Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

A top cybersecurity journalist tells the story behind the virus that sabotaged Iran’s nuclear efforts and shows how its existence has ushered in a new age of warfare—one in which a digital attack can have the same destructive capability as a megaton bomb. 

“Immensely enjoyable . . . Zetter turns a complicated and technical cyber story into an engrossing whodunit.”— The Washington Post
 
The virus now known as Stuxnet was unlike any other piece of malware built. Rather than simply hijacking targeted computers or stealing information from them, it proved that a piece of code could escape the digital realm and wreak actual, physical destruction—in this case, on an Iranian nuclear facility.
 
In these pages, journalist Kim Zetter tells the whole story behind the world’s first cyberweapon, covering its genesis in the corridors of the White House and its effects in Iran—and telling the spectacular, unlikely tale of the security geeks who managed to unravel a top secret sabotage campaign years in the making.
 
But Countdown to Zero Day also ranges beyond Stuxnet itself, exploring the history of cyberwarfare and its future, showing us what might happen should our infrastructure be targeted by a Stuxnet-style attack, and ultimately, providing a portrait of a world at the edge of a new kind of war.

448 pages, Paperback

First published June 3, 2014


About the author

Kim Zetter

5 books, 78 followers

Ratings & Reviews


Community Reviews

5 stars: 3,142 (38%)
4 stars: 3,504 (42%)
3 stars: 1,300 (15%)
2 stars: 185 (2%)
1 star: 40 (<1%)
Christopher Anderson
471 reviews
November 23, 2014
Pretty good for the first 2/3 of the book. Especially interesting if you work in technology. What hurt the book was the last 1/3 of it - in which the author essentially repeated a few things page after page. It was pointless. I have a flaw that makes it very difficult for me NOT to finish a book, and I paid the price on this one.
Edgarr Alien Pooh
331 reviews, 262 followers
April 30, 2021
Countdown to Zero Day is an investigation of the Stuxnet computer virus that was launched in 2009 and secondary versions in 2010. Stuxnet (named by Microsoft) is, to this day, one of the only attacks the world has seen using digital technology. This 'weapon' seemingly came from nowhere to attack the uranium processing plants of Iran, plants that were believed to be producing weapons-grade uranium.

The first 75% of the book investigates just what Stuxnet was and how it worked, seeking out the very computers it needed to infect while 'sighting' others and leaving them be. Let's be honest, this virus was brilliant. It affected only what it needed to, it hid for many months, it tricked Microsoft's Autorun feature to seek it out and run it without crashing the system, it shut itself down when it was done or found a machine it did not want and it had a built-in shelf life. Kim Zetter investigates just how the virus was launched and the response to it by the world's superpowers. If the virus was designed to hide, how was it eventually discovered, and have there been any other related attacks?

Stuxnet interrupted work and slowed the uranium production in Iran down considerably but it is far from the virus we are used to on our home computers and office networks. It did not seek to infect and steal information or finances, it did not shut down computers, and it did not affect production by merely slowing the computer network. Stuxnet basically told the plant workers that the plant was failing.

The last 25% of the book traces the culprits of the Stuxnet launch and looks at what this could mean for the future. Will cyber warfare take over from the physical warfare, is the world ready to handle this type of attack, what has Stuxnet shown us, and the answers to many other questions. Countdown to Zero Day can become quite technical in some places but Zetter does her best to explain the tech talk as we go along. A bit of a geek read, I suppose, but absolutely fascinating.

Amar Pai
960 reviews, 97 followers
March 30, 2015
Honestly, if I were rating the book strictly on its own merits it would only be 3 stars, because it feels like a magazine length article stretched to book form. But 4 stars is lifetime achievement award, because Zetter has been the best mainstream reporter working on this story (and the security beat in general) for a while now. She really gets the details right, and I'm glad a reporter of her caliber tackled this story. I STILL years later am thinking about Stuxnet. It was, and is, an absolutely mind-blowing turn of affairs.

