges connected in an array. And oh, look here in the Stuxnet code, we have messages being sent to 168 devices. And we were able to go through the entire inspection document and we could map out all of the equipment that we saw in the document back to the instructions that were being sent in Stuxnet, which was amazing.

It was honestly just mind blowing. Stuxnet was never targeting oil and gas pipelines. It was infiltrating Iran's nuclear weapons program. And that's not all. The same online training manual revealed the specific location that Stuxnet wanted to attack. Then we were able to actually not just narrow down to uranium centrifuges, but specifically to Natanz.

Natanz was and is Iran's largest nuclear facility, the central headquarters of their operation to increase capacity for uranium enrichment. So this is the triumphant moment you've been waiting for, right? After countless hours spent scratching away at the dense layers of binary code, your search has led you to the heart of Iran's nuclear weapons program. You have uncovered the endgame of this virus. High fives and congratulations all round, surely?

Or perhaps not. That breakthrough moment for me was a very scary moment. That solidified in my mind that this was a spy operation and that there was a lot of money and a lot of people and a lot of power behind this and that we were, unbeknownst to ourselves up to this point, essentially meddling in that operation. And that made it very real for me. This is your wake-up call.

Up to this point, you've been running on professional instinct. You're simply doing the job that you're paid to do. But have you stopped to think about the consequences of your discovery? Have you considered just how dangerous a game you've been playing? You should think this through before you take your next step. You know, the funny thing, there's obviously that moment, that "Oh my God" moment, but

There was no end to it. Even though you think that's the moment, that's not the moment. The moment then now is, now that I know it's Natanz, what is it doing? Does it just turn it off? What is it doing? Every time we pull on one thread, there's a whole 'nother set of things to go figure out. Eric and Liam nearly had the full picture of Stuxnet's purpose.

But they still didn't know what happened to these spinning centrifuges once they had been infected. We were able to get in touch with some centrifuge enrichment experts and we told them what we saw happening. So they were able to paint the real world picture for us of what would happen in that Natanz plant. And what would happen when Stuxnet triggered would be the centrifuges would basically spin up to 1400 Hz and basically go through something called a resonant frequency.

where the vibrations would build on themselves at that speed such that the tubes would essentially spin so fast and vibrate so much that they would shatter. Boom. Utter devastation. It would have this domino effect.

These arrays of centrifuges all standing up and they would just domino pieces of aluminum would be flying across the room in shattered shards. You know, uranium gas leaking everywhere and literally if there was someone in that room, you know, they likely would have died. This was sabotage. This was not espionage, but it was actually software trying to control equipment, trying to control the centrifuges and break the centrifuges. And that became very real for us because if they were willing to do sabotage, what else were they willing to do?

The gruesome answer to that question came in the form of a news story straight out of Iran. What experts call a precision kill. A nuclear scientist who was a key player in Iran's nuclear program killed in broad daylight. Eric and Liam were used to seeking out context in the news, but this particular story left them shaken to the core.

These Iranian nuclear scientists were driving to work, for example, in their car. And these guys on these motorbikes would pull up very quickly and attach these magnetic sticky bombs to their car. And then they would blow up and literally kill them. Here we are exposing this whole nuclear sabotage operation. And at the same time, they're killing people related to it.

There were five such assassination attempts, four of them successful, between 2010 and 2012 in Iran. Four expert scientists, integral to the development of Iran's nuclear program, neutralized on the most brutal terms possible. This was the other side to the Stuxnet coin, another version of the sabotage written in its code. These attacks made one detail horrifically clear to Liam and Eric.

Whoever was behind Stuxnet, they were willing to go to extraordinary lengths to guarantee the success of their mission. You'll remember that Eric and Liam had been publishing the findings of their investigation online in real time.

They had, to all intents and purposes, loudly declared their intention to uncover who was behind this virus. And in doing so, they now realized they had placed a target on their backs. So putting that together, a sabotage operation, plus if the sabotage doesn't work, there's another plan for assassinations, that really...

up the stakes for us and it made us very worried actually about our own security and how much information we should release and what we should do with the knowledge that we had. You are very, very far out of your element here. Forget corporate espionage or hackers on the hunt for a quick buck. The stakes here are real. Explosions, assassinations, nuclear weapons. Is this really a story you want to follow to its conclusion? It might not end well for you.

After all, nationality and profession don't guarantee immunity in this world. There's a very famous story of the Greece wiretapping incident at the time of the 2004 Olympics where Ericsson and Vodafone equipment was tapped and used for spying. We had followed that operation because there was malicious software used and what was in the news afterwards was some suspicious deaths of some engineers who had been working at Vodafone in relation to that incident.

