Book review: Countdown to Zero Day

Posted by   Virus Bulletin on   Dec 18, 2014

Kim Zetter's book on Stuxnet is a must-read for anyone interested in malware - or in 21st century geopolitics.

There is a tendency among the media to call every hack 'advanced', to blame every attack on a nation state, and to label every industrial failure as 'cyber'. It is good to approach such stories with a healthy dose of scepticism, yet that doesn't mean that such cases only exist in the realm of fantasy.

Enter Stuxnet: malware written by the NSA, probably with the help of Israel's intelligence agencies, which found its way onto the air-gapped computer systems of a nuclear plant in Iran, where it did serious damage to the centrifuges and thus ultimately to the country's uranium enrichment program.

It was Mikko Hyppönen who said that, with Stuxnet, computer science lost its innocence - like nuclear science had done in August 1945 when nuclear bombs were dropped on Hiroshima and Nagasaki. After that day, the atom bomb was no longer something that could happen: it was something that actually had happened. Likewise, a destructive malware attack on an industrial facility isn't something that could theoretically happen: it is something that has happened, and Stuxnet was the first time we learned about it.

It was thus with much eagerness that I looked forward to reading Kim Zetter's book on Stuxnet, Countdown to Zero Day, which came out last month.

Kim Zetter - Countdown to Zero Day

In her book, the Wired journalist tells the story of Stuxnet from its discovery by Sergey Ulasen (then of VirusBlokAda) and takes us through the slow unravelling of the malware by security researchers, who gradually discovered Stuxnet's purpose.

In doing so, the book focuses not only on the technical details, but it also takes a human interest view by focusing on the researchers themselves. As such, we're taken to Liam O'Murchu's birthday party and to the apartment belonging to Costin Raiu's parents, which was nearly blown up by a young Costin's chemistry experiments (leading to his parents buying him a PC instead, which ultimately led to him becoming one of the world's most brilliant anti-virus researchers).

For that reason alone, the book is worth reading. Stuxnet remains unique among known cases of malware, and understanding what happened is as essential for those working in IT security as the stories of Hiroshima and Nagasaki are for nuclear physicists.

Yet unique as it may be (or not, as there is a real possibility that there are other 'Stuxnets' out there that have not yet been discovered), Stuxnet doesn't exist in a void. Countdown to Zero Day also tells the broader story, providing a number of contexts in which the malware exists.

First, there were the worries of Western nations - in particular those of the United States and Israel - about Iran's nuclear ambitions. I am not the biggest fan of United States foreign policy, but after reading the book I came to understand the challenges US intelligence was facing - wanting to prevent Iran from building nuclear weapons, yet trying to avoid dropping bombs on uranium enrichment facilities. At least I came to understand why the decision to build Stuxnet was made.

While Stuxnet was designed only to target one specific facility, the principle of the malware can easily be turned around and it would be possible for rogue actors to use malware to target 'our' industrial control systems, for various definitions of 'our'. Zetter's book contains a chapter on the history of the security (or, often, lack thereof) of industrial control systems, as well as possible attacks on them.

Those who have followed the story of Stuxnet will know of Duqu ('son of Stuxnet') and related attacks such as Flame and Gauss, each of which gets ample attention in the book. Yet what made Stuxnet stand out, even from these equally advanced pieces of malware, was that it was actually destructive - making it one of the few cases for which that so often misused term 'cyberwar' can be used with some justification.

Zetter describes the long history of cyberwar, which goes back more than two decades, and doesn't fail to mention the heated debate surrounding the sale of zero-day vulnerabilities. Stuxnet contained four such vulnerabilities.

I had high expectations of this book, given both the subject matter and Zetter's reputation as a journalist covering cybersecurity. Yet these expectations were easily surpassed, not just because the book puts Stuxnet in a very broad context, but also because of the style in which it is written, which makes it read like a novel. I was reading the book on a plane and I was the last person to get up from my seat when it landed, I was so eager to learn what happened next.

What helps make it such a good read is the fact that the book contains many footnotes that provide background information to the story, without interrupting the text.

To paraphrase the book's final words: now that Pandora's digital box has been opened, other cases of destructive cyber attacks may appear at any time. If only because of this, Countdown to Zero Day is essential reading for anyone interested in cybersecurity. Or, for that matter, in geopolitics.

Countdown to Zero Day is published by The Crown Publishing Group, a subsidiary of Random House.

  Symantec's Liam O'Murchu on stage during VB2010 demonstrating Stuxnet with the help of a balloon. Photo: Andreas Marx.

Posted on 18 December 2014 by Martijn Grooten


Latest posts:

Subtle change could see a reduction in installation of malicious Chrome extensions

Google has made a subtle change to its Chrome browser, banning the inline installation of new extensions, thus making it harder for malware authors to trick users into unwittingly installing malicious extensions.

Paper: EternalBlue: a prominent threat actor of 2017–2018

We publish a paper by researchers from Quick Heal Security Labs in India, who study the EternalBlue and DoublePulsar exploits in full detail.

'North Korea' a hot subject among VB2018 talks

Several VB2018 papers deal explicitly or implicitly with threats that have been attributed to North Korean actors.

Expired domain led to SpamCannibal's blacklist eating the whole world

The domain of the little-used SpamCannibal DNS blacklist had expired, resulting in it effectively listing every single IP address.

MnuBot banking trojan communicates via SQL server

Researchers at IBM X-Force have discovered MnuBot, a banking trojan targeting users in Brazil, which is noteworthy for using SQL Server for command and control communication.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.