If you're like me and you already know everything about Flame, Duqu, Stuxnet because you're obsessed with the topic, you can probably give Countdown to Zero Day a miss. But if you don't know what any of those things are, buy this book immediately!
29 reviews, 4 followers
December 31, 2014
I began reading Countdown to Zero Day thinking it would be a more detailed exploration of the Stuxnet attack against the Iranian uranium enrichment program. That program is a key part of Iran’s nuclear weapons program as it enables Iran to produce bomb grade uranium. Stuxnet was (is) a worm that sought out target computers controlling the Iranian centrifuges and then assumed control of the centrifuges, interfering with the production of uranium hexafluoride gas and causing the destruction of the centrifuges themselves.

While the book does not provide a detailed description of the malware itself it provides so much more that I had been unaware of; the Iranian nuclear program, nukes and uranium processing, watchdog agencies including IAEA and the CIA. It also covers zero day software exploits, the companies that develop them and the consumers of zero day exploits. It also provides insight into the market for malware and exploits and the security industry that tries to stay ahead of malware.

All in all an interesting story and there were plenty of references that allowed me to find much more detailed information about Stuxnet on the web.

I was surprised that it was pretty much accepted that Stuxnet was the work of the US and Israel with the US providing much of the initial technology for weaponized worms. But after reading the book I can’t imagine the attack being produced by anyone else with the possible exception of the Chinese who are without motive.

I was much more surprised… staggered with the descriptions of stolen signing certificates, and attacks on certificate authorities to obtain certificates that allowed Stuxnet to install kernel mode rootkits. Additionally the attackers obtained Microsoft certs by employing sophisticated exploits that utilized MD5 collisions and predicting the time of certificate issuance. Also attacking Microsoft Update! Crazy stuff that attacks the underpinnings of the internet and how users would go about patching Windows.

This book definitely exceeded my expectations and I think everyone interested in the Internet, the use of digital weapons, nuclear weapons and their control and acquisition will find something of interest in it.
Will Semin
17 reviews, 16 followers
October 7, 2019
For a SOFTWARE engineer of any level, this book has a lot of great ideas to make your code more readable and maintainable. I wish I had DISCOVERED it earlier.
Andrew Obrigewitsch
951 reviews, 165 followers
August 9, 2016
NSA Agent Num 1: So you remember that really bad idea for a weapon that nearly destroyed the planet that we came up with in the 1940s?
NSA Agent Num 2: Yeah, what about it?
NSA Agent Num 1: I have an idea just as bad as that one.
NSA Agent Num 2: Wow, what is it, we better get everyone we can on something that wonderful.
NSA Agent Num 1: We should create a virus that will take control of systems in a facility in another country and destroy them, not only will this show hackers all around the world how to do this, but it will spark off a cyber arms race that any country in the world can join in, not just the rich ones, like those with nuclear bombs. And it will be much harder to track down who has these capabilities than Nuclear Bombs.
NSA Agent Num 2: That's incredible, let's talk to President Bush, I hear he's a real smart guy, I know he will approve it instantly.

And thus we have history and the subject of this book.
Alex Givant
287 reviews, 39 followers
March 18, 2019
Excellent story about Iran's nuclear project and how USA/Israel sabotaged it by all means (including cyber- and physical-attacks on people involved with the program).
Emre Sevinç
177 reviews, 434 followers
February 20, 2022
I remember it like yesterday: watching the news as the mysterious events surrounding Stuxnet unfolded, only to add to the mystery in some aspects. But that was more than 10 years ago!

Then I remember watching "Zero Days", a jaw dropping documentary.

Finally, I had the opportunity to read this excellent book. Top-notch technical journalism! The author managed to pull off a difficult feat: it's not easy at all to write about such a complex technical subject, in addition to describing the socio-political and historical context surrounding it, and still be able to produce a page-turner.

I'm neither a lay person, nor a cybersecurity expert. But I had my share of software & network security incidents and witnessed first-hand how challenging it can be to secure digital systems against countless numbers of known, and more worryingly, unknown, types of digital attacks.

If you are curious about how far the nation states with almost unlimited financial and human resources can go in order to develop complex software to silently penetrate network and software systems, this book is the perfect starting point.

