Book review: Countdown to Zero Day

Posted by   Virus Bulletin on   Dec 18, 2014

Kim Zetter's book on Stuxnet is a must-read for anyone interested in malware - or in 21st century geopolitics.

There is a tendency among the media to call every hack 'advanced', to blame every attack on a nation state, and to label every industrial failure as 'cyber'. It is good to approach such stories with a healthy dose of scepticism, yet that doesn't mean that such cases only exist in the realm of fantasy.

Enter Stuxnet: malware written by the NSA, probably with the help of Israel's intelligence agencies, which found its way onto the air-gapped computer systems of a nuclear plant in Iran, where it did serious damage to the centrifuges and thus ultimately to the country's uranium enrichment program.

It was Mikko Hyppönen who said that, with Stuxnet, computer science lost its innocence - like nuclear science had done in August 1945 when nuclear bombs were dropped on Hiroshima and Nagasaki. After that day, the atom bomb was no longer something that could happen: it was something that actually had happened. Likewise, a destructive malware attack on an industrial facility isn't something that could theoretically happen: it is something that has happened, and Stuxnet was the first time we learned about it.

It was thus with much eagerness that I looked forward to reading Kim Zetter's book on Stuxnet, Countdown to Zero Day, which came out last month.

Kim Zetter - Countdown to Zero Day

In her book, the Wired journalist tells the story of Stuxnet from its discovery by Sergey Ulasen (then of VirusBlokAda) and takes us through the slow unravelling of the malware by security researchers, who gradually discovered Stuxnet's purpose.

In doing so, the book focuses not only on the technical details, but it also takes a human interest view by focusing on the researchers themselves. As such, we're taken to Liam O'Murchu's birthday party and to the apartment belonging to Costin Raiu's parents, which was nearly blown up by a young Costin's chemistry experiments (leading to his parents buying him a PC instead, which ultimately led to him becoming one of the world's most brilliant anti-virus researchers).

For that reason alone, the book is worth reading. Stuxnet remains unique among known cases of malware, and understanding what happened is as essential for those working in IT security as the stories of Hiroshima and Nagasaki are for nuclear physicists.

Yet unique as it may be (or not, as there is a real possibility that there are other 'Stuxnets' out there that have not yet been discovered), Stuxnet doesn't exist in a void. Countdown to Zero Day also tells the broader story, providing a number of contexts in which the malware exists.

First, there were the worries of Western nations - in particular those of the United States and Israel - about Iran's nuclear ambitions. I am not the biggest fan of United States foreign policy, but after reading the book I came to understand the challenges US intelligence was facing - wanting to prevent Iran from building nuclear weapons, yet trying to avoid dropping bombs on uranium enrichment facilities. At least I came to understand why the decision to build Stuxnet was made.

While Stuxnet was designed only to target one specific facility, the principle of the malware can easily be turned around and it would be possible for rogue actors to use malware to target 'our' industrial control systems, for various definitions of 'our'. Zetter's book contains a chapter on the history of the security (or, often, lack thereof) of industrial control systems, as well as possible attacks on them.

Those who have followed the story of Stuxnet will know of Duqu ('son of Stuxnet') and related attacks such as Flame and Gauss, each of which gets ample attention in the book. Yet what made Stuxnet stand out, even from these equally advanced pieces of malware, was that it was actually destructive - making it one of the few cases for which that so often misused term 'cyberwar' can be used with some justification.

Zetter describes the long history of cyberwar, which goes back more than two decades, and doesn't fail to mention the heated debate surrounding the sale of zero-day vulnerabilities. Stuxnet contained four such vulnerabilities.

I had high expectations of this book, given both the subject matter and Zetter's reputation as a journalist covering cybersecurity. Yet these expectations were easily surpassed, not just because the book puts Stuxnet in a very broad context, but also because of the style in which it is written, which makes it read like a novel. I was reading the book on a plane, and I was the last person to get up from my seat when it landed, so eager was I to learn what happened next.

What helps make it such a good read is the fact that the book contains many footnotes that provide background information to the story, without interrupting the text.

To paraphrase the book's final words: now that Pandora's digital box has been opened, other cases of destructive cyber attacks may appear at any time. If only because of this, Countdown to Zero Day is essential reading for anyone interested in cybersecurity. Or, for that matter, in geopolitics.

Countdown to Zero Day is published by The Crown Publishing Group, a subsidiary of Random House.

  Symantec's Liam O'Murchu on stage during VB2010 demonstrating Stuxnet with the help of a balloon. Photo: Andreas Marx.

Posted on 18 December 2014 by Martijn Grooten
