
Bits before bombs: How Stuxnet crippled Iran’s nuclear dreams


The future of warfare may have just begun, but rather than being heralded by an explosion, it began without a sound or a single casualty.

It is the first of its kind, and could be a signal of the way all wars are fought from now on. It is a cyber weapon so precise that it can destroy a target more effectively than a conventional explosive, and then simply delete itself, leaving the victims to blame themselves. It is a weapon so terrible that it could conceivably do more than just damage physical objects: it could kill ideas. It is the Stuxnet worm, dubbed by many the world’s first real weapon of cyberwarfare, and its first target was Iran.

The dawn of cyberwarfare

Stuxnet is almost like something out of a Tom Clancy novel. Rather than sending in missiles to destroy a nuclear plant that threatens the entire region and the world, and is overseen by a president who has claimed that he would like to see an entire race of people “wiped off the map,” a simple computer virus can be introduced that will do the job far more effectively. To attack a structure with missiles can lead to war, and besides, buildings can be rebuilt. But to infect a system so completely that the people using it begin to doubt their faith in their own abilities will have far more devastating long-term effects.

In a rare moment of openness from Iran, the nation has confirmed that the Stuxnet malware (the name stems from keywords buried in the code), originally discovered in July, has damaged the country’s nuclear ambitions. Although Iran is downplaying the incident, some reports suggest that the worm was so effective it may have set back the Iranian nuclear program by several years.

Rather than simply infect a system and destroy everything it touches, Stuxnet is far more sophisticated than that, and far more effective as well.

The worm is smart and adaptable. When it enters a new system, it remains dormant and learns the security system of the computer. Once it can operate without raising alarm, it then seeks out very specific targets and begins to attack certain systems. Rather than simply destroy its targets, it does something far more effective—it misleads them.

In a nuclear enrichment program, a centrifuge is a fundamental tool needed to refine the uranium. Each centrifuge built follows the same basic mechanics, but the German manufacturer Siemens offers what many consider to be the best controllers in the industry. Stuxnet sought out the Siemens controllers and took command of the way the centrifuges spin. But rather than simply forcing the machines to spin until they destroyed themselves—which the worm was more than capable of doing—Stuxnet made subtle and far more devious changes to the machines.

When a uranium sample was inserted into a Stuxnet-infected centrifuge for refinement, the virus would command the machine to spin faster than it was designed for, then suddenly stop. The results were thousands of machines that wore out years ahead of schedule, and more importantly, ruined samples. But the real trick of the virus was that while it was sabotaging the machinery, it would falsify the readings and make it appear as if everything was operating within the expected parameters.

After months of this, the centrifuges began to wear down and break, but as the readings still appeared to be within the norms, the scientists associated with the project began to second guess themselves. Iranian security agents began to investigate the failures, and the staff at the nuclear facilities lived under a cloud of fear and suspicion. This went on for over a year. If the virus had managed to completely avoid detection, it eventually would have deleted itself entirely and left the Iranians wondering what they were doing wrong.

For 17 months, the virus managed to quietly work its way into the Iranian systems, slowly destroying vital samples and damaging necessary equipment. Perhaps worse than the damage to the machinery and the samples was the chaos the program was thrown into.

The Iranians grudgingly admit some of the damage

Iranian President Mahmoud Ahmadinejad has claimed that Stuxnet “managed to create problems for a limited number of our centrifuges,” which is a change from Iran’s earlier assertion that the worm had infected 30,000 computers but had not affected the nuclear facilities. Some reports suggest that at the Natanz facility, which houses the Iranian enrichment program, 5,084 of the 8,856 centrifuges in use were taken offline, possibly due to damage, and that the plant has been forced to shut down at least twice due to the effects of the virus.


Stuxnet also targeted the Russian-made steam turbine that powers the Bushehr facility, but it appears that the virus was discovered before any real damage could be done. If the virus had not been uncovered, it would eventually have run the turbine RPMs too high and caused irreparable damage to the entire power plant. Temperature and cooling systems have also been identified as targets, but the worm’s effects on these systems aren’t clear.

The discovery of the worm

In June of this year, the Belarus-based antivirus firm VirusBlokAda found a previously unknown malware program on the computer of an Iranian customer. After researching it, the antivirus company discovered that it was specifically designed to target Siemens SCADA (supervisory control and data acquisition) management systems, which are used in large-scale industrial control. The first clue that something was different about this worm was that once the alert had been raised, every company that tried to pass on the alert was subsequently attacked and forced to shut down for at least 24 hours. The methods and reasons for those attacks are still a mystery.

Once the virus had been discovered, companies like Symantec and Kaspersky, two of the largest antivirus companies in the world, as well as several intelligence agencies, began to research Stuxnet, and found results that quickly made it obvious that this was no ordinary malware.

By the end of September, Symantec had discovered that nearly 60 percent of all the infected machines in the world were located in Iran. Once that had been discovered, it became more and more apparent that the virus was not designed simply to cause problems, as many pieces of malware are, but had a very specific purpose and a target. The level of sophistication was also well above anything seen before, prompting Ralph Langner, the computer security expert who first discovered the virus, to declare that it was “like the arrival of an F-35 into a World War I battlefield”.

How it worked

Stuxnet specifically targets Windows 7 operating systems, which is, not coincidentally, the same operating system used at the Iranian nuclear power plant. The worm uses four zero-day attacks and specifically targets Siemens’ WinCC/PCS 7 SCADA software. A zero-day vulnerability is one that is either unknown to the manufacturer or unannounced by it, so no patch yet exists. These are generally system-critical vulnerabilities, and once they are discovered, they are patched immediately. In this case, two of the zero-day vulnerabilities had already been discovered and were close to having fixes released, but the other two had never been discovered by anyone. Once the worm was in a system, it then began to exploit other systems on the local network it was targeting.

As Stuxnet worked its way through the Iranian systems, it was challenged by the systems’ security to present a legitimate certificate. The malware then presented two authentic certificates, one from the circuit manufacturer JMicron and the other from computer hardware manufacturer Realtek. Both companies are located in Taiwan just blocks away from each other, and both certificates were confirmed to have been stolen. Because a valid signature from a trusted vendor is normally taken as proof that code is legitimate, these authentic certificates are one of the reasons the worm was able to remain undetected for so long.

The malware also had the ability to communicate via peer-to-peer sharing when an Internet connection was present, which allowed it to upgrade as necessary and report back its progress. The servers that Stuxnet communicated with were located in Denmark and Malaysia, and both were shut down once the worm was confirmed to have entered the Natanz facility.

As Stuxnet began to spread throughout the Iranian systems, it began to target only the “frequency converters” responsible for driving the centrifuges. Using variable-frequency drives as markers, the worm looked specifically for drives from two vendors: Vacon, which is based in Finland, and Fararo Paya, which is based in Iran. It then monitors the drive frequencies, and only attacks if a system is running between 807 Hz and 1210 Hz, a fairly rare operating band that explains how the worm could so specifically target Iranian nuclear plants despite spreading around the world. Stuxnet then sets about altering the output frequency, which affects the connected motors. Although at least 15 other Siemens systems have reported infection, none have sustained any damage from the worm.
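The two behaviours described above, falsified operator readings while the real drive speed is pushed outside its band and then stopped, point to a defensive check that does not trust the controller’s own telemetry. The following is an added illustration, not code from the article or from any Siemens product: it compares the frequency the HMI reports with a reading from an independent sensor the controller cannot tamper with, and alarms on divergence, on excursions outside the 807-1210 Hz band quoted above, and on abrupt speed changes. The sensor data, the nominal 1000 Hz setpoint and all thresholds are constructed for the example.

```python
"""Cross-check drive telemetry against an independent sensor (added example)."""
from dataclasses import dataclass

# Operating band (Hz) quoted in the article for the targeted drives.
BAND_LOW, BAND_HIGH = 807.0, 1210.0
# Constructed thresholds: tolerated HMI/sensor disagreement and the largest
# change between consecutive samples considered normal for this process.
DIVERGENCE_HZ = 20.0
RATE_HZ = 100.0


@dataclass
class Sample:
    t: int               # seconds since window start (constructed)
    reported_hz: float   # value the PLC/HMI shows the operator
    measured_hz: float   # value from an independent tachometer/power monitor


def scan(samples: list[Sample]) -> list[tuple[int, str, str]]:
    """Return (time, alarm_kind, detail) tuples for every anomaly found.

    Three checks run on each sample:
      divergence    - HMI value and independent sensor disagree
      out_of_band   - independent sensor outside the drive's operating band
      abrupt_change - independent sensor jumped by more than RATE_HZ
    """
    alarms: list[tuple[int, str, str]] = []
    prev: Sample | None = None
    for s in samples:
        delta = abs(s.reported_hz - s.measured_hz)
        if delta > DIVERGENCE_HZ:
            alarms.append((s.t, "divergence",
                           f"HMI {s.reported_hz:.0f} Hz vs sensor {s.measured_hz:.0f} Hz"))
        if not BAND_LOW <= s.measured_hz <= BAND_HIGH:
            alarms.append((s.t, "out_of_band", f"sensor {s.measured_hz:.0f} Hz"))
        if prev is not None and abs(s.measured_hz - prev.measured_hz) > RATE_HZ:
            alarms.append((s.t, "abrupt_change",
                           f"{prev.measured_hz:.0f} -> {s.measured_hz:.0f} Hz"))
        prev = s
    return alarms


# Constructed window: the HMI keeps showing a steady 1000 Hz while the
# independent sensor sees a ramp above the band followed by a sudden stop,
# which is the pattern the article attributes to the worm.
SAMPLES = [
    Sample(0, 1000, 1001),
    Sample(60, 1000, 1002),
    Sample(120, 1000, 1200),
    Sample(180, 1000, 1410),
    Sample(240, 1000, 2),
    Sample(300, 1000, 1000),
]

if __name__ == "__main__":
    for t, kind, detail in scan(SAMPLES):
        print(f"t={t:>3}s  {kind:<14} {detail}")
```

The divergence check is the one that matters most here: band and rate checks on the HMI value alone would stay silent, because that value is exactly what the worm controls.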

To first reach the nuclear facility, the worm needed to be brought into the system, possibly on a USB drive. Iran uses an “air gap” security model, meaning the facility’s network has no connection to the Internet. This might explain why the worm spread so far: the only way for it to infect the system was to target a wide area and wait, Trojan-like, for an Iranian nuclear employee to receive an infected file away from the facility and physically bring it into the plant. Because of this, it will be almost impossible to know exactly where and when the infection began, as it may have been brought in by several unsuspecting employees.

But where did it come from, and who developed it?

Suspicions of where the worm originated are rampant, and the most likely single suspect is Israel. After thoroughly researching the virus, Kaspersky Labs announced that the level of attack, and the sophistication with which it was executed could only have been carried out “with nation-state support”, which rules out private hacker groups, or even larger groups that have been using hacking as a means to an end, such as the Russian Mafia, which is suspected of creating a Trojan worm responsible for stealing over $1 million from a British bank.

Israel fully admits that it considers cyberwarfare to be a pillar of its defense doctrine, and the group known as Unit 8200, an Israeli defense force considered to be the rough equivalent of the United States’ NSA, would be the most likely group responsible.

Unit 8200 is the largest division in the Israeli Defense Force, and yet the majority of its operations are unknown; even the identity of the Brigadier General in charge of the unit is classified. Among its many exploits, one report claims that during an Israeli airstrike on a suspected Syrian nuclear facility in 2007, Unit 8200 activated a secret cyber kill switch that deactivated large sections of the Syrian radar.

To further lend credence to this theory, in 2009, Israel pushed back the date of when it expects Iran to have rudimentary nuclear weaponry to 2014. This may have been a result of hearing of problems, or it could suggest that Israel knew something no one else did.

The U.S. is also a prime suspect, and in May of this year, Iran claimed to have arrested 30 people it said were involved in helping the U.S. wage a “cyber war” against Iran. Iran has also claimed that the Bush administration funded a $400 million plan to destabilize Iran by using cyber attacks, and that the Obama administration has continued that same plan and even sped up some of the projects. Critics have stated that Iran’s claims are simply an excuse to stamp out “undesirables”, and the arrests are one of many points of contention between Iran and the U.S.

But as the virus continues to be studied and more answers emerge regarding its function, more mysteries are being raised about its origins.

According to Microsoft, the virus would have taken at least 10,000 hours of coding, and taken a team of five people or more, at least six months of dedicated work. Many are now speculating that it would require the combined efforts of several nations’ intelligence communities all working together to create the worm. While the Israelis might have the determination and the technicians, some are claiming that it would require the United States’ level of technology to code the malware. To know the exact nature of the Siemens machinery to the extent that Stuxnet did might suggest German involvement, and the Russians may have been involved in detailing the specs of the Russian machinery used. The worm was tailored to operate on frequencies that involved Finnish components, which suggests that Finland, and perhaps NATO is involved as well. But there are still more mysteries.

The worm was not detected because of its actions at the Iranian nuclear facilities, but rather as a result of the widespread infection of Stuxnet. The central processing core of the Iranian nuclear processing plant is located deep underground and is totally cut off from the Internet. For the worm to infect the system, it must have been brought in on a staff member’s computer or flash drive. All it would take is a single employee to take work home, then return and insert something as innocuous as a flash drive into a computer, and Stuxnet would begin its silent march to the specific machinery it wanted.

But the question then becomes: Why did the people responsible for the virus develop such an incredibly sophisticated cyberweapon, and then release it in what is arguably such a sloppy method? If the goal was to remain undetected, the release of a virus that has the ability to replicate at the speed that it has shown is sloppy. It was a matter of when, not if, the virus would be discovered.

The most likely reason is that the developers simply didn’t care. To plant the malware more carefully would have taken far more time, and the transmission of the worm into the specific systems might take much longer. If a country is looking for immediate results to halt what it might see as an impending attack, then speed might trump caution. The Iranian nuclear plant is the only infected system to report any real damage from Stuxnet, so the risk to other systems seems to be minimal.

So what next?

Siemens has released a detection and removal tool for Stuxnet, but Iran is still struggling to remove the malware completely. As recently as November 23, the Iranian facility of Natanz was forced to shut down, and further delays are expected. Eventually, the nuclear program should be back up and running.

In a separate, but possibly related story, earlier this week two Iranian scientists were killed by separate but identical bomb attacks in Tehran, Iran. At a press conference the following day, President Ahmadinejad told reporters that “Undoubtedly, the hand of the Zionist regime and Western governments is involved in the assassination.”

Earlier today, Iranian officials claimed to have made several arrests in the bombings, and although the suspects’ identities have not been released, Iran’s Intelligence Minister has said “The three spy agencies of Mossad, CIA and MI6 had a role in the (attacks) and, with the arrest of these people, we will find new clues to arrest other elements.”

The combination of the bombings and the damage caused by the Stuxnet virus should weigh heavily over the upcoming talks between Iran and a six-nation confederation of China, Russia, France, Great Britain, Germany, and the U.S. on December 6 and 7. The talks are meant to continue the dialogue regarding Iran’s possible nuclear ambitions.

Ryan Fleming
Former Digital Trends Contributor