Oh, by the way, some parts reminded me of Cryptonomicon, and this should be considered high praise ;)

Tuna
288 reviews, 5 followers
September 25, 2014
Best nonfiction book of 2014. The entire story of this digital weapon and the aftermath of it, including the new questions raised going forward was a really compelling tell. By making it read like a really intense mystery narrative it transcended the typically dry fact based story that some books about digital technology find themselves in. One part of me while reading wished that the outcome hadn't already been known and that the US could have been successful in keeping Stuxnet under wraps while continuing to thwart the efforts of rogue states' nuclear efforts running haywire. The book was great and all of the footnotes informative and even provocative. Definitely a must read of 2014.
Cliff Mccollum
99 reviews, 2 followers
December 5, 2014
I loved the first 4/5 of the book - in which the real story of Stuxnet is told. The last 1/5 is a somewhat tedious timeline of events without much narrative to support it; while interesting, it wasn't nearly as good as the rest of the book. Still, I can easily recommend this if you are interested at all in Cyber-warfare, computer viruses, or the curious relationship between the US and Iran in the first decade of the 21st century.
Roberto Rigolin F Lopes
363 reviews, 109 followers
June 28, 2015
Here we have a thrilling plot and a very good storyteller. Zetter goes beyond Stuxnet with a vivid narrative of historical, technical and political contexts. The whole thing is entertaining (should also be alarming) because of how the events were knitted together. You may also feel motivated to become an expert in malware analysis. Hoping for peace between Iran and Israel though.
Nick Black
Author of 2 books, 886 followers
December 17, 2014
not a great achievement in research or writing or insight or anything, but a pretty competent assembly of timelines and people. feels like it could have been a much more compelling 35-page michael lewis vanity fair article.
Rob
889 reviews, 581 followers
July 21, 2019
Executive Summary: A bit longer than I'd have liked, going deeper into history on some things than I was interested in, but the tech stuff was pretty fascinating. 3.5 stars.

Audiobook: For fiction I always want a memorable narrator, but for nonfiction someone forgettable is best. I want the story to speak for itself. I thought Joe Ochman fit the bill nicely for me.

Full Review
I'm always fascinated by computer history, and the story behind Stuxnet is both fascinating and terrifying. Here we are many years later and it doesn't seem like computer security has improved all that much.

It's easy to think that Iran just isn't as advanced as the US, and that's how they were susceptible, but the reality is more about the amount of money spent and probably the fear of retaliation. We may never know the full details of Stuxnet, but this book seems to do a pretty good job of not only attempting to put all the pieces together but fill in the history of the events that led to the attack.

As I read this for the technical side, I found my attention drifting at times when she would focus more on the history of Iran and its nuclear program. Overall I'd have liked for it to be a bit shorter, maybe summarizing some of the historical elements more, but still a pretty enjoyable read.
Brian
671 reviews, 290 followers
August 18, 2018
(3.5) Started off well (could've been 4 or 4.5), following the researchers uncovering stuxnet's secrets, then covered a lot of side topics and eventually sort of retold the whole story chronologically with repetition and speculation

Lots of research went into this (resulting in some excellent footnotes--to the point that many of them should've just been included in the main text). I enjoyed the investigative aspect, following VirusBlokAda, Symantec, Kaspersky as they teased apart how the worm spread, how it found and attacked its targets, how it deployed its attack and avoided collateral damage, how it evolved as the attackers got both more sophisticated and more aggressive.

There was some good background on other cyberwarfare, on the Iran nuclear program, on nuclear proliferation in general. A lot of this was of some interest, but definitely off topic of stuxnet and in some cases kind of redundant. I'll take the background stuff though as it was informative. Would've loved even more depth on the inner workings of stuxnet and techniques to uncover them, however.

But about 2/3 in, she starts trying to re-tell the whole thing chronologically. It could've been cool as a chronological narrative from the attackers' point of view, even if she had to do a fair amount of speculation at times where there are hazy dates, hazy actors and other unknowns. But instead, there was kind of a dry coverage of what likely happened, with lots of repetition (kept having deja vu with very specific side notes and even nearly duplicate footnotes). Hard to tell the same story twice in one book without running into problems like this. Probably could've left it at the 2/3 point.

Then there's a section looking at the implications of the deployment and detection of stuxnet and what the future of (cyber)warfare will be. It's interesting (she says 'ironic') to note that as the US government started warning itself and its people of our vulnerability to digital attacks, it was engaging in high stakes digital attacks of its own. Probably related, and we seem to be fortunate that we've had several years' time to make headway protecting critical infrastructure. Not sure we've really capitalized on it however, as it's hard to protect against everything everywhere in the face of high costs for unknown cost avoidance.

