Stuxnet: The Cyber Weapon That Destroyed Iran's Nuclear Programme

The year was 2007. Dutch engineer Erik Van Sabben entered an empty and quiet factory room at Iran’s Natanz nuclear enrichment facility. He set his tools down and got to work.

Van Sabben was a brave and focused man, willing to take risks, but even he could not comprehend how great a risk he was taking in that very moment. Once he finished, he wiped the sweat from his brow and exited the room to go about his day. Although nobody suspected him, Erik Van Sabben was not just the industrial engineer he claimed to be, but also an international spy.

He knew his orders. What he did not know was that he had just changed the rules of warfare forever. Not only that, but he would be dead less than two years later.

What Van Sabben had just done was upload a computer virus to the Natanz nuclear enrichment facility in Iran. Soon, this digital worm would be considered one of the most incredible pieces of malware to ever exist. A plot to slow down Iran’s nuclear enrichment programme was unearthed, and a US-government-backed hacking organisation that went unnoticed for at least 15 years was exposed.

The Discovery of Natanz and Washington’s Growing Alarm

In August 2002, the National Council of Resistance of Iran, a revolutionary organisation seeking to overthrow the Iranian government, exposed the existence of the Natanz facility. With this announcement came the realisation that Iran was further along their long-awaited nuclear journey than most had thought. In 2003, the Iranian government formally announced the facility’s existence, with then President Ahmadinejad citing a need for 50,000 centrifuges to be installed at the uranium enrichment plant.

They, of course, did not call it a uranium enrichment plant, stating that the use of the plant was to generate nuclear power for their country, that they had peaceful intentions, and that the uranium there was only enriched to less than 5%, in line with civilian nuclear power stations. The IAEA, or International Atomic Energy Organisation, were not convinced. Neither was Washington.

Natanz is 100,000 square metres of facility, buried eight metres underground, with two-and-a-half-metre-thick concrete walls. It would go on to have its roof hardened, and 22 metres of extra earth dumped on top of it. The Iranians wanted to make sure that this was not simply a facility that could be bombed from the air or attacked with kinetic means.

Washington’s worries were heightened by Iran’s failure to fully cooperate with the IAEA, by not allowing their inspectors access to the control room, obscuring what equipment they used. The CIA had been on a campaign to sabotage Iran’s nuclear systems for years. They introduced faulty parts, flawed designs, and even modified power supplies to explode when operated.

In reality, these efforts did little to slow Iran’s path to nuclear armament. If Washington failed to stop Iran before it was too late, they would have enough enriched uranium to construct nuclear warheads. Worse still, Israel could start an armed conflict with Iran, as Israel sees a nuclear-armed Tehran as an existential threat to its existence.

This would destabilise the Middle East even more than it already was in 2003. The United States had just invaded Iraq; they did not have a leg to stand on demanding Iran’s nuclear non-proliferation while failing to find WMDs in Baghdad. There had to be a way to get inside Iran’s facilities and disrupt them without a shot being fired.

That is when General James E. Cartwright, the then leader of a small cyber operation inside of US Strategic Command, had an idea. That idea would go on to eventually become Stuxnet.

Targeting the P-1 Centrifuges and the Birth of Operation Olympic Games

In 2004, the governments of Israel and the United States began trying to understand what the weak link would be in the Iranian facility that they could target with a cyber-attack. There was only one real answer: the centrifuges. Due to their function — to spin at extremely high speeds — the destructive capability of the centrifuges could be catastrophic to the Iranian nuclear programme.

Centrifuges are complicated technology and expensive to replace; it would slow the Iranians down drastically if they could somehow use a digital weapon to take them offline en masse. To do this, Israel and the US needed centrifuges, the same ones Iran used at the time: the P-1. The P-1 was a nuclear centrifuge design that Abdul Qadeer Khan, the father of the Pakistani nuclear programme and perennial nuclear proliferator, leaked to the Iranian government in the late 1980s.

