Untold saga of Stuxnet

Niraj Srivastava
Former ambassador

Stuxnet is well known, at least in the strategic community, as the computer virus that caused damage to Iran’s nuclear programme. Its existence was announced to the world in 2010 by software engineers, when they found that it had spread to hundreds of thousands of computers using the Microsoft Windows operating system all over the world, including India. While Stuxnet’s structure, and how it damaged the nuclear programe, are by now known, what was not known till a few weeks ago was exactly how it was introduced into the software running Iran’s nuclear plant at Natanz.

That story was published by Yahoo News on September 2, and was quickly picked up by many news outlets, and retold, all over the world. Indian media seems to have missed it.

The story provides insights into the operations of the intelligence agencies of the five countries which collaborated to produce the virus and infect the software running the centrifuges at Natanz. Centrifuges are machines used to ‘enrich’ uranium, which can then be used for various purposes. The operation was primarily a US-Israel enterprise, which also involved the Netherlands, Germany and France. The operation’s codename was ‘Olympic Games’, after the five-ring symbol of the Olympics.

The Natanz plant was ‘air-gapped’, meaning it was not connected to the Internet. Its centrifuges were run by a software produced by German company Siemens. To infect the software, someone had to physically insert a USB flash drive containing the virus into the computers at Natanz. That was not an easy task, given that the facility was heavily guarded.

Sometime in 2004, the CIA and Mossad (US and Israeli intelligence agencies) requested their Dutch counterpart AVID to locate an Iranian who could be groomed for the job. AVID was able to find one from the expatriate Iranian community in Holland. He was an engineer and had previously been a contractor at Natanz. He was offered a substantial amount of money and resettlement in the West. 

The Iranian ‘mole’ returned home in 2006 and set up a front company providing maintenance services for computers. The company was able to obtain a contract for maintenance work at Natanz, enabling the mole to gain access to the facility in 2007. He paid several visits to the plant during which he gathered information about the centrifuges, which was used to fine-tune the virus in the US. Its use was authorised by President Bush in 2007.

In 2007, the mole took Stuxnet in a USB flash drive and inserted it into the computers. That was his last visit to the facility. The ‘air-gap’ had been closed.

In the meantime, the designers of Stuxnet had been working to make it more potent. They produced a modified version which was injected into the computers in early 2010, with authorisation by President Obama, who was assured that it would not affect computers outside Iran. This time, they did not need a mole; they could do their work online. This version of Stuxnet was indeed more potent: it blew up around 1,000 of Natanz’s 5,000 centrifuges. The Iranians were shocked.

Around the same time, three Iranian nuclear scientists were assassinated in separate incidents in Tehran. It was widely believed that Mossad was responsible for the killings.

But the Iranians were not the only ones to be shocked. This version of Stuxnet spread all over the world, including the US and India, though it did not cause much damage. It was then isolated and analysed by computer experts. In June 2010, they announced its existence to the world. It was the first cyber weapon of mass destruction. One former head of the CIA compared it to the atom bombs dropped on Hiroshima and Nagasaki in 1945. 

After Stuxnet was made public, Iran reportedly arrested and executed several workers at Natanz. It is not known if the Dutch mole was one of them.

There is also a geopolitical dimension to the story, involving the rogue activities of AQ Khan, the Pakistani national hero. Khan stole the blueprints of the centrifuges in the 1970s while working at URENCO, a company in Holland. Later, with the approval of the Pakistani establishment, he sold them to Iran and Libya. The Natanz centrifuges were based on the stolen blueprints. His activities came to light in 2004, when the US presented a dossier on him to General Musharraf, the then military dictator of Pakistan. Though Musharraf claimed Khan was acting on his own, very few believed him.

The launch of Stuxnet by the CIA and its partners had several unintended consequences. First, it galvanised Iran into setting up one of the largest cyber warfare units in the world. Second, the US established a Cyber Command for offensive and defensive operations. Third, it alerted all countries to the dangers of a cyber attack. Some of them, including India, took steps to set up their own cyber defence/warfare units. Fourth, it highlighted the need for a multilateral agreement to regulate the use of cyber weapons. That has not happened so far; cyber space is still a free-for-all. Finally, it demonstrated that isolating a computer network from the Internet is no guarantee that it could not be infected by malware. A mole can do the job.

The saga of Stuxnet shows the recklessness of the countries involved in the operation. But they might have unwittingly done a favour to the world by alerting it to the dangers of cyber warfare. For a country like India, Stuxnet was a wake-up call. 

There is something else India needs to note. Pakistan gave the centrifuge blueprints to Iran even though it is Shia, while Pakistan is Sunni. It means that Pakistan would not mind  Iran acquiring nuclear capability. That suggests their ties are close, despite occasional incidents.