Eric and Liam were all too aware of the nasty precedent that had been set. When civilians stray into spaces they're not welcome, the consequences can be life and death. They were rattled. Those sort of suspicious deaths were all apparent suicides. And so maybe we were half joking, you know, we would go to lunch during the day and be like, hey, look, you know, we're going into the weekend and if I'm found dead this weekend...

I am not suicidal. But underneath the half jokes, there lurked a very real fear. I'm not exaggerating when I say that when I left the office, I would look under my car. I pulled out of the office parking lot one time, turned right onto the street. And just as I pulled out, this guy in a motorcycle out of nowhere, all dressed in black and a black helmet, comes speeding up right next to me.

And you know, you're just sitting there in your car at that moment, just holding the steering wheel going, "Okay, I hope this isn't it. I hope this isn't it." This might sound like your garden variety paranoia, but you have to remember that Eric and Liam are trained to pick up on unusual activity, to recognize when something's off. And during their analysis of Stuxnet, alarm bells have been ringing all over the place.

I'm Irish but I'm living in Los Angeles so I would make a lot of calls home to Ireland and I had never noticed any interference on my calls. And suddenly around the time of Stuxnet when we started publishing information and it became clear that we were doing a large investigation into Stuxnet, I started to notice unusual activity on all my international phone calls. Taking longer to connect, extra noises, extra static.

And in one case, I made a phone call and somebody picked up the call and answered before the person who had actually called answered. Technical difficulties on a long-distance call. A man dressed in black pulling up beside your car on a motorbike. These tiny moments could mean nothing or they could mean everything.

The timing of it was so suspicious. We knew that there was interest from governments in our analysis and what we were doing. We hadn't got to the crux of Stuxnet yet. We hadn't understood exactly what it was that it was doing. And it was clear that there were people who wanted to know, were we going to get there? Were we going to publish it? What information did we have? Were they exposed? So I have no doubt at all that we were being spied on at that time. These men are not spies and they would never claim to be.

This world of wiretaps and sticky explosives is not their natural habitat. And yet, during the most stressful, dangerous period of their lives, they demonstrated a sense of duty that any operative would take pride in. We had a philosophy of our job is to protect our customers. That was sort of the very thick line of the reason why we needed to continue looking at it.

Their investigation into Stuxnet took them to terrifying new places, to the core of an international conspiracy for sabotage and assassination, and yet never once did they waver in their resolve.

There was a big responsibility to the world. We didn't know initially that it was just targeting Natanz and Iran, where this could shut down electricity, it could shut down water, it could shut down airports, it could cause explosions, and it could do that anywhere in the world. And there was a huge driving force to defend all of those places and to defend critical infrastructure, to defend people, to defend lives. That's a really huge driving factor.

Defending those lives meant carrying on this investigation and answering its final unsolved question: Who was behind Stuxnet? They didn't have the proof they needed, but they were picking up on some hints. Of course we knew if Iran is the target and uranium enrichment is the target, there's only a handful of governments that are likely to be able to do this, that are sophisticated enough, that can write code this good and can have an operation this big.

And their suspicions were only reinforced by some of the details they had uncovered in Stuxnet's code. There was a large configuration file in the code that made it clear to us that there was legal oversight of the operation. In particular, there was one date in there, it was a cut-off date, and it was one day before the inauguration of President Obama. Why on earth would a renegade virus, designed to infiltrate and ruthlessly attack its target,

potentially killing people in the process, need a cut-off date? And why would that date coincide so precisely with the arrival of a new American president?

That gave us a clear indication that this is a large operation that has legal oversight and for legal reasons they have to end the operation at the end of Bush's presidency and they have to get it re-enabled when Obama becomes president. So that's a very strong indicator to us that it is a US government operation. Bingo. Eric and Liam had uncovered the shocking truth behind Stuxnet. But it was not until years later that they would have their proof.

Since that time, there's been both the Snowden leaks and something called the Shadow Brokers leak. The Shadow Brokers leak was the leak of the tools of the NSA. And there are basically pieces of code in those leaks that marry up to Stuxnet. The final anonymous helper in this game of cat and mouse, a group of hackers who infiltrated America's National Security Agency network and published the tools they had developed for cyber espionage.

Amongst those tools, a virus that bore a shocking resemblance to Stuxnet. This was all the proof Eric and Liam needed. Since those leaks, multiple journalists, citing government sources, have corroborated this version of events. Stuxnet was created by the US government and its chief ally in the Middle East, Israel, with the explicit intention of crippling Iran's nuclear program. Their articles revealed something else.

For the US and Israeli intelligence agencies who had a hand in it, Stuxnet was never called Stuxnet. To them, it was Operation Olympic Games. If their reports are to be believed, Operation Olympic Games was never designed to spread outside of Natanz. That it ended up infecting machines all over the planet was a simple case of human error, a flaw in the code. It was that flaw that ultimately delivered Stuxnet to the hands of Liam and Eric.

and placed two cyber defenders working for a private security company in Los Angeles at the very heart of a profoundly dangerous game of international sabotage. The only question left to answer is whether Operation Olympic Games succeeded in its aim.