Still, on the whole, I learned quite a bit, and have a lot of good Kindle Notes & Highlights to show for it. ;)
Doug Cornelius
Author of 2 books, 31 followers
December 17, 2014
We were in a cyber war with Iran. Kim Zetter unravels the story of Stuxnet, the US computer attack on Iran's nuclear program in Countdown to Zero Day.

A few months ago, I read A Time to Attack: The Looming Iranian Nuclear Threat urging a US military attack on Iran. That book highlighted how Iran had been building a nuclear program for several years. That included several years of centrifuges spinning to extract enriched uranium.

It has taken so long to extract uranium because, according to Zetter, the United States has been running a sophisticated attack on the computer systems that run those centrifuges. The United States and Israel planted sophisticated tools on those computers designed to alter the speeds of the centrifuges and the flow of gas into and out of them.

We have entered an age where warfare can be broken into digital attacks and kinetic attacks. Computer geeks and fighter jocks can both engage with the enemy. Stuxnet was a replacement for dropping bombs on the enrichment facilities.

Zero day refers to an attack using a previously unknown computer security vulnerability. One attack detailed in Countdown to Zero Day used a "god-mode exploit" that was even more potent. For anyone involved in cybersecurity, the book may make you want to curl up in a ball and hide in the corner.

The book is well-written and well-researched. It's always great to grab a book like this that is enjoyable to read and able to explain complicated situations.

The publisher kindly sent me an advance reader copy of the book in hopes of me writing a review. Countdown to Zero Day goes on sale on November 11.
G Bueno
11 reviews, 3 followers
May 19, 2025
The true story of the (computer) virus that was designed to stealthily sabotage Iran's nuclear program.

Being stealthy matters because, if detected, it is "easy" to swap out or eliminate whatever is needed.
Because it is "undetectable," the Iranian scientists waste time and money on other hypotheses.

The level of sophistication of this virus is impressive.

You can count on your fingers how many organizations have that much technical and financial capability.
Colin
8 reviews, 4 followers
September 10, 2020
Super interesting read, really gives a good understanding of the technical side of stuxnet as well as how it has/can impact tension and policies between countries.
Matt Neely
12 reviews
February 6, 2017
Great read on Stuxnet and digital weapons/cyber war. The author did a great job writing a book that is appealing and understandable to non-technical readers while still giving enough details to be of value to someone with in-depth knowledge of cybersecurity. If you want to learn more about these topics this book is a great starting point.
Tucker
Author of 28 books, 225 followers
May 29, 2017
This requires more of a technical background than I have. That is not necessarily a shortcoming of the book, but it is hard to have opinions about things I know that I don't know. A couple weeks after finishing it, I wondered: Is it possible I'd just been tired or unfocused? I picked it up again and opened to a random page:
"Falliere used the key embedded in the malware to decrypt the .DLL and found that it contained all of the same functionality as the legitimate Step 7 .DLL. But it also contained some suspicious code that included commands like 'write' and 'read.' Falliere had seen enough malware in his career to know exactly what he was looking at — Stuxnet's Step 7 .DLL was acting as a rootkit, lurking on the system silently, waiting to hijack, or hook, these functions anytime the system attempted to read or write code blocks to or from the targeted PLCs. Similar to the rootkit in the missile portion of Stuxnet, this one was hooking to the read function to hide something that Stuxnet was doing to the PLCs. It was the first time, as far as he knew, that anyone had created a rootkit for an industrial control system." (p. 117)

If you can handle that, this might be a good book for you, all >400 pages of it. Mostly what I got from it is the delightful phrase "radical skunkworks project." I do not know what that means, but it sounds cool.
Charlie
477 reviews, 217 followers
January 10, 2015
Top grade cyber thriller made all the more fascinating by being real. I'm not a techie at all but Zetter has a real gift of turning often complicated and detailed machine/code babble, into something easy and palatable for a reader like myself.

It really is a great story and we get to see the full scope from its beginnings, inception, its destructive phase and the aftermath. One of the things that was so awesome was the fact that this computer virus actually caused things to physically destroy themselves. It is also scary as hell when you consider the implications and how vulnerable we all actually are. In the wake of recent cyber attacks, it hits home even more so. Go get a copy.

