Just a week ago, the Flame virus, suspected to be a weapon in a heretofore undeclared cyberwar, was discovered by computer security experts. Now, unnamed U.S. government officials have told a New York Times reporter that the Stuxnet worm, another sophisticated piece of malware that was discovered in 2010, was the brainchild of secretive U.S. and Israeli intelligence agencies. Stuxnet, designed to deal a significant blow to Iran’s uranium enrichment program, was clearly a cyberwarfare tool. But previous discussions of its authorship were, at best, a series of educated guesses and unverified allegations.
The NYT reporter, David Sanger, says his U.S. government sources told him that the program responsible for Stuxnet, code named “Olympic Games,” was initiated in 2006 at the behest of former president George W. Bush, but has since been championed by Barack Obama. These sources told Sanger that Obama “decided to step up cyber-attacks on Iran’s Natanz enrichment facility, even after the existence of the worm became public in 2010 after it leaked out onto the Internet.”
The highly detailed Times article, excerpted from Sanger’s soon-to-be-released book, “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power,” benefits from 18 months of interviews with current and former American, European and Israeli officials involved in the program, and several outside experts. In it, Sanger reveals what Stuxnet was intended to do, how it managed to conceal itself, why it remained effective even after a coding error allowed it to escape the Natanz enrichment plant’s computer system and eventually spread to the Internet, and even the decision-making process that led Obama to order that the cyberespionage program be continued.
According to the Guardian, the U.S. National Security Agency and Israel’s Unit 8200 ended up as collaborators on the project because of U.S. fears that Israel would take it upon itself to end the threat of Iranian nuclear weapons capability by leveling the plant. The U.S. let Israel in on its plot in order to reassure its ally that Iran’s nuclear efforts would be greatly compromised without a single bomb being dropped. The article quotes Sanger, who notes that to talk them down from the ledge, “The Israelis would have to be convinced that the new line of attack was working…The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.” But Sanger’s New York Times article notes that Israel’s technical expertise and unrivaled intelligence about the Natanz facility’s operations helped to make it an attractive partner.
For a while, the plan went off without a hitch, the U.S. officials told Sanger. “The Iranians didn’t suspect foul play because no two attacks were exactly alike,” they said; and even in the midst of a full-bore attack, the Stuxnet worm sent signals to the Natanz control room that made readouts being monitored by engineers there appear to be perfectly normal. “This may have been the most brilliant part of the code,” a U.S. official told the New York Times reporter.
How effective was it? Even after the malware’s existence became the subject of worldwide buzz, an updated version of the worm destroyed about a thousand of the 5000 centrifuges then in operation.
Now that the United States has acknowledged responsibility for Stuxnet, it naturally becomes the leading suspect in the case of the Flame virus. According to an article in The Guardian, Kaspersky Labs, a Russian computer security firm that has studied both Stuxnet and Flame, confirms that the timing of the first Stuxnet attack on Iran in June 2009 and the worm being outed almost a year later jibe with the timeline proposed by the New York Times’ sources.
Asked if there were any conclusions about Flame’s origin that could be drawn from the U.S. admission that it targeted Iran with Stuxnet, Kaspersky Labs said, “there are sufficient similarities between the two worms to suggest they have the same source.”
The U.S. government, which denies that the Flame virus was part of the Olympic Games program, maintains that it did not create that bit of malware. But then again, that was also its official stance regarding Stuxnet, right up until admitting responsibility became politically expedient.
The Guardian article calls the disclosure of President Obama's role in Stuxnet a tactical political strike meant to bolster Obama’s hawkish bona fides. The Guardian paints a picture of an Obama taking advantage of every opportunity to counter assertions from the right that he is weak on military issues:
“The decision to reveal Obama's role in the cyberwar against Iran follows hard on the heels of the highly political disclosure in an election year that the president had taken a personal role in approving terrorist targets for US drone strikes. And the depiction of his key involvement in two major clandestine military operations follows photographs last year showing him, as commander-in-chief, awaiting news of the death of Osama bin Laden.”
According to Sanger’s sources, who say they participated in many briefings on the progress of Olympic Games, Obama “was acutely aware that with every attack he was pushing the United States into new territory…He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons—even under the most careful and limited circumstances—could enable other countries, terrorists or hackers to justify their own attacks.” These aides revealed Obama’s concern that because the United States’ infrastructure is so dependent on computer systems, no country is more vulnerable to a similar type of attack.
It stands to reason that engaging in cyberwarfare would have a sobering effect: It was almost exactly a year ago that the United States drew a line in the sand, declaring that certain types of cyberattacks can constitute an act of war. As one military official put it in a Wall Street Journal article: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
Will Iran retaliate? Experts say they’ve seen no evidence of a return volley on the malware front. But there’s no guarantee that the country and its allies aren’t plotting something that, while less sophisticated, may be just as destructive.
Image: Caitlin Watson
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.