Just a few months ago, U.S. and Israeli officials were warning that Iran was a year away from having the capability to rapidly build a nuclear weapon. Speculation was intensifying that Israel would launch airstrikes to prevent that from happening.
But as the new year dawned, Western officials, with little fanfare, significantly revamped their estimates of Iran’s nuclear progress.
Israel’s strategic affairs minister, Moshe Yaalon, said Dec. 29 that the Islamic Republic was at least three years away from a bomb. This month, the retiring head of Israel’s intelligence service, Meir Dagan, went further, saying Iran wouldn’t be able to develop a nuclear warhead before 2015 at the earliest.
A few days later, Secretary of State Hillary Rodham Clinton also downplayed Tehran’s progress, saying, “Their program, from our best estimate, has been slowed down” because of “technological problems.”
People who study computer warfare for a living have no doubt about what’s behind these reappraisals: Stuxnet, a game-changing computer worm that may herald a new era of shadowy digital combat.
Identified in June, Stuxnet is being called the most sophisticated cyber weapon ever unleashed, because of the insidious way in which it is believed to have secretly targeted specific equipment used in Iran’s nuclear program.
Computer experts have examined the worm for months, and many believe Stuxnet was created by Israel or the United States as part of a covert effort to hamper Iran’s alleged drive for an atomic weapon. But the extent to which the operation succeeded had remained unclear.
In recent weeks, however, a rough consensus has emerged that Stuxnet has had a measurable effect. In addition to the remarks from U.S. and Israeli officials, the Institute for Science and International Security, an independent think tank, judged in late December that Stuxnet appears to have “set back Iran’s progress.”
Stuxnet “will undoubtedly reshape international security and foreign policy forever,” said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, a nonprofit research organization that studies cyber conflict. “It’s a tipping point that will usher in a cyber-defense revolution in military affairs.”
By wreaking havoc on gas centrifuges — spinning machines that separate isotopes to produce enriched uranium, which at higher levels can be used for nuclear bombs — the Stuxnet worm seems to have inflicted significant damage on Iran’s nuclear program, cyber experts say, with none of the dangerous repercussions of a U.S. or Israeli airstrike, at least so far.
“This is a really good example of what cyber war looks like,” said former White House terrorism advisor Richard Clarke, author of “Cyber War: The Next Threat to National Security and What to Do About It.” “It’s a precision-guided munition.”
The worm’s slow-motion trajectory, its ability to secretly seize control of machinery and the fact that its authors remain unknown offer lessons for the future of high-tech warfare.
Stuxnet is not the first apparent state-sponsored cyber attack: Other examples include a massive disruption of websites in Estonia in 2007 after a dispute with Russia, and the use of digital trickery to fool Syria’s air defenses when Israel bombed an alleged nuclear facility there in 2007.
But in those cases, it became fairly clear who was responsible. Stuxnet is the most significant development yet in the realm of cyber conflict, Bumgarner said, because of the lack of attribution. Although Iran would have been expected to respond ferociously to an Israeli or U.S. airstrike, no response has been forthcoming to Stuxnet, perhaps because Tehran can’t be sure of the culprit.
“Stuxnet takes it to a different level because … Iran doesn’t know who to retaliate against,” he said.
Stuxnet also proves it is possible to use malware to seize control of equipment that runs all sorts of features of a modern economy, from power grids to chemical plants. The U.S. and its allies have that capability, but so do Russia and China, experts say.
And Stuxnet may remain a persistent thorn in Iran’s side, said German expert Ralph Langner, who first disclosed that Stuxnet had targeted Siemens equipment used in Iran’s nuclear program.
In an e-mail, Langner said the Iranians would have to replace all the computer systems in their nuclear program to be sure they were rid of the worm, a tall order for a country under trade sanctions.
The full extent of the damage to Iran’s nuclear equipment wrought by Stuxnet is a matter of speculation. Other than limited international inspections, the outside world has almost no access to information about Iran’s nuclear program. Iran, which says its nuclear program is intended for peaceful purposes, has refused to comply with a U.N. Security Council order that it stop its uranium enrichment program.
Iranian officials acknowledge that the complex malware snaked its way into industrial software used to operate centrifuges in the Natanz nuclear facility and went undetected for a year. As of Sept. 29, after which Iran took action that made further assessment impossible, Stuxnet had infected 100,000 hosts worldwide, 60,000 of which were in Iran, according to a detailed report on the worm by Symantec, a computer security company.
According to the Institute for Science and International Security, 1,000 of about 8,000 centrifuges at Natanz had to be replaced in late 2009 and early 2010. In mid-November, Iran temporarily halted enrichment at Natanz because of technical problems with its centrifuges, according to the International Atomic Energy Agency, the U.N.’s nuclear watchdog.
Experts aren’t sure why the malware seems to have caused damage to some, but not all, of the centrifuges at Natanz, allowing Iran to continue to enrich uranium, albeit at a slower pace. Some experts have speculated that the worm’s creators intentionally limited its effect to avoid detection. Others theorize that it was designed to send a message as much as to destroy centrifuges.
Iranian leaders downplay the worm’s damage. President Mahmoud Ahmadinejad said Nov. 29 that outside powers had “succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts.”
Israeli and U.S. media reports since 2009 have quoted intelligence officials alluding to covert sabotage programs by both countries against Iran’s nuclear program. But neither country acknowledges creating Stuxnet, and not every expert believes either of them did.
One prominent cyber war authority, Jeffrey Carr, has written a white paper suggesting China may have been behind it. Nor can Russia be ruled out, said Joel Brenner, a former senior counsel at the National Security Agency, which is deeply involved in offensive and defensive U.S. cyber operations.
One thing is clear, experts say: The worm is far too sophisticated to have been cooked up by basement hackers.
Stuxnet made use of four “zero day” vulnerabilities, openings in Microsoft Windows operating systems that were not previously known. Criminal hackers, the usual suspects when it comes to malware, could have used such vulnerabilities to generate millions of dollars in illicit revenue by stealing banking and credit card information, which is one reason experts believe Stuxnet was the work of an intelligence service. Instead of making money, as some malware does, it cost money.
“This was written for one purpose,” Bumgarner said. “Sabotage of national critical infrastructure.”
Now that Stuxnet is in the public domain, experts are deeply concerned that hackers, criminals or terrorist groups could use some of the vulnerabilities it reveals to attack systems that control power grids, chemical plants and air traffic control.
“The attackers created a weapon that they used in a very specific way, but you can copy the attack technology and use it in a very generic way,” said Sebastian Linko, spokesman for Finland’s Vacon, whose power control units, which are used in Iran’s nuclear program, are sought out by the worm. “This is the most scary part about Stuxnet.”