Stuxnet may be the largest and costliest development effort in malware history. Developing its abilities would have required a team of capable programmers, in-depth knowledge of industrial processes, and an interest in attacking industrial infrastructure.

The Guardian, the BBC and The New York Times all claimed that (unnamed) experts studying Stuxnet believe the complexity of the code indicates that only a nation-state would have the abilities to produce it. The self-destruct and other safeguards within the code implied that a Western government was responsible, or at least is responsible for its development. However, software security expert Bruce Schneier initially condemned the 2010 news coverage of Stuxnet as hype, stating that it was almost entirely based on speculation. After subsequent research, Schneier stated in 2012 that "we can now conclusively link Stuxnet to the centrifuge structure at the Natanz nuclear enrichment lab in Iran".

In late December 2008, Dutch engineer Erik van Sabben travelled to Iran, allegedly to infiltrate the Natanz nuclear facility on behalf of Dutch intelligence and install equipment infected with Stuxnet. He died two weeks after the Stuxnet attack, at age 36, in an apparent single-vehicle motorcycle accident in Dubai.
=== Iran as a target ===

Ralph Langner, the researcher who identified that Stuxnet infected PLCs, stated at a TED conference recorded in February 2011 that "My opinion is that the Mossad is involved, but that the leading force is not Israel. The leading force behind Stuxnet is the cyber superpower; there is only one, and that's the United States." Kevin Hogan, Senior Director of Security Response at Symantec, reported that most infected systems were in Iran (about 60%), which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in Iran, including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility. Langner called the malware "a one-shot weapon" and said that the intended target was probably hit, although he admitted this was speculation.

On 23 November 2010 it was announced that uranium enrichment at Natanz had ceased several times because of a series of major technical problems. A "serious nuclear accident" (supposedly the shutdown of some of its centrifuges). Statistics published by the Federation of American Scientists (FAS) show that the number of enrichment centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900, beginning around the time the nuclear incident WikiLeaks mentioned would have occurred. The Institute for Science and International Security (ISIS) suggests, in a report published in December 2010, that Stuxnet is a reasonable explanation for the apparent damage at Natanz, and may have destroyed up to 1,000 centrifuges (10 percent) sometime between November 2009 and late January 2010. The authors conclude:

The ISIS report further notes that Iranian authorities have attempted to conceal the breakdown by installing new centrifuges on a large scale.

The worm worked by first causing an infected Iranian IR-1 centrifuge to increase from its normal operating speed of 1,064 hertz to 1,410 hertz for 15 minutes before returning to its normal frequency. Twenty-seven days later, the worm went back into action, slowing the infected centrifuges down to a few hundred hertz for a full 50 minutes. The stresses from the excessive, then slower, speeds caused the aluminium centrifugal tubes to expand, often forcing parts of the centrifuges into sufficient contact with each other to destroy the machine. According to The Washington Post, International Atomic Energy Agency (IAEA) cameras installed in the Natanz facility recorded the sudden dismantling and removal of approximately 900–1,000 centrifuges during the time the Stuxnet worm was reportedly active at the plant. Iranian technicians, however, were able to quickly replace the centrifuges, and the report concluded that uranium enrichment was likely only briefly disrupted.

On 15 February 2011, the Institute for Science and International Security released a report concluding that:
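The speed-manipulation sequence described above (a short overspeed to 1,410 Hz, then, 27 days later, a long underspeed to a few hundred hertz) is the kind of process anomaly a plant operator can look for in telemetry that does not pass through the compromised controller. The following Python monitor is an added illustration and is not code from the article or from any Stuxnet analysis; it assumes an independent, time-ordered feed of (seconds, hertz) samples from a drive-frequency sensor, and the tolerance band, minimum duration and sample data are all constructed for the example rather than taken from any real plant.

```python
"""Out-of-band rotor-frequency monitor (added example, constructed data).

Scans a time-ordered feed of (t_seconds, hertz) samples and reports
sustained excursions outside a nominal operating band. The nominal
1,064 Hz figure is the one quoted in the text; the tolerance, minimum
duration and sample interval are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

NOMINAL_HZ = 1064.0       # normal IR-1 operating frequency quoted in the text
TOLERANCE_HZ = 20.0       # assumed acceptable deviation (plant-specific in practice)
MIN_DURATION_S = 120      # assumed: ignore blips shorter than two minutes
SAMPLE_INTERVAL_S = 60    # assumed spacing of the constructed feed


@dataclass
class Excursion:
    start: int        # time of the first out-of-band sample
    end: int          # time of the first in-band sample after it
    peak_hz: float    # most extreme frequency observed during the excursion
    kind: str         # "overspeed" or "underspeed"

    def duration_s(self) -> int:
        return self.end - self.start


def classify(hz: float, nominal: float, tol: float) -> Optional[str]:
    """Return which side of the band a sample falls on, or None if in band."""
    if hz > nominal + tol:
        return "overspeed"
    if hz < nominal - tol:
        return "underspeed"
    return None


def find_excursions(samples: Iterable[Tuple[int, float]],
                    nominal: float = NOMINAL_HZ, tol: float = TOLERANCE_HZ,
                    min_duration_s: int = MIN_DURATION_S) -> List[Excursion]:
    """Group consecutive out-of-band samples and keep sustained runs only."""
    found: List[Excursion] = []
    current: Optional[Excursion] = None
    last_t = 0
    for t, hz in samples:
        last_t = t
        kind = classify(hz, nominal, tol)
        if current is not None and kind == current.kind:
            extreme = max if kind == "overspeed" else min
            current.peak_hz = extreme(current.peak_hz, hz)
            continue
        if current is not None:           # the run ended at this sample
            current.end = t
            if current.duration_s() >= min_duration_s:
                found.append(current)
            current = None
        if kind is not None:              # a new run starts here
            current = Excursion(start=t, end=t, peak_hz=hz, kind=kind)
    if current is not None:               # feed ended while still out of band
        current.end = last_t + SAMPLE_INTERVAL_S
        if current.duration_s() >= min_duration_s:
            found.append(current)
    return found


def build_sample_feed() -> List[Tuple[int, float]]:
    """Constructed telemetry shaped like the sequence in the text; not real data."""
    minute, day = 60, 86400
    feed: List[Tuple[int, float]] = []

    def run(start: int, hz: float, minutes: int) -> int:
        t = start
        for _ in range(minutes):
            feed.append((t, hz))
            t += minute
        return t

    t = run(0, 1064.0, 10)          # nominal operation
    t = run(t, 1410.0, 15)          # 15-minute overspeed
    run(t, 1064.0, 10)              # back to nominal
    t = run(5 * day, 1064.0, 5)     # a one-sample blip: below the duration threshold
    t = run(t, 1090.0, 1)
    run(t, 1064.0, 5)
    t = run(27 * day, 1064.0, 10)   # 27 days later
    t = run(t, 300.0, 50)           # 50-minute underspeed to a few hundred hertz
    run(t, 1064.0, 10)
    return feed


if __name__ == "__main__":
    for e in find_excursions(build_sample_feed()):
        print(f"{e.kind:10s} start={e.start:>8d}s duration={e.duration_s():>5d}s "
              f"peak={e.peak_hz:.0f} Hz")
```

Run stand-alone, the script reports exactly two excursions: the 15-minute overspeed peaking at 1,410 Hz and, 27 days later, the 50-minute underspeed at 300 Hz, while the single-sample blip is suppressed by the duration threshold. The point of the design is that the check depends only on the sensor feed and a fixed band, so it does not rely on values reported by the PLC being honest.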
=== Iranian reaction ===

The Associated Press reported that the semi-official Iranian Students News Agency released a statement on 24 September 2010 stating that experts from the Atomic Energy Organization of Iran met in the previous week to discuss how Stuxnet could be removed from their systems. The head of the Bushehr Nuclear Power Plant told Reuters that only the personal computers of staff at the plant had been infected by Stuxnet, and the state-run newspaper Iran Daily quoted Reza Taghipour, Iran's telecommunications minister, as saying that it had not caused "serious damage to government systems". In response to the infection, Iran assembled a team to combat it. With more than 30,000 IP addresses affected in Iran, an official said that the infection was fast spreading in Iran and the problem had been compounded by the ability of Stuxnet to mutate. Iran had set up its own systems to clean up infections and had advised against using the Siemens SCADA antivirus, since it is suspected that the antivirus contains embedded code which updates Stuxnet instead of removing it. According to Hamid Alipour, deputy head of Iran's government Information Technology Company, "The attack is still ongoing and new versions of this virus are spreading." He reported that his company had begun the cleanup process at Iran's "sensitive centres and organizations".

On the same day two Iranian nuclear scientists were targeted in separate, but nearly simultaneous, car bomb attacks near Shahid Beheshti University in Tehran. Majid Shahriari, a quantum physicist, was killed. Fereydoon Abbasi, a high-ranking official at the Ministry of Defense, was seriously wounded. Wired speculated that the assassinations could indicate that whoever was behind Stuxnet felt that it was not sufficient to stop the nuclear program. On 11 January 2012, a director of the Natanz nuclear enrichment facility, Mostafa Ahmadi Roshan, was killed in an attack quite similar to the one that killed Shahriari.

An analysis by the FAS demonstrates that Iran's enrichment capacity grew during 2010. The study indicated that Iran's centrifuges appeared to be performing 60% better than in the previous year, which would significantly reduce Tehran's time to produce bomb-grade uranium. The FAS report was reviewed by an official with the IAEA who affirmed the study. European and US officials, along with private experts, told Reuters that Iranian engineers were successful in neutralizing and purging Stuxnet from their country's nuclear machinery. Given the growth in Iranian enrichment ability in 2010, the country may have intentionally put out misinformation to cause Stuxnet's creators to believe that the worm was more successful in disabling the Iranian nuclear program than it actually was.
=== Israel ===

Israel, through Unit 8200, has been speculated to be the country behind Stuxnet in multiple media reports and by experts such as Richard A. Falkenrath, former Senior Director for Policy and Plans within the US Office of Homeland Security. Yossi Melman, who covers intelligence for the Israeli newspaper Haaretz and wrote a book about Israeli intelligence, also suspected that Israel was involved, noting that Meir Dagan, the former (up until 2011) head of the national intelligence agency Mossad, had his term extended in 2009 because he was said to be involved in important projects. Additionally, in 2010 Israel grew to expect that Iran would have a nuclear weapon in 2014 or 2015, at least three years later than earlier estimates, without the need for an Israeli military attack on Iranian nuclear facilities; "They seem to know something, that they have more time than originally thought", he added. When questioned whether Israel was behind the virus in the fall of 2010, some Israeli officials broke into "wide smiles", fueling speculation that the government of Israel was involved with its genesis. American presidential advisor Gary Samore also smiled when Stuxnet was mentioned, although American officials have suggested that the virus originated abroad. In 2009, a year before Stuxnet was discovered, Scott Borg of the United States Cyber-Consequences Unit (US-CCU) suggested that Israel may prefer to mount a cyberattack rather than a military strike on Iran's nuclear facilities.

Iran uses P-1 centrifuges at Natanz, the design for which A. Q. Khan stole in 1976 and took to Pakistan. His black market nuclear-proliferation network sold P-1s to, among other customers, Iran. Experts believe that Israel also somehow acquired P-1s and tested Stuxnet on the centrifuges, installed at the Dimona facility that is part of its own nuclear program. The equipment may be from the United States, which received P-1s from Libya's former nuclear program.

Some have also cited several clues in the code, such as a concealed reference to the word MYRTUS, believed to refer to the Latin name myrtus of the Myrtle tree, which in Hebrew is called hadassah. Hadassah was the birth name of the former Jewish queen of Persia, Queen Esther. However, it may be that the "MYRTUS" reference is simply a misinterpreted reference to SCADA components known as RTUs (Remote Terminal Units), and that this reference is actually "My RTUs", a management feature of SCADA. Also, the number 19790509 appears once in the code and may refer to the date 1979 May 09, the day Habib Elghanian, a Persian Jew, was executed in Tehran. Another date that appears in the code is "24 September 2007", the day that Iran's president Mahmoud Ahmadinejad spoke at Columbia University and made comments questioning the validity of the Holocaust. Such data is not conclusive, since, as noted by Symantec, "attackers would have the natural desire to implicate another party".

=== United States ===

with one report stating that "there is vanishingly little doubt that [it] played a role in creating the worm". It has been reported that the United States, under one of its most secret programs, initiated by the Bush administration and accelerated by the Obama administration, has sought to destroy Iran's nuclear program by novel methods such as undermining Iranian computer systems. A leaked diplomatic cable showed how the United States was advised to target Iran's nuclear abilities through 'covert sabotage'. An article in The New York Times in January 2009 credited a then-unspecified program with preventing an Israeli military attack on Iran, where some of the efforts focused on ways to destabilize the centrifuges. A Wired article claimed that Stuxnet "is believed to have been created by the United States". Dutch historian Peter Koop speculated that the Tailored Access Operations could have developed Stuxnet, possibly in collaboration with Israel.

Some credibility is lent to these claims by the fact that John Bumgarner, a former intelligence officer and member of the United States Cyber-Consequences Unit (US-CCU), published an article before Stuxnet was discovered or deciphered that outlined a strategic cyber strike on centrifuges and suggested that cyber attacks are permissible against nation states operating uranium enrichment programs that violate international treaties. Bumgarner pointed out that the centrifuges used to process fuel for nuclear weapons are a key target for cybertage operations and that they can be made to destroy themselves by manipulating their rotational speeds.

In a March 2012 interview with 60 Minutes, retired US Air Force General Michael Hayden, who served as director of both the Central Intelligence Agency and the National Security Agency, while denying knowledge of who created Stuxnet, said that he believed it had been "a good idea" but that it carried a downside in that it had legitimized the use of sophisticated cyber weapons designed to cause physical damage. Hayden said: "There are those out there who can take a look at this ... and maybe even attempt to turn it to their own purposes". In the same report, Sean McGurk, a former cybersecurity official at the Department of Homeland Security, noted that the Stuxnet source code could now be downloaded online and modified to be directed at new target systems. Speaking of the Stuxnet creators, he said: "They opened the box. They demonstrated the capability ... It's not something that can be put back."
=== Joint effort and other states and targets ===

In April 2011, Iranian government official Gholam Reza Jalali stated that an investigation had concluded that the United States and Israel were behind the Stuxnet attack. Frank Rieger stated that three European countries' intelligence agencies agreed that Stuxnet was a joint United States-Israel effort. The code for the Windows injector and the PLC payload differ in style, likely implying collaboration. Other experts believe that a US-Israel cooperation is unlikely because "the level of trust between the two countries' intelligence and military establishments is not high". A Wired magazine article about US General Keith B. Alexander stated: "And he and his cyber warriors have already launched their first attack. The cyber weapon that came to be known as Stuxnet was created and built by the NSA in partnership with the CIA and Israeli intelligence in the mid-2000s."

China, Jordan, and France are other possibilities, and Siemens may have also participated. Langner speculated that the infection may have spread from USB drives belonging to Russian contractors, since the Iranian targets were not accessible via the Internet. In 2019, it was reported that an Iranian mole working for Dutch intelligence at the behest of Israel and the CIA inserted the Stuxnet virus with a USB flash drive or convinced another person working at the Natanz facility to do so.

Sandro Gaycken from the Free University Berlin argued that the attack on Iran was a ruse to distract from Stuxnet's real purpose. According to him, its broad dissemination in more than 100,000 industrial plants worldwide suggests a field test of a cyber weapon in different security cultures, testing their preparedness, resilience, and reactions, all highly valuable information for a cyberwar unit.

The United Kingdom has denied involvement in the worm's creation. In July 2013, Edward Snowden claimed that Stuxnet was cooperatively developed by the United States and Israel.
=== Deployment in North Korea ===

According to a report by Reuters, the NSA also tried to sabotage North Korea's nuclear program using a version of Stuxnet. The operation was reportedly launched in tandem with the attack that targeted Iranian centrifuges in 2009–10. The North Korean nuclear program shares a number of similarities with the Iranian one, both having been developed with technology transferred by Pakistani nuclear scientist A. Q. Khan. The effort failed, however, because North Korea's extreme secrecy and isolation made it impossible to introduce Stuxnet into the nuclear facility.
=== Stuxnet 2.0 cyberattack ===

In 2018, Gholamreza Jalali, Iran's chief of the National Organization for Passive Defense, claimed that his country fended off a Stuxnet-like attack targeting the country's telecom infrastructure. Iran's Telecommunications minister, Mohammad-Javad Azari Jahromi, has since accused Israel of orchestrating the attack. Iran plans to sue Israel through the International Court of Justice (ICJ) and is also willing to launch a retaliation attack if Israel does not desist.

== Related malware ==