Thankfully for the United States and Israel, they knew this due to the IAEA inspections. They also knew that the P-1 was poorly designed and prone to flaws. When Gaddafi gave up Libya’s nuclear ambitions in the late 1990s and early 2000s, they sent the P-1s they had to the USA.

From there, they made replicas for testing. Israel succeeded with much difficulty in mastering the technology also. Israel’s P-1s were studied at the Shimon Peres Nuclear Research Centre in the Negev desert, also known as Dimona, as it was already the epicentre for the worst kept secret in geopolitics — the Israelis’ own nuclear programme.

As early as 2005, there were hallmarks of code found in the final versions of Stuxnet, showing that may have been the year that development began on the virus. It was a joint venture by the Israeli and American governments set up under the George W. Bush administration, known under the monicker Operation Olympic Games.

The Israeli Defence Force’s Unit 8200, the specialised intelligence arm of the Israeli army, was the partner the US needed. Unit 8200 is an equivalent to something like the NSA in the US, with specialisms in cyberwarfare, counterintelligence, and surveillance. Many of their soldiers have gone on to found successful IT companies in Silicon Valley and are even known to rival NASA for technical expertise.

This, plus their partnership with the United States and their proximity to Iran, made them the perfect partner. Washington almost always has an ulterior motive. The US valued Israel as it gave them plausible deniability, and someone to blame, in case of discovery.

Another reason for bringing Israel along would be to prevent armed conflict between Israel and Iran. It was believed that Iran would have enough enriched uranium to manufacture a nuclear weapon by March 2011, and at the time, a third enrichment plant was being planned by the government in Tehran. Israel therefore needed to be involved in the project to be convinced to stave off bombing Iran and causing another conflict in the Middle East.

The virus began development, but Stuxnet was not its name yet. The US simply called it “the bug.” Together with international sanctions, Mossad’s assassinations, and the CIA’s acts of sabotage, a coordinated campaign of disruption was running parallel to the Iranian enrichment programme at every turn.

Stuxnet was simply a part of it.

Erik Van Sabben and the Infiltration of Natanz

In 2005, the Netherlands’ intelligence agency, the AIVD, recruited Erik Van Sabben to eventually infiltrate the Natanz enrichment facility. Van Sabben’s wife was Iranian, and the company he worked for regularly did business with Iran’s oil and gas industry, making him a perfect person to visit an Iranian nuclear facility. He had the credentials as a Westerner without suspicion.

Why ask the Dutch intelligence service for an American and Israeli operation? It was at the request of the Americans. Van Sabben would have been more likely to do clandestine work for his own country than for a foreign power, and whilst he was a good candidate to enter Iran, it may be that the Americans wanted more separation from the event for extra plausible deniability.

Iran’s nuclear infrastructure was separated from the internet entirely — in cybersecurity, this is called an “air gap” — making it impossible to breach from the outside. This is why the operation required someone to physically enter the facility to infect the systems. It does appear, thanks to journalists at de Volkskrant after a two-year investigation, that many of those who took part in the Stuxnet plan were not always given the full picture about what operation they were a part of.

It is not out of the question to assume that Van Sabben may not have understood the full extent of his actions until after the fact. The Dutch government were kept entirely in the dark by their intelligence service, and even the AIVD themselves were not fully aware of what they were helping with. One source admitted, “we should have asked more questions.”

In April 2006, Iran successfully enriched uranium for the first time from the Natanz plant, after telling the IAEA that it would no longer be complying with its protocols or inspections in February. This set off alarm bells to the US and its allies. A nuclear-armed Iran was and is one of the most potentially dangerous threats to Western nations.

Washington and Jerusalem pushed forward.

Stuxnet Unleashed: The Digital Weapon Inside Natanz

In 2007, the enrichment facility at Natanz was first attacked by Stuxnet after Erik Van Sabben had successfully planted the worm. There is some contention over how the virus was introduced to the Natanz plant. Some say it was done via an ordinary USB stick, because the earliest versions of the Stuxnet virus required a USB stick to infiltrate systems.

