The Iran Stuxnet Affair

Philippe Rivière

The Russian ambassador to NATO, Dmitry Rogozin, has claimed that the Stuxnet computer virus that attacked Iran’s nuclear installations could have led to a Chernobyl-style meltdown. He demanded an enquiry into the malware, which he said could have caused a thermonuclear explosion at the Bushehr power plant in southern Iran. This idea was dismissed as unfounded by the German cybersecurity expert Ralph Langner, who made the first complete study of the virus: “First, Stuxnet does not target Bushehr.” (It affected the uranium enrichment plant at Natanz, which has 7,000 centrifuges.) “Second, even if it did, it could not mess with the systems in the primary circuit [in contact with radioactivity]. The funny thing is, the Russians know that very well.” Russia is Iran’s partner in its nuclear program. The Stuxnet affair is a game of mirrors, of computer code sabotage and diplomacy.
Some facts have been established: The authors of the virus had time (it is estimated that it would have taken 10 man-years to write the 15,000 lines of code) and specialist knowledge (the worm spread through four unpatched holes in the Microsoft Windows system). “Code analysis makes it clear that Stuxnet is not about sending a message or proving a concept,” Langner wrote. “It is about destroying its targets with utmost determination in military style.”
But were Iran’s nuclear installations the target? An article in The New York Times in January said the virus was tested and developed on a lifesize model of the centrifuge system at Natanz, and that the large-scale operation was carried out in Israel’s military nuclear complex at Dimona in the Negev desert. The article was based on the accounts of several US and Israeli computer scientists, nuclear enrichment experts and former officials, all unnamed. Its conclusion was that “the covert race to create Stuxnet was a joint project between the Americans and the Israelis, with some help, knowing or unknowing, from the Germans and the British.”
The Germans in question are the Siemens company, which makes the supervisory control and data acquisition system (SCADA) used to monitor industrial processes at Natanz. The Stuxnet worm first appeared in 2009 when it infected tens of thousands of computers around the world. According to a report by the Moscow-based antivirus manufacturer Kaspersky Labs, it spread to several countries, and infected 8,565 computers in India in September 2010, and Indonesia (5,148 victims), before arriving in Iran, where 3,062 cases were detected. Some believe that Stuxnet penetrated Natanz through an infected USB memory stick from a Russian supplier. Then, recognizing the distinctive traits of its target (the make of certain frequency controllers) the virus set off a sequence of attacks out of a Hollywood movie. It made sure the control computers continued to show that everything was operating normally, while it increased the speed of rotation of the centrifuges, pushing the rotors to breaking point, and causing an abnormally high number of failures.
Israel hasn’t said it is behind the worm, but it hasn’t denied it either, and some army officers hint at it. The Stuxnet malware is only one element of various attacks on Iran’s nuclear program. The former head of Mossad (Israeli intelligence), Meir Dagan, said recently he was pleased that the program had been put back several years: “Iran won’t have nuclear capability before 2015.”
According to a report by the US Institute of Peace, Iran’s nuclear program has “mounting setbacks, which in turn will provide more time for diplomacy and reduce the imminence of military strikes.” Iran’s problems are “increased difficulty of obtaining essential parts on the international market; trouble operating large numbers of centrifuges; and apparent covert actions by foreign intelligence agencies.” These include “cyber attacks, sabotaging key equipment Iran seeks abroad; infiltration and disruption of Iran’s smuggling networks, and the assassination of nuclear experts.” (The most recent was on 29 November 2010, when the scientist Majid Shahriari was blown up in his car.) The report’s authors, David Albright and Andrea Stricker, believe “the biggest problems appear to have been caused by the Stuxnet malware, which started to impact the gas centrifuges at the Natanz fuel enrichment plant in 2009.” President Mahmoud Ahmadinejad originally dismissed the affair as fantasy, but last year he had to admit that the virus had caused some problems, which, he said, had since been resolved.
Scott Ritter, the UN chief weapons inspector in Iraq from 1991 to 1998, wrote on Nuclear Intelligence Weekly: “Public statements by both American and Israeli officials [hint] that Stuxnet has stymied, for the time being, Iran’s enrichment program.” But Ritter goes on to say that “a recent assessment conducted by the Federation of American Scientists, drawing on data from the UN nuclear inspection teams [about Natanz], suggests that in 2010 Iran actually increased the scope and efficiency of its enrichment activities, despite the Stuxnet attack.”
The reason for this difference in evaluation, says Ritter, is the tension caused by the “race” between Tehran and the P5 + 1 group. “Fact-based assessments have in the past been ignored in favor of speculation about potential ‘break-out’ scenarios concerning Iran’s ability to produce a hypothetical nuclear weapon...” Diplomats, who for the last 20 years have been saying that Iran is about to get the bomb, have been “limiting policy options to those which addressed these exaggerated hypotheses.” So they have narrowed the areas for discussion. The setback attributed to the sabotage provides an opportunity to continue negotiations without losing face.
Should Stuxnet be welcomed for reducing the risk of a preventative strike against Iran? Apart from the imbalance between the neighbors (Israel’s nuclear bomb is the world’s “worst kept secret” while Iran still seems far from completing its nuclear program), sabotage operations in peacetime risk reprisals and escalation. It would be ironic if the world’s most computerised countries, which have the most to lose, justified such actions. But computer piracy is combat: To defend yourself well, you need to be a master of attack. In Washington, where the memory is still fresh of the hacking of Google’s messaging service, probably by the Chinese, President Obama wants the power to shut down the internet, a last line of defense against foreign cyber attacks. Estonia, which suffered a cyber attack in 2007 (probably by Russia), is now home to NATO’s center of excellence for cyber defense.

Translated by Stephanie Irvine
Philippe Rivière is a member of the editorial team of Le Monde diplomatique.
Copyright © 2011 Le Monde diplomatique -- distributed by Agence Global