I was given a copy of this book by BloggingforBooks in exchange for an honest review.
Ryan
1,367 reviews, 194 followers
March 19, 2015
An excellent account of Stuxnet. As a subject matter expert employed in the field, I watched this intently as it unfolded, and was familiar with much of the material in the book, but still found it enjoyable and informative. For anyone who hasn't been following Stuxnet and related issues closely, this book would be an excellent introduction. Even without a technical background, it would be easy to follow the human and political implications.


(Second book I've read this year (audible audiobook, in this case, unabridged))
Drill-sergeant Brown
7 reviews, 44 followers
June 16, 2015
The first shot on the bow of any international conflict will probably be some kind of sophisticated cyber attack. This book presents an engaging account of the goings on in the dark web and the dedication of tireless 'security researchers' who spend hundreds of hours making sense of these attacks.
Kit Pang
37 reviews, 9 followers
December 24, 2014
A world that I never knew about. Although, the writing is packed with computer/technology terms in the beginning, this book is worth it.

Read on to see where our society is heading...
Rick Howard
Author of 3 books, 44 followers
July 13, 2025
Operation Olympic Games is the US military code name that refers to the first ever act of real cyber warfare. Many journalists have told bits and pieces of the story since the attacks became public in 2010, but none have come close to telling the complete story. In "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon," Kim Zetter changes that situation. She takes an extremely complicated subject in terms of technical detail, political fallout, and philosophical conundrums and makes it easy for the security practitioner to understand. It is a masterful bit of juggling and storytelling and it's a CyberCanon Hall of Fame inductee.

When she wrote it, Kim Zetter had been at WIRED magazine since 2003. Since then, she has become one of the cyber security community’s go-to journalists to explain what is really happening within the space. When I heard that she was writing a book about the Stuxnet attacks, I was thrilled. I knew if anybody could take on this complicated subject, Zetter could.

One of the annoying truisms of keeping up with cyber security events in the news is that journalists rarely go back and attempt to tell a complete story. When cyber security events occur —like the Target breach, the Sony breach, and the Home Depot breach to name three — news organizations print the big headlines initially and then trickle out new information over the next days and weeks as it becomes available. For cyber security professionals trying to keep up to date on industry news, we rarely get the opportunity to see the big picture in one lump sum. We are not going to get that kind of story in a news article. You need a book to cover the detail, and there have been some good ones in the past.

Mark Bowden’s Worm, another CyberCanon Hall of Fame inductee about the Conficker worm and the cabal that tried to stop it, is one good example. Another is The Cuckoo’s Egg, a CyberCanon Hall of Fame inductee about the first publicly documented cyber espionage attack in the late 1980s. Zetter’s book is the latest in the line and it's really good.

In June 2012, David E. Sanger published an article in The New York Times proclaiming for the first time that the United States, in conjunction with Israel, was indeed behind the infamous Stuxnet malware attacks that targeted the Iranian nuclear enrichment plant at Natanz. Sanger followed that article, along with others, with his book "Confront and Conceal: Obama’s Secret Wars and the Surprising Use of American Power." In that material, he gave details about the cyber operation called Operation Olympic Games, which I consider to be the first act, known to the public, of cyber warfare in the world.

Because the story was so new and so complicated, many of the technical details surrounding the attacks did not fully emerge until well after Sanger published his book. I have tried to keep up with the story myself over the years and even presented versions of it at DEFCON 19 and RSA 2014, but I do not have the journalistic chops to tell the complete story, and this is where Zetter’s book shines.

Whereas Sanger’s book focused on the US foreign policy implications of offensive cyber warfare using government insiders as the main source, Zetter’s book fills in the technical story behind the attacks by interviewing everybody in the public space who was involved in unraveling the Stuxnet mystery. Zetter writes clearly and succinctly about the timing of key researchers discovering new facts, describes how the researchers determined when the attackers first used key pieces of the attack code, and then feathered those technical events with what was happening in the political arena at the same time.