This is corroborated by an unnamed architect of the virus who was alleged to have said, “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.” However, there is reason to believe that the virus was introduced to the computers of water pumps that were then installed by Van Sabben. Even today, there is still no definitive answer about how exactly Stuxnet entered the Iranian systems at Natanz.

At first, absolutely nothing happened. But that is exactly what the US and Israelis wanted. Quietly in the background, without being noticed, the lesser-known initial Stuxnet attack was beginning.

The virus used what was called a “beacon” to secretly draw an electrical blueprint of the plant, hoping to map the operations and understand how the computers controlled the centrifuges. It would send this map back to the programmers in the US, establishing a link for the virus to be updated remotely. In 2008, PLCs, or Programmable Logic Controllers, were discovered to be used by the Iranians.

The Iranians’ computers used the Windows operating system, alongside software and hardware made by the German computer and software giant Siemens. They also make PLCs, which are essentially computers made for industrial automation, like factory assembly lines. They are used all over the world, from oil pipelines and electrical power grids to nuclear plants.

The US power grid runs off them, and so did the centrifuges at Natanz. In early 2008, Siemens cooperated with the US national laboratory in Idaho to identify the vulnerabilities of their PLCs. Siemens could never have expected what their secrets would be used for.

Now the US had a blueprint of the facility, the ability to update Stuxnet from within, and the vulnerabilities of the computers that ran Iran’s centrifuges. Stuxnet is one of the most complex pieces of malware ever constructed. The worm used what are called “zero-day” exploits — exploits in systems that were not previously known to their developers.

To find one zero-day exploit is remarkable. Stuxnet used four. Once updated, the virus got to work.

It searched throughout the Iranian computer systems, scanning each computer for the specific Siemens software it was looking for and other criteria. When the criteria were met, it would immediately drop its payload, taking control of the PLC and the centrifuge it spun by modifying the code. It would then duplicate itself and search for up to three other computers to infect.

Meanwhile, it would record normal monitoring levels, which would be sent back to the Iranians on a loop, and all malicious files would be hidden. A small number of centrifuges would start to spin at a much higher rate than they usually would, then slow down and speed up again, damaging the motors, eventually causing them to fail.

Escalation Under Obama and the Death of Van Sabben

The US and Israel had successfully attacked Iran’s nuclear enrichment facility from the inside. They had slowed Iran down, but only a fraction. There was no centrifuge explosion or huge catastrophe just yet, but the power and destructive potential of Stuxnet was clear.

In late 2008 and early 2009, George W. Bush, the presidential architect of Stuxnet, left office, urging incumbent president Barack Obama to continue Operation Olympic Games at all costs. President Obama not only continued the programme — he accelerated it.

New versions of Stuxnet came as each attack helped them hone the next. On January 16th, 2009, two weeks after Van Sabben visited his family in Iran but left early in an unexplainable panic, he was riding his motorcycle in Dubai when it left the road and overturned, breaking his neck and killing him. No foul play was suspected by those at the scene, seemingly ruling out a revenge attack.

Van Sabben’s death appears to be an unfortunate accident, but nobody can know for certain. Meanwhile, Stuxnet was wreaking havoc secretly within Natanz. At first, the Iranians did not suspect a thing, except their centrifuges continuously breaking.

No two attacks were exactly alike in how they affected the systems, or what part would be forced to fail, further helping mask the virus. The Iranians did not trust their equipment, and given the shoddy design of their centrifuges, they were right not to. Eventually, the Iranians did suspect sabotage.

They began to look everywhere but found no evidence of tampering within the systems. Employees were fired, investigations launched, and precautions taken, and yet the attacks continued on and off until at least 2010. During this time, one fifth of Iran’s nuclear enrichment capability tore itself apart.

