The Mossad, Israel’s foreign intelligence agency, attacked the Iranian nuclear program with a highly sophisticated computer virus called Stuxnet. The first digital weapon of geopolitical importance, it could change the way wars are fought — and it will not be the last attack of its kind.
The complex on a hill near an interchange on the highway from Tel Aviv to Haifa is known in Israel simply as “The Hill.” The site, as big as several soccer fields, is sealed off from the outside world with high walls and barbed wire — a modern fortress that symbolizes Israel’s fight for survival in the Middle East. As the headquarters of Israel’s foreign intelligence agency, the Mossad, this fortress is strictly off-limits to politicians and journalists alike. Ordinarily, it is the Mossad that makes house calls, and not the other way around.
The agency’s strict no-visitors policy was temporarily relaxed on a Thursday in early January, when a minibus with darkened windows pulled into a parking lot in front of a nearby movie theater. The journalists inside were asked to hand over their mobile phones and audio recorders. Meïr Dagan, the powerful head of the Mossad, had invited them to the facility. It was his last day in a position he had held for seven years. On that January day, the journalists were there to document his legacy: the Mossad’s fight against the Iranian nuclear program.
He spoke passionately about the risks of a possible military strike against Iran, saying that he believed that such an attack would lead to a conflagration in the region that would include a war with Hezbollah and Hamas, and possibly with Syria. And anyone who believed that a military strike could stop Tehran’s nuclear program was wrong, said Dagan. It could slow down the program, he added, but only temporarily. For this reason, the outgoing Mossad chief was against bombs — but in favor of anything that could set back the Iranian nuclear program without starting a conventional war.
Delay was the new magic word. And to that end, the Mossad head had created a miracle weapon that everyone in the room on that January day knew about, but which Dagan did not mention by name: Stuxnet.
Stuxnet, a computer virus that can infiltrate highly secure computers not connected to the Internet, a feat previously believed to be virtually impossible, entered the global political arena more than a year ago, in June 2010. The virus had attacked computers at Iran’s Natanz nuclear facility, where scientists are enriching uranium, and manipulated the centrifuges to make them self-destruct. The attack penetrated into the heart of the Iranian nuclear program.
Stuxnet is the world’s first cyber-weapon of geopolitical significance. Frank Rieger of the legendary German hacker organization Chaos Computer Club calls it “a digital bunker buster.” The virus represents a fundamentally new addition to the arsenal of modern warfare. It enables a military attack using a computer program tailored to a specific target.
One year later, there is not an Internet security firm or government of a major country that is not addressing Stuxnet and its consequences, as well as taking action as a result. To learn more about Stuxnet and understand what is behind the virus, SPIEGEL traveled to Israel — the country where the cyber-weapon was invented.
Following the Trail
The Israeli branch of the US computer security firm Symantec is housed in a nondescript modern complex in Tel Aviv, a 15-minute drive from Ben Gurion International Airport. Sam Angel, the head of Symantec Israel, meets visitors in the underground garage and takes them to the conference room on the fourth floor. At the beginning of his PowerPoint presentation, Angel says: “Stuxnet is the most sophisticated attack we have ever seen. This sort of an attack, on a mature, isolated industrial system is completely unusual.” He projects a map onto the wall, showing the countries where such an attack has taken place: Iran, Indonesia, Malaysia and Belarus, where a man named Sergey Ulasen discovered Stuxnet.
Ulasen, who works in the research and development department at the VirusBlokAda security firm in Minsk, received what seemed to be a relatively mundane email on June 17, 2010. An Iranian firm was complaining that its computers were behaving strangely, shutting themselves down and then rebooting. Ulasen and a colleague spent a week examining the machines. Then they found Stuxnet. VirusBlokAda notified other companies in the industry, including Symantec.
When the engineers at Symantec got to work, they came across two computers that had directed the attacks. One of the servers was in Malaysia and the other was in Denmark, and they were reachable through the addresses www.todaysfutbol.com and www.mypremierfutbol.com. They had been registered, under a false name and with a forged credit card, through one of the world’s largest Internet registration companies, a firm based in the US state of Arizona. Symantec rerouted the incoming and outgoing communication at the two servers to its computer center in Dublin, which enabled it to monitor the activity of the virus. Whoever had launched Stuxnet had gotten away, but at least Symantec could follow the trail they had left behind.
The rerouting of communication made it possible to obtain an overview of the countries in which the virus was active. According to that analysis, Stuxnet had infected about 100,000 computers worldwide, including more than 60,000 in Iran, more than 10,000 in Indonesia and more than 5,000 in India. The inventors programmed Stuxnet so that the virus, as a first step, tells the two command-and-control servers if the infected computer is running Step 7, an industrial software program developed by the German engineering company Siemens. Step 7 is used to run the centrifuges at Iran’s Natanz facility.