We were able to then go back to the IAEA docs once again and those inspector reports, and inspectors were recording every time new centrifuges were brought in and old centrifuges or broken really centrifuges were brought out. And so there were reports from a year prior from the IAEA that they brought out at least a thousand centrifuges. Iran in this and all matters prefers to keep its cards close to its chest.

and the true extent of Stuxnet's damage to the Natanz plant is still cause for speculation in the West. But this report revealed that at least 1,000 shattered centrifuges were removed from the nuclear facility in the year 2009. What this told Eric and Liam was that for at least a year before Stuxnet landed on their desks, this revolutionary virus had been wreaking havoc undetected in the plant.

1,000 broken centrifuges meant a significant dent in Iran's capacity for uranium enrichment and a knockback on their timeline for achieving nuclear armament. The worm called Stuxnet had, for the time being at least, crippled the nuclear capacity of one of the US's greatest enemies. In other words, Stuxnet had been a triumph for its architects. But now, thanks to Eric and Liam's investigation, it had also been exposed.

Surely, now that the US government had been all but caught with a smoking gun in their hands, they would have to retire this piece of code. We expected that the attackers would go away and we would never see these attackers again. And we were completely shocked. My jaw dropped when a year later we saw the same type of code being used in another threat. And for us, it just reinforced the fact that

We're dealing with some very sophisticated attackers who don't particularly care that they've been outed and are just going to continue their operations. And then of course we saw another attack, another operation that had similar code, and another, and another, and we realized that they weren't going away. If there is a moment where you might allow yourself to take a breath, perhaps this is it. The US government has followed your investigation closely.

has charted your progress as you edge closer and closer to the shocking revelation at its core. It has held you between its fingers and wondered whether to squeeze. But ultimately, the architects of this sabotage did not care that they had been outed.

With Stuxnet, they'd made the opening play in a new age of cyber warfare. And neither they, nor their enemies elsewhere, saw reason to stop now. Stuxnet was a watershed moment insofar as before Stuxnet, we were not tracking any known government operations. And now we track hundreds. It opened Pandora's box. Everybody saw that not only can you do this, you can use it for espionage, you can use it for sabotage.

Here's the blueprints of how you do it. And that allowed governments all over the world to start their own programs and to realize the power of what it is that they could do just with code.

If you think about how much money and effort it takes to build a nuclear missile, which is maybe the ultimate in security offense for a nation state. But in today's world, you could maybe have some similar effects by mounting a cyber offensive campaign where you get, you know, five people out of college, you get them to write some digital zero ones and zero code and be able to turn the lights off in a country without having to launch any missiles or infantry or anything.

So it became very obvious to us that all kinds of nation states were going to be launching cyber offensive campaigns. There's a before Stuxnet and an after Stuxnet. Once its potential for damage had been revealed, it could not be unseen.

And before long, digital sabotage became just another everyday aspect of Eric and Liam's work. Russia turned off the power in the Ukraine twice now in the middle of winter. We saw Russian actors on US critical infrastructure, literally at the control panel of a power station where they could have literally flipped the switch. They were taking screenshots. We were able to intercept those screenshots and see the control panel and they had the mouse control to flip things on and off.

So these attacks continue and the stakes are much, much higher now. Because despite the growing frequency of these attacks, we are still wading into uncharted territory. I think some people are surprised to learn there are actually rules to war. There's established international norms for rules to war. Not for quote-unquote cyber war. There are no rules. There are no treaties right now. There are no international norms right now. It's a bit of a Wild West. And in the Wild West, anything goes.

This story has a postscript: In 2020, a full decade after Stuxnet was first uncovered, two news stories arrived in short succession and brought with them a vivid sense of déjà vu. What exactly happened at the Natanz nuclear facility last week? It's a question people in Iran and around the world have been asking since a fire was reported at Iran's main uranium enrichment facility on Thursday.

First, a fire at Natanz's centrifuge assembly facility. And second? Breaking news for you, Iranian state media are saying one of the country's top nuclear scientists has been assassinated. Espionage and sabotage, virus and murder, the digital world and the physical, the lines have blurred once again. For Eric and Liam, news stories like this remind them that the shift is permanent

and that their lives have been altered forever. We are in a world now where cyber warfare exists. And you have to remember, at least in the US, when we talk about critical infrastructure, critical infrastructure is run by private companies that is protected by a private company, such as Symantec, that has two guys like Liam and Eric sitting there making sure that the lights are on every day. I'm Vanessa Kirby.

Join us next week for another brush with true spies. We all have valuable spy skills and our experts are here to help you discover yours. Get an authentic assessment of your spy skills created by a former head of training at British Intelligence for free now at Spyscape.com.