Almost 1,000 centrifuges were damaged and had to be replaced as part of the Stuxnet attacks.

Stuxnet Escapes: The Worm Spreads Across the Globe

During 2010, a bug in the code of a new Stuxnet update caused it to gain access to the internet. One of Stuxnet’s main priorities is to spread to other computers, and it used the internet to spread exactly how it did in the Natanz plant, unknowingly infecting computers all over the world. Stuxnet infected 200,000 computers across the globe and caused 1,000 machines to physically degrade, although it is generally believed the number is higher, as there was no way of knowing how many other systems not connected to the internet had been infected.

From Russia to India, Iraq, Indonesia, and many more, the weapon once described as a “marksman shot” turned out to have the impact and spread of the very nuclear bombs Washington was trying to stop being constructed. The US blamed the Israelis for the bug that caused the breach. Then Vice President Joe Biden was furious, saying the Israelis had gone too far.

The US were concerned that it was just a matter of time before Stuxnet was discovered, and that this would embolden enemies of the US to retaliate with cyber weapons of their own. But the cat was already out of the bag, and the US had no other way to directly slow down Iran’s enrichment ambitions, so President Obama chose for the attacks to continue. In July 2010, a Belarussian cybersecurity company was helping an Iranian client whose computer would not stop rebooting.

The company delved into the code of the machine to discover the bug causing it to misfire. They could not believe what they discovered — the most sophisticated malware ever made, and the code within it, was there for all to see. This discovery is where the name Stuxnet was first coined, based on lines within the code.

From there, Symantec and the Kaspersky group, among others, delved into Stuxnet’s code to solve the mystery of where it came from. In late 2010, Iran’s President Mahmoud Ahmadinejad broke the Iranian regime’s silence about the worm’s impact on its enrichment program, saying a cyberattack had caused “minor problems with some of our centrifuges.” “Fortunately, our experts discovered it,” he added.

Up until this point, the Iranians had claimed no serious damage had been done to their centrifuges.

Evidence of US and Israeli Involvement

Since Stuxnet’s discovery, there have been several clues and outright statements which indicate why a joint US-Israeli operation was the most likely origin of the malware. In 2011, an American expert on nuclear intelligence told the New York Times, “The reason the worm has been effective is that the Israelis tried it out,” all but confirming a collaboration on the programme. Among other clues in the code referencing Israel, the size and complexity of the code meant that only a nation-state actor could bear the estimated $1-billion cost of developing the malware, and a rich one at that.

It was 50 times larger than a standard computer worm; nobody had ever seen anything like this before. Gary Samore, the White House Coordinator for Arms Control and Weapons of Mass Destruction during the Obama administration, commented at the time of discovery, “We’re glad they [the Iranians] are having trouble with their centrifuge machine and that we — the U.S. and its allies — are doing everything we can to make sure that we complicate matters for them,” offering a subtle acknowledgement of the United States’ involvement in Stuxnet. Since the Stuxnet attack on the Iranian enrichment facility at Natanz was revealed to the world, Washington’s push against Iran’s nuclear ambitions has been constant.

In the years since Stuxnet initially hit, other cyber-attacks, assassinations, sabotage, and kinetic force have all been used to slow their progress. The on-again-off-again Iran nuclear deal set in place by Washington has also not done enough to quell Tehran’s atomic ambitions. In 2021, there was an attack on the plant that caused a blackout, coming a week after President Biden attempted to revive the nuclear deal that President Trump ended.

Iran was even able to launch a counterattack against the US’s banking network in 2012 using what is known as a denial-of-service attack, though it was deemed unsuccessful. Iran denies the attack, but the timing, target, and the size made it likely a nation-state was involved.

The Equation Group: Stuxnet’s Deeper Origins

The significance of the Stuxnet attacks was unprecedented. This was the first time a nation-state had been able to remotely destroy the infrastructure of another nation-state through digital means. The genie was out of the bottle.