Because of Countdown to Zero, we now have a complete picture of how the attack code worked. Zetter goes into great detail about how the malware proliferated within the Iranian power plant at Natanz and after it escaped into the wild. She puts to bed the question of how many zero-day exploits the attackers used in the complete code set, what they were, and how effective they all were. She covers all of the versions of the malware from Stuxnet, to DuQu, to Flame, and to Wiper. She even covers some of the tools of the trade that the researchers used to decipher the code base.

Zetter also explains the significance of the critical and mostly unsecured supervisory control and data acquisition (SCADA) environments deployed in the United States today. These systems automatically control the flow of all power, water, and gas systems used within the United States and throughout most of the world. According to Zetter,

"There are 2,800 power plants in the United States and 300,000 sites producing oil and natural gas. Another 170,000 facilities form the public water system in the United States, which includes reservoirs, dams, wells, treatment facilities, pumping stations, and pipelines. But 85 percent of these and other critical infrastructure facilities are in the hands of the private sector, which means that aside from a few government-regulated industries—such as the nuclear power industry—the government can do little to force companies to secure their systems."

In my experience, the SCADA industry has always been at least 10 to 15 years behind the rest of the commercial sector in adopting modern defensive techniques, and Zetter provides a possible explanation for this delay:

“Why spend money on security, they argued, when none of their competitors were doing it and no one was attacking them?”

The significance of that statement becomes obvious when you realize that the same kinds of programmable logic controllers, or PLCs, that Israel and the United States exploited to attack Iran are deployed in droves to support the world’s own SCADA environments. The point is that if the United States can leverage the security weaknesses of these systems, then it is only a matter of time before other nation-states do the same thing and the rest of the world is no better defended against them than the Iranians were.

In a broader context, Countdown to Zero highlights some philosophical conundrums that the cyber security community is only now starting to wrestle with. We have known about these issues for years, but Zetter’s telling of the story makes us reconsider them. Operation Olympic Games proved to the world that cyber warfare is no longer just a theoretical construct. It is a living and breathing option in the utility belt for nation-states to use to exercise political power. With Operation Olympic Games, the United States proved to the world that it is possible to cause physical destruction of another nation-state’s critical infrastructure using nothing but a cyber weapon alone. With that comes a lot of baggage.

The first is the intelligence dilemma. At what point do network defenders stop watching adversaries misbehave within their networks before they act to stop them? By acting, we tip our hand that we know what they are doing and how they are doing it. This will most likely cause the adversary team to change its tactics. Intelligence organizations want to watch adversaries as long as possible. Network defenders only want to stop the pain. This is an example of classic information theory.

I first learned about information theory when I read about the code breakers at Bletchley Park during WWII. Because the allies had broken the Enigma cipher, the Bletchley Park code breakers collected German war plans before the German commanders in the field received them, but the Allies couldn’t act on all of the information because the Germans would suspect that the cipher had been broken. The Allies had to pick and choose what to act on. This is similar to what the Stuxnet researchers were wrestling with too. Many of them had discovered this amazing and dangerous new piece of malware. When do they tell the world about it?

The next conundrum involves the national government and vulnerability discovery. Zetter discusses the six zero-day exploits used by Operation Olympic Games in the attacks against Iran. That means that the US government knew about at least six high-impact vulnerabilities within common software that the entire nation depends upon and did nothing to warn the nation about them. If another attacker decided to leverage those vulnerabilities against the United States’ critical infrastructure in the same way that the United States leveraged them against Iran, the results could have been devastating. The nation’s ethical position here is murky at best and criminal at worst. Added to that is the well-known practice of the private sector selling zero-day exploits to the government. Should the government even be in the business of buying weapons-grade software from private parties? Zetter offers no solutions here, but she definitely gives us something to think about.

Zetter fills in a lot of holes in the Stuxnet story. In a way, it is a shame that it has taken five years to get to a point that the security community feels like it understands what actually happened. On the other hand, without Zetter putting the pieces together for us, we might never have gotten there. I have said for years that the Stuxnet story marked the beginning of a new era for the cyber security community. In the coming years, when it becomes common practice for nation-states to lob cyber attacks across borders with the intent to destroy another nation’s critical infrastructure, we will remember fondly how simple defending the Internet was before Stuxnet. Zetter’s book helps us understand that change. She takes a complicated subject and makes it easy to understand. Her book Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon is cyber-security-canon worthy, and you should have read it by now.

