Introduction:
When it comes to cybersecurity, most people imagine anti-virus software, phishing emails, and passwords. How deeply cybersecurity reaches into daily life is often overlooked by untrained eyes, such as the general public. However, the offensive cyber capabilities of a well-funded and capable intelligence agency were brought to light during Operation Olympic Games. Stuxnet is the most notorious example of how physical consequences can arise from a digital landscape, and those consequences are staggering. The existence of this “operation” was unintentionally revealed in 2010, yet wouldn’t be confirmed by U.S. officials until 2012. The covert operation was first developed under the Bush Administration and continued under the Obama Administration, even after software security companies took notice in 2010 of the existence of the worm (Stuxnet). But what did Stuxnet do, and why was it kept so secret?
A computer worm is a type of malware whose primary function is to self-replicate and infect other computers while remaining active on infected systems.
The Stuxnet Chronicles:
Stuxnet was allegedly backed by both the U.S. and Israel in an attempt to cause setbacks to Iran’s ability to enrich uranium, which provides the capability to manufacture atomic weapons. To enrich uranium, one must have facilities in place that utilize centrifuges, and these centrifuges are an integral part of how uranium is converted into a resource usable for nuclear weapons. A nuclear Iran has long been, and certainly was at the time of this operation, on the radar of both U.S. and Israeli intelligence. This situation is also relevant to the current situation unfolding in the Middle East, as it helps to illustrate the historical tensions between Iran, the U.S., and its close ally, Israel.
In the case of Stuxnet, the Supervisory Control and Data Acquisition (SCADA) systems targeted by the worm were controlling the centrifuges used at Iran’s Natanz Nuclear facility, which focused on uranium enrichment. While not officially confirmed, it is alleged that a physical “infected device” (e.g. a USB stick) was connected to one of the systems within the Iranian facility.
SCADA systems are used to monitor and control industrial processes in various critical infrastructure sectors, including energy, water, transportation, and manufacturing.
The simplest way to describe how this worm physically disturbed the facility is to imagine a balloon: as the balloon is pumped with air it slowly expands until it reaches its breaking point and pops. Similarly, Stuxnet was able to manipulate the speed and operation of the Iranian centrifuges, and according to the Washington Post, ~1,000 out of ~6,000 centrifuges were destroyed. The intricate process by which Stuxnet succeeded is described in a study of Stuxnet undertaken by a researcher at Kaspersky Lab:
“First, it targeted Microsoft Windows machines and networks, repeatedly replicating itself. Then it sought out Siemens Step7 software, which is also Windows-based and used to program industrial control systems that operate equipment, such as centrifuges. Finally, it compromised the programmable logic controllers. Below is a diagram of the step-by-step process illustrating how Stuxnet managed to not only breach the Iranian SCADA systems but attack it, leaving physical consequences.”
The diagram below illustrates this sophisticated process step by step, for readers who found it hard to follow the description above.
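The final stage of the process above, the controller driving centrifuges outside their normal operating range until they fail, is also the stage a plant operator has the best chance of catching, provided the measured speed is checked independently of the controller that commands it. The script below is an added example written for this newsletter, not code from the Kaspersky study or from any real plant: it reads a constructed telemetry log of setpoint and independently measured RPM per centrifuge, flags values outside an assumed safe band or drifting away from the setpoint, and reports units where the drift persists across consecutive samples. The unit names, RPM limits and tolerance are illustrative assumptions.

```python
"""Process-integrity monitor for centrifuge telemetry (added example).

Assumptions (not figures from the newsletter or any real facility):
- unit ids "cf-01"/"cf-02", a safe band of 40,000-64,000 rpm,
- a 2% tolerance between commanded setpoint and measured speed,
- the measured value comes from a sensor the controller cannot rewrite.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int              # seconds since start of the log (constructed)
    unit: str           # centrifuge identifier (constructed)
    setpoint_rpm: int   # speed the controller is supposed to command
    measured_rpm: int   # speed reported by an independent sensor


# Illustrative safe operating band and drift tolerance (assumptions).
RPM_MIN, RPM_MAX = 40_000, 64_000
DRIFT_TOLERANCE = 0.02   # fraction of setpoint

# Constructed telemetry: cf-01 behaves normally; cf-02 is pushed upward
# while its setpoint still reads normal, the pattern described above.
SAMPLES = [
    Sample(0,  "cf-01", 60_000, 60_050),
    Sample(10, "cf-01", 60_000, 59_980),
    Sample(20, "cf-01", 60_000, 60_010),
    Sample(0,  "cf-02", 60_000, 60_000),
    Sample(10, "cf-02", 60_000, 63_500),   # diverges from setpoint, still in band
    Sample(20, "cf-02", 60_000, 67_000),   # diverges and leaves the safe band
]


def check_sample(s: Sample) -> list[tuple[str, int, str]]:
    """Return (unit, t, reason) alerts raised by one telemetry sample."""
    alerts = []
    if not RPM_MIN <= s.measured_rpm <= RPM_MAX:
        alerts.append((s.unit, s.t, "outside safe band"))
    if abs(s.measured_rpm - s.setpoint_rpm) > DRIFT_TOLERANCE * s.setpoint_rpm:
        alerts.append((s.unit, s.t, "diverges from setpoint"))
    return alerts


def analyze(samples: list[Sample]) -> list[tuple[str, int, str]]:
    """Run the per-sample checks over a whole log."""
    return [alert for s in samples for alert in check_sample(s)]


def units_with_sustained_drift(samples: list[Sample], min_consecutive: int = 2) -> list[str]:
    """Units whose measured speed diverged from the setpoint in at least
    `min_consecutive` consecutive samples (time order), so that a single
    noisy reading does not trigger an alert on its own."""
    by_unit: dict[str, list[Sample]] = defaultdict(list)
    for s in samples:
        by_unit[s.unit].append(s)
    flagged = set()
    for unit, series in by_unit.items():
        run = 0
        for s in sorted(series, key=lambda x: x.t):
            divergent = any(reason == "diverges from setpoint"
                            for _, _, reason in check_sample(s))
            run = run + 1 if divergent else 0
            if run >= min_consecutive:
                flagged.add(unit)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for unit, t, reason in analyze(SAMPLES):
        print(f"t={t:>3}s {unit}: {reason}")
    print("sustained drift:", units_with_sustained_drift(SAMPLES))
```

The point of the second function is the one a detection engineer cares about: a controller that has been tampered with can keep reporting a normal setpoint, so the alert has to key on the gap between what was commanded and what a sensor outside the controller's reach actually measures, and it should require the gap to persist before paging anyone.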
From Secrecy to Disclosure:
While it is widely asserted that the Stuxnet worm was developed and executed by U.S. and Israeli intelligence, there is still no official confirmation from either the U.S. or Israel. The closest we have to any confirmation of who is responsible comes from investigative journalism, leaked documents, and cybersecurity research. It is still very much a classified operation, and any claims about a certain country’s involvement remain speculation, although some of that speculation is supported by very thorough research. Despite this, the reader needs to take this information with a grain of salt: that something is likely true does not make it established fact. Until Stuxnet is formally declassified by an intelligence agency, one must think critically about the situation and form a conclusion based on the various studies produced on the topic of Stuxnet.
Key Revelations:
As of February 8, 2024, Stuxnet remains classified, and confirmation concerning who was involved remains a mystery. Or is it? According to a 2011 report from The Telegraph, during a retirement celebration for the former head of the Israeli Defense Forces (IDF), General Gabi Ashkenazi, a video was allegedly played listing Stuxnet as one of General Ashkenazi’s successes. This, combined with the research from Kaspersky Lab, is the closest evidence we have pointing toward Israeli intelligence, so where do the claims of U.S. involvement stem from? Further research points to the lack of a concrete answer from former United States Deputy Secretary of Defense William Lynn when he was asked directly, during an interview with CNBC, whether the U.S. was involved with Stuxnet. Additional suspicions were raised when Gary Samore, Obama’s chief strategist for combating weapons of mass destruction, was asked about Stuxnet and responded with a smile:
“I’m glad to hear they [Iran] are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.”
This certainly raised eyebrows, as at no point has a U.S. official denied U.S. involvement with Stuxnet; officials instead skip past the question. This is a common practice for individuals with access to sensitive information, and the expression “I can neither confirm nor deny” is certainly the trend concerning the topic of Stuxnet. The only concrete revelation from this situation is the gravity of cyber operations in an ever-evolving technological landscape: the true capabilities of cyberattacks have now been made clear to the whole world.
Implications and Controversies:
The implications Stuxnet has for the international system are felt most strongly in national security. The most recent cyberattack with severe repercussions for Americans was the Colonial Pipeline ransomware attack, which shut down a pipeline that controls 55% of all fuel consumed on the East Coast and eventually forced the company to pay 75 bitcoin, worth roughly $4.4 million at the time, to the hacker group in exchange for an IT tool used to restore the Colonial system. This highlighted not only the vulnerabilities within what is considered the hegemonic power, but also the importance of investing in security against these attacks. Understanding the cybersecurity dilemma from a domestic perspective gives the reader a much more nuanced understanding of the dangers associated with these threats, and can paint a similar picture of how Iran, as the victim of such an attack, may have felt. Of course, one should also acknowledge the difference between targeting a nuclear facility tasked with enriching uranium and a pipeline tasked with providing fuel to a majority of citizens on the East Coast.
Conclusion:
From a civilian perspective, a question is raised: if a country such as Iran, or even one as powerful as the United States, is vulnerable to cyberattacks, what does that mean for a normal individual? It seems evident that the reality of digital security is merely a means of comfort, as opposed to actual fortification. For those with businesses, or those who work with sensitive information, this should serve as a warning to do all in your power to maximize the protection of the information you deem valuable. Additionally, be aware of the realities of the digital landscape, and understand that a breach can carry significant consequences. It is unlikely that Stuxnet will ever be declassified. If it is, that will require Stuxnet to no longer be operable in the current international landscape, as providing the public with that information could have egregious consequences. For those curious to read more about Stuxnet, several articles are provided at the end of this newsletter.
[Stuxnet Primary Document: https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-040.pdf]
Additional Sources:
https://www.wired.com/2011/05/defense-department-stuxnet/
https://www.csoonline.com/article/562691/stuxnet-explained-the-first-known-cyberweapon.html