But Stuxnet was not simply the first cyber weapon created by world powers — it was the most successful by far that is publicly known, but not the first. Five years after its discovery in 2010, it was found that there were links in Stuxnet’s code that relate to a mysterious hacker organisation known as The Equation Group. It was unearthed by the Kaspersky Lab, one of the foremost global organisations on cybersecurity, noticing several distinct similarities between the code in various other viruses — such as Fanny, Flame, and Flowershop — and Stuxnet.

Prior to Stuxnet, two of the four zero-day exploits that it used were discovered in other malware that predates Stuxnet’s existence. Meaning, at the very least, those who created Stuxnet and The Equation Group collaborated on their work, or there was overlap in personnel. The Equation Group’s oldest code goes back to 2001, but according to the Kaspersky Lab, they could have been in operation as early as 1996.

The Equation Group have targeted geopolitical-level infrastructure all over the world, from governments and diplomatic institutions, to aerospace and energy institutions, to nuclear research and nanotechnology. The Kaspersky Lab described them as the most advanced hackers they had ever seen. Due to having “self-destruct” features in their code — another similarity to Stuxnet — it is difficult to ascertain the real numbers affected by the group.

While only 500 malware infections could be found, the real number could be in the tens of thousands. Nobody had any idea they existed for at least a decade and a half. Due to all of these similarities to Stuxnet, The Equation Group is assumed to be heavily linked to the Tailored Access Operations unit of the NSA.

The NSA codewords “STRAITACID” and “STRAITSHOOTER” have been found in The Equation Group’s code. A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. It would be confirmed by Edward Snowden’s whistleblowing in 2013 that the NSA did have domestic and international spying operations ongoing.

In 2017, a group of hackers called The Shadow Brokers stole data belonging to The Equation Group, the most recent of which was from 2013 — aligning with the NSA’s information lockdown since Snowden’s leaks.

Did Stuxnet Actually Work? Assessing the Legacy of Cyber Warfare’s First Weapon

Stuxnet was not one of a kind. Whilst arguably the most effective in its mission, it is by no means the only shot fired across the bow of the digital domain. Stuxnet was being developed in the mid-2000s; the other Equation Group code goes back to 2001.

If a cyber weapon deployed in 2007 was sophisticated enough to do the damage it did, what could similar people with similar resources do almost two decades later? With AI technology, writing code is easier than ever, and the tools used by non-nation-state actors are getting increasingly complex. Meanwhile, there are still vulnerabilities all over the globe in state infrastructure.

Undoubtedly, Stuxnet proved that it could be possible for cyber weaponry to inflict real damage to the infrastructure of other states and changed the way in which warfare is assessed forever. But, in a practical sense, did it really work? Stuxnet managed to damage 1,000 of Iran’s centrifuges and reduced their capability to enrich uranium by a fifth.

It was deemed to have set back Iran’s nuclear due date until 2014. For a billion-dollar programme, a three-year delay is not all that cost-effective. It is why the US and Israel had to return to other options, such as kinetic strikes, assassinations, and the Iran nuclear deal, as part of the strategy alongside more cyber-attacks.

At the end of all of it, Iran today has enough uranium that it could be possible for them to enrich enough for up to five warheads in a relatively short time. Arguably, Operation Olympic Games has already failed. As expensive as it was to make and as impressive as it was to accomplish, Stuxnet did not move the needle.

The answer is that there are still a select number of circumstances where cyber weaponry will be the best option, and as it becomes increasingly cheaper to develop malware and with more technology in the world than ever before, that trend only stands to continue. Therefore, the key element of a cyber weapon like Stuxnet is in its potential. The world is only just beginning to explore the ocean of cyber warfare.

Frequently Asked Questions

How was Stuxnet physically introduced into the air-gapped Natanz facility?