No Magic Pill
76 reviews, 6 followers
November 1, 2019
A thoroughly-researched book that examines both the Stuxnet virus and cyberwarfare policy individually, as well as their crossroads as it relates to the modern era.

Zetter's descriptions and explanations of all things technical are phenomenal. From the uranium-enriching centrifuges to zero-day computer exploits to SCADA, they are simplified enough for the layperson to understand without sacrificing information. Little to no technical background is required to understand the technology discussed, although it certainly doesn't hurt.

The book details the investigation (and obsession) of Stuxnet by a select number of security researchers and firms spread across the world. Zetter describes the researchers' process into dissecting the incredibly complex Stuxnet code (I suggest reading through this link, as Symantec was one of those "select number of security researchers and firms") and how they were finally able to understand its final payload.

U.S. cybersecurity and cyberwarfare policy, general cyber "philosophy" (for lack of a better term), and the legality of cyber operations are also discussed. Should zero-day exploits be able to be sold to the highest bidder, whether that be a nation-state or terror group? Do zero-day researchers have an obligation to disclose said exploit to the respective software? How should we respond to zero-day offensives aimed at the U.S.? (Hint: depending on the severity of the attack, it may be considered an act of war, and you don't want to be on the wrong side of America when that happens.) Zetter describes what the U.S.' current policy is towards these questions and what discussions are taking place, albeit behind closed doors.

Even if you don't care about the Stuxnet virus or its impact, the cyber aspect of the book is extremely important to understand in this day and age. Our lives are becoming ever more electronically interconnected (phones connect to computers to cars to refrigerators (wait, what?) to watches), and with it come vulnerabilities. While those are small-scale connections, compromising large-scale systems has the potential to kill individuals and ravage society: economic markets, power grids, transportation networks, healthcare systems, and computing centers. While there is little ordinary citizens can do to help prevent this, it helps to be informed on issues like this.
Dale Lehman
Author 12 books, 167 followers
March 29, 2019
This is the story of the first and so far only digital weapon to be used. Stuxnet played havoc with centrifuges used by Iran to refine uranium for its nuclear program, a program many feared was intended to produce nuclear weapons. The story is far more complex and convoluted than you may have read in the news, and it raises profound questions about government policy and the future of warfare. Kim Zetter, Wired's award-winning journalist, takes us down the rabbit hole to explore what is known--and what is not--about the development, use, and future of cyberweaponry.

I'm tempted to give this book five stars, but some parts of it may be too heavy for some readers. I don't fault Zetter for this. It's the subject matter. She does a great job of explaining without dumbing down the material, but for all that my wife wasn't able to get past the first couple chapters. So be forewarned, some of it may overtax you. But if you can persist through to the end, you'll be astonished by the revelations and receive a great deal to think about.
Eco
384 reviews, 2 followers
November 26, 2024
My end thoughts bring to mind three clichés about this fascinating tale:

1: “the art of the slow reveal”
To ensure that I did not work during lunch, I read this book in 20-minute segments since the beginning of the school year. There were many times I wanted to bring the book home and finish it, but I persevered in using it as my lunch reading.
Now, I need a new book.

2: “I told you so”
While no longer part of the intelligence community, I had an inkling of what might be going on when this all came out in the news. And perchance, even had known some of the engineers.

3: “it’s not paranoia if they’re really out to get you”
COMSEC has always been big with me. As a result, I have been very reluctant to spread an electronic footprint. Unfortunately, some jobs forced me to have a footprint bigger than I like. It’s not being a Luddite, it’s being secure.

I recommend the book to anyone interested in a fascinating recap of history.
Sandro
90 reviews, 9 followers
August 24, 2018
Thankfully I have found a little non-fiction gem in this book. Recently I have been trying to revitalise my interest for non-fiction books which started out quite badly with another book I dnf'ed. This book, however, read like a crime novel, based on journalistic expertise. At times, I struggled with the abbreviations the author used (one of which is "ISIS" standing for Institute for Science and International Safety, a quite unfortunate choice of abbreviation in hindsight). However, as a whole, the book and its elaborations on the connections between cybercriminality and warfare are thrilling and immensely relevant.