The Stuxnet worm was part of a US cyberweapons programme called ‘Olympic Games’ sanctioned by President Obama to attack Iran’s nuclear facilities that unexpectedly escaped the country’s enrichment plants, a forthcoming book will claim.
If the account offered in The New York Times by David E. Sanger is accurate, we live in extraordinary times. Long nailed on the door of the US Government and possibly Israel, this is the first account of any factual provenance that says, yes, Stuxnet was what it always appeared to be; a way for the allies to disrupt the Iranian nuclear programme.
First, the less controversial part of the story; what happened.
According to Sanger's unnamed US, European and Israeli sources, Stuxnet hit the Iranians in waves up to 2010, nixing at least 1,000 out of 5,000 centrifuges in the Natanz nuclear enrichment plant.
The degree to which this caused the Iranians problems in their alleged nuclear weapon development remains a matter of speculation although Stuxnet clearly hit home against poorly-defended systems.
Now for the more startling part of the story – the plan had explicit Presidential approval.
The plan to develop such cyber-weapons targeting Iran and its programme dated back to the later years of the Bush administration in 2006. During that time, what later became known as Stuxnet was dubbed “the bug”.
Tested against nuclear centrifuges (given to the US by Libya) identical to those used by Iran, the bug did its job well and then some. As has been suspected for other alleged cyber-weapons, the attack vector was USB thumb drives, the simplest way to sneak malware into sensitive facilities.
By the time President Obama was in office, new variants of the attack had been devised and deployed, but something went badly wrong. An Iranian engineer took an infected USB drive drive with ‘Stuxnet’ on it to another machine and it started to spread beyond Iran. Eventually the world noticed and the rest of a matter of public record and mostly paranoid speculation.
US commanders blamed the Israelis (a partner on the programme) for creating a bug in the software that allowed Stuxnet to mis-recognise systems beyond Natanz as targets; eventually Obama and vice president Biden were told of the leak.
“Should we shut this thing down?” President Obama is reported to have said on discovering that the cat had poked its claws out of the bag. Eventually the decision was taken to keep going with Stuxnet on the basis that it might cause more trouble with the Iranians.
Two years later and at least two other pieces of possible cyber-weapon malware have been identified, Duqu (apparently closely related to Stuxnet and discovered in 2011) and Flame, publicised only this week.
Stuxnet’s targeting of industrial control systems has long been pinned on the US and Israel on the basis of motivation and the latter two pieces of malware are also seen as being as the handiwork of these countries. More cyber-weapon malware will surely be discovered in time.
The danger, of course, is that other countries will be emboldened by the US programme to release disruptive malware of their own. This is not to say that such malware doesn’t exist already, merely that the price for using it in terms of embarrassment has now come down. If Stuxnet is seen as making powerful cyber-weapons mainstream, it might soon be seen as legitimate and normal for countries to undermine each other using software.
Is the account offered plausible? Some will doubt it - or some of it - but at least some details are already known, including the use of thumb drives to attack Natanz. Either way, Sanger's book, Confront and Conceal is published next week.