Iran’s nuclear infrastructure was completely separated from the internet—a security practice called an “air gap”—making remote infection impossible. Dutch engineer Erik Van Sabben, recruited by the AIVD at American request, physically entered the facility in 2007 and planted the worm, likely via infected computers on water pumps he installed. Some accounts also cite a USB stick as the delivery method, with one unnamed architect of the virus noting “there is always an idiot around who doesn’t think much about the thumb drive in their hand.”

What made Stuxnet technically unprecedented as a piece of malware?

Stuxnet used four zero-day exploits simultaneously—vulnerabilities in systems unknown to their developers. Finding even one zero-day is considered remarkable. The worm was 50 times larger than a standard computer worm, with an estimated development cost of one billion dollars. It searched specifically for Siemens PLC software controlling the Natanz centrifuges, recorded normal monitoring data to loop back to Iranian engineers, hid all malicious files, and caused centrifuges to spin at destructive speeds while appearing to operate normally.

What actual damage did Stuxnet inflict on Iran’s nuclear program?

Stuxnet destroyed approximately 1,000 centrifuges and reduced Iran’s uranium enrichment capability by one fifth. It was assessed to have set back Iran’s nuclear timeline to an estimated 2014—a roughly three-year delay. Despite costing an estimated one billion dollars to develop and successfully executing the world’s first nation-state cyber attack on physical infrastructure, the program’s architects ultimately judged the delay insufficient, requiring a return to kinetic strikes, assassinations, and diplomatic deals.

How did Stuxnet escape and what were the consequences?

In 2010, a bug in a new Stuxnet update caused the worm to breach the Natanz air gap and spread via the internet. It infected 200,000 computers across Russia, India, Iraq, Indonesia, and other countries, and caused 1,000 machines to physically degrade. The US blamed Israel for the bug. Then-Vice President Joe Biden was furious.

The escape led to Stuxnet’s discovery in July 2010 by a Belarussian cybersecurity company, eventually revealing the malware’s existence to the world and prompting Iran’s Ahmadinejad to publicly acknowledge “minor problems with some of our centrifuges.”

What is the Equation Group and how is it connected to Stuxnet?

The Kaspersky Lab discovered in 2015 that two of Stuxnet’s four zero-day exploits had previously appeared in malware linked to a mysterious organization called The Equation Group, whose oldest code dates to 2001. The Group targeted governments, aerospace, energy, and nuclear institutions worldwide, used self-destruct features similar to Stuxnet’s, and remained undetected for at least fifteen years. NSA codewords were found in its code, and a former NSA employee confirmed Kaspersky’s analysis was correct. The Equation Group is widely assumed to be the NSA’s Tailored Access Operations unit.

Sources

1. https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/
2. https://www.zdnet.com/article/google-just-launched-a-faster-more-efficient-chrome-browser-for-windows-but-theres-a-catch/
3. https://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11
4. https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all
5. https://www.nytimes.com/2010/01/13/world/middleeast/13iran.html
6. https://www.vanityfair.com/news/2011/03/stuxnet-201104
7. https://www.cbsnews.com/news/iran-confirms-stuxnet-worm-halted-centrifuges/
8. https://www.nytimes.com/2010/09/30/world/middleeast/30worm.html?_r=2&pagewanted=2&hpw
9. https://web.archive.org/web/20210505195313/https://archive.f-secure.com/weblog/archives/00002040.html
10. https://ghostarchive.org/archive/kDjup
11. https://web.archive.org/web/20170225103053/https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
12. https://web.archive.org/web/20150217023145/https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
13. https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
14. https://threatpost.com/stuxnet-apts-gossip-girl/143595/
15. https://www.reuters.com/article/us-iran-cyberattacks-denial-idUSBRE88M06O20120923/
16. https://www.volkskrant.nl/kijkverder/v/2024/sabotage-in-iran-een-missie-in-duisternis~v989743/?referrer=https%3A%2F%2Fen.wikipedia.org%2F