Stuxnet, the worm that targeted Iran's nuclear facilities, was created by US and Israel

Iranian President Mahmoud Ahmadinejad inspects centrifuges at a uranium enrichment plant.

Reporting for the New York Times, David Sanger confirms what internet security researchers suspected all along: Stuxnet, the worm that targeted computers in Iran's central nuclear enrichment facilities, was a US/Israeli project and part of an expanded effort at cyberweaponry by the Obama administration.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

Read the full story here. Don't miss the related infographic that explains, in simple steps, how the secret cyberwar process operated.

Related reading: Why did antivirus firms fail to detect phenomena like Stuxnet, and the more recent Duqu and Flame, for so long? Writing for Wired's Threat Level blog, Mikko Hypponen explains. "The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets."

The Washington Post reports on plans to further expand US cyberwarfare. And a response in Time: on this matter, the American public is being played by the Pentagon.



    1.  I came here to say “well, Duh!”, but you found a Much more interesting way of conveying the concept, kudos.

  1. I’m sure now that the program is public, the administration will move quickly to establish guidelines for how it will be used moving forward.  I’m sure they’ll want to arrange a process for congressional approval and justice department oversight.  What qualifies countries for being targeted?  Can the president decide to use it against China if they veto something in the U.N. security council?  Can he use it against domestic organizations?  Corporations?  The EFF? Facebook users who post certain keywords?  I’m glad all these questions will be promptly addressed.

    1. Don’t worry, the US Govt. hasn’t and most likely won’t publicly acknowledge Stuxnet. The NYT article’s alleged sources are not named. The US will not even have to pass a law to use “cyberweapons” against internal dissidents.

  2. “The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets anything that hasn’t already infected someone else for which they now have a signature.”

  3. I’m not a fan of Iran nor desirous of nuclear weapons spreading any more than they have.

    I don’t think government malware attacks was the way to go here. The US has said before that it would consider such an attack as an act of war if perpetrated upon us.

    So WTF? Which clown decided that it was okay to possibly cause a radioactive incident?

    Fucking governments are more trouble than they are worth.

    1. .. / …. .- …- . / … — …- . .-. . .. –. -. – -.– / .. -. / — -.– / … -.- ..- .-.. .-.. .-.-.- / -… ..- – / -.– — ..- / -.-. .- -. .—-. – / -.-. — — . / .. -. .-.-.-

      1.  I dunno, they can read brain waves and see decisions being made before a person knows they’ve made them. I reckon a brain is like a computer, once you’ve lost physical security, consider your data breached.

    2. Agreed. If Iran does develop nuclear weapons, we’ll never know whether it was already going to or because of these acts of war against it.

  4. Mr. Member Of The President’s National Security Team Who Was In The Room is always a reliable source. Not quite as reliable as that Beltway power couple, the Current And Former American European And Israeli Officials. And of course no one has the inside track like Burt A. Range Of Outside Experts or Franklin Participant In Many Situation Room Meetings.

  5. How about a class-action lawsuit from large companies that had to expend additional resources to ensure they are safe from a government-created virus? The industry I work in (lumber and pulp production) uses similar and identical PLCs as were targeted at the Iranian nuclear facility, and it was a real concern over our vulnerability.

  6. You know, it’s funny. For years now, we have been hearing outcry about “cybersecurity” and “the upcoming cyber-war”. It turns out the guilty dog barks loudest. The first weapons-grade cyber-attack was sent by us!

  7. For the tl;dr crowd, there’s one thing hilarious, and one thing manipulative you can take away.

    The Hilarious: The US government tested a bunch of code out on shitty centrifuges nearly identical to the Iranian ones. Where did the US government get them? Why obviously from AQ Khan by way of Qadaffi. When they gave up their WMD program, they gave the US the same centrifuges that all of the AQ Khan network were getting. How funny is that?

    The Manipulative: In the article it’s stressed repeatedly that Israel was so closely involved because they were seconds away from bombing Iran the whole time. “It totally made them feel really comfortable and in charge and stuff. Seriously, if we hadn’t made Stuxnet with them, they totally would have hauled off and dropped some serious ordinance. We swear. I mean, it must have worked, as you’ve yet to have had bombs dropped on strategic locations, right? Right?”

  8. Now how could a plan like that possibly backfire?   We’ve got nothing to worry about!

  9. so open criminal behaviour by the US once again…and americans still wonder why everyone hates them? your government is made up of charalatans and criminals.

    1. Judging a whole nation based on the actions of a few?  I would NEVER do that to you.  I couldn’t bring myself to find examples of the worst citizens of your country and apply that to a whole, diverse nation.

      Unless you’re French, or Canadian.  In that case, you’re a real jerk, you know that? A complete knee-biter.

      :gets back into spaceship and leaves Dent at his cave:

      1. In general, that’s a fair point.

        However, an even fairer point is that The Govt of Country X = Country X. When the Govt of Country X behaves like international asshats, it’s fair to call Country X asshats. /Especially/ when the reason for calling Country X asshats is explicitly linked to the govts actions.

        The vast majority of my interaction with the US is related to your govts efforts to fuck things – companies, countries, people, institutions – over on the international stage.  You voted for those fuckers. If you don’t like being called an asshat, then stop fucking voting for them and their continued fuckwittery.

        1. You voted for those fuckers.

          Your assumption has a >45% chance of being inaccurate.

          1. ‘you’ = USA
            There may or may not be an overlap with the personal ‘you’

            If you need a more detailed explanation, see the second paragraph of my previous post.

    2. Since when is action by your government against what it considers a hostile government criminal? Which police force are you going to call? Exactly which law was broken, and under what jurisdiction?

      Additionally, while I’m sure there are some small-minded bigots in the world who hate “americans” in general, most of the people I’ve met internationally feel nothing of the sort.

      Additionally-additionally, please point me to a government that isn’t made up of charlatans and criminals. No, really. Please point me to one so I can take my family there.

      1.  There’s breaking the law, and there’s breaching ethical mores. Every nation engages in some kind of clandestine spy program, but something on this scale is going to hurt America’s image, a Lot.

        1. I understand the distinction, and agree that the wrong moves can hurt your reputation internationally. I was specifically responding to peterblue11’s comment that this was criminal, and that it was why “everyone” hates Americans. I think it probably had the desired primary effect on the governments of hostile nations: i.e. “oh shit”. Of course, it has probably begun an arms-race mentality far and wide, which would be a negative secondary effect.

    3. Uh huh, I’m sure the politicians in your country are the picture of propriety.

      ‘Cause corruption is an American art form like jazz and corn-based food substitutes.

  10. Assumed that when news first posted. Who else would a) be concerned b) have the means, c) have the nerve?

  11. It’s all fun and games until you’re the one reporting to the disintegration room.

  12. Only four countries had the technical know-how to develop the Flame virus: “Israel, the U.S., China and Russia.”
    Since the virus was obviously intended for Iran, we can eliminate its friends China and Russia.
    This leaves only Israel and us.
    Having thoroughly demonized Iran, anything we do to it has become fair game.
    But there is nothing fair or right about taking another country’s data. Certainly we would not want China or Russia taking our data and spreading it to 80 separate servers.
    As a leader of the world community aspiring for governance through universal fairness, we can no longer afford to follow the beaten path of expediency chosen by Israel.  Doing so will not only deprive us of our moral authority, but will also squander our unique opportunity to fashion a more just and fair world.

  13. No one has ever died from a cyber virus. I like this alternative better than a troop invasion. 

    I can’t wait for major government agencies to start handing each other secret notes on paper again. Soon, it may be against protocol to email, cyber chat,  text, twit, leave voice mails and the such. It’s all going old school baby!

  14. Hey everybody, I’d just like to point out that you are reading an electronic newspaper with a headline about governments using a computer virus to shut down a nuclear programs.  Congratulations, we’re officially all cyberpunks.

  15. Comparing this situation to another country infecting the U.S. government’s own computer system is extremely disingenuous. Iran has been sanctioned by the U.N. five times since 2006, yet continues refusing to allow weapons inspectors into its facilities and continuing its uranium enrichment program. If the U.S. repeatedly violated international sanctions and standards, then yes, other countries would be completely justified in crippling its government’s computer systems to prevent or slow further violation. 

    1. Comparing this situation to another country infecting the U.S. government’s own computer system is extremely disingenuous. Iran has been sanctioned by the U.N. five times since 2006

      When you refer to the UN, do mean that same UN that allows the US to veto things even if every other country on the planet votes for them?

      1. I’m not going to defend the U.N.’s effectiveness; their veto rules are insanely counterproductive. But it should be pointed out that even Russia and China, which also hold veto power, have agreed to the sanctions on Iran despite their countries’ cozy relationships with it. If anything, the fact that the U.N. managed to pass sanctions at all shows just how united the international community is on the matter of Iran’s uranium enrichment program.

      2. When the Brazilian ambassador  Sérgio Vieira de Mello suggest an inspection for Iran, Israel and US, people kicked him like a dog to Iraq, where he lost his life…

  16. Follow up:

    I would like to clarify that my above comment does mean that I would have been completely OK with another country, say…France, sending a virus to the U.S.’s network too, if it could have prevented or slowed the U.S.’s illegal invasion of Iraq. So it cuts both ways.

Comments are closed.