The plant near Natanz, located in the desert 250 kilometers (156 miles) south of Tehran, is protected with military-level security. The aluminum centrifuges, which are housed in bunkers, are 1.8 meters (5 foot 10 inches) tall and 10 centimeters (four inches) in diameter. Their purpose is to gradually increase the proportion of uranium-235, the fissile isotope of uranium. There is a rotor inside the centrifuges that rotates at a speed of 1,000 times per second. In the process, uranium hexafluoride gas is centrifuged, so that uranium-235 accumulates in the center. The process is controlled by a Siemens system that runs on the Microsoft Windows operating system.
Part 2: Security Holes and Red Herrings
The ruse that makes the attack possible is as simple as it is ingenious. Stuxnet takes advantage of a security hole in Windows that makes it possible to manipulate the system. As a result of this programming error, the virus can be introduced into the system through a USB flash drive, for example. As soon as the drive is connected to a computer in the system, the installation begins unnoticed.
Stuxnet initially searches for anti-virus programs. The code is designed to circumvent them or, if this is not possible, to de-install itself. For a long time, one of the priorities was to leave no traces.
In a second step, Stuxnet lodges itself into the part of the operating system that manages USB flash drives, where it establishes a checksum, the exact purpose of which is unclear. The infection stops when this sum reaches the value 19790509. Symantec speculates that this is some sort of code. When read backward, the number could represent May 9, 1979, the day Habib Elghanian, a Jewish businessman, was executed in Tehran. Is this a coincidence? A provocation? Or a deliberately placed red herring?
It is still unclear how exactly the Israelis were able to get the virus into Natanz. In the jargon of computer experts, previously unknown security gaps like the hole in the Windows operating system are called zero-day exploits. Searching for these vulnerabilities is a combination of hacker challenge and business model. Knowledge is valuable, and there is a black market in which a previously unknown vulnerability can be worth $100,000 (€70,000) or more. Stuxnet exploits no fewer than four of these digital jewels.
’A Blue-and-White Operation’
Symantec manager Sam Angel believes that it is impossible to write a code like Stuxnet without having intimate knowledge of the Siemens system. “There is no black market for exploits involving Siemens software,” he says. “It’s not used widely enough.” How, then, did the Mossad acquire the information about the technology in use at Natanz?
It has been openly speculated that the Americans may have helped the Mossad. There is a US government research institution in Idaho where scientists study the Siemens control technology used in Iran; the basic research for Stuxnet could have taken place there. After that, the virus could have been tested at Israel’s nuclear research center near Dimona in the Negev Desert.
Israeli sources familiar with the background to the attack insist, however, that Stuxnet was a “blue-and-white operation,” a reference to Israel’s national colors — in other words, a purely Israeli operation. They believe that a secret elite unit of the military intelligence agency programmed a portion of the code, leaving the Mossad to do the rest. The Mossad was also apparently responsible for smuggling the virus into Natanz. The same sources claim that the Mossad tried to buy a cascade of centrifuges on the black market, without success. In the end, an Israeli arms manufacturer, with the help of foreign intelligence agencies, supposedly managed to build a model of Natanz where Stuxnet was tested.
The operation was ready to begin in the summer of 2009. The attackers unleashed Stuxnet at 4:31 p.m. on June 22, 2009. The attack targeted five Iranian organizations and was launched in three waves. After the first wave, a second strike took place in March 2010, dealing a heavy blow to the Iranians. The third wave followed in April. According to Symantec, the targets were not directly related to Iran’s nuclear program, but some of the target organizations were on United Nations sanctions lists. Some 12,000 computers were infected in the five organizations alone.
Stuxnet is programmed to delete itself from the USB flash drive after the third infection, presumably to prevent it from spreading explosively, which would have been noticed immediately. The goal of the cyber-weapon is to sabotage its targets in a sustainable, rather than spectacular, manner.
Another trick, which gives the virus the semblance of legality, shows how complex the design is. It involves digital certificates, which are issued on the Internet by companies that test the activity of a server or a program and certify that it is not malicious. If a program can show that it has such a certificate, then it is allowed access to a system. The Taiwanese firms Realtek Semiconductor and JMicron Technology are among the firms that issue such certificates.
In January 2010, a version of Stuxnet turned up that had been signed with a digital certificate from Realtek. This was followed, in July 2010, by a version signed with a JMicron certificate. Both certificates had been stolen. This theft alone is an operation that requires either a physical burglary at the headquarters of both companies, or the kind of hacker attack that very few programmers worldwide are capable of performing, because these certificates are additionally secured and encoded.
Only a State Could Produce Stuxnet
An analysis by a European intelligence agency classified as “secret,” which SPIEGEL has seen, states that it would have taken a programmer at least three years to develop Stuxnet, at a cost in the double-digit millions. Symantec, for its part, estimates that the tests in the model facility alone would have occupied five to 10 programmers for half a year. According to the intelligence analysis, “non-governmental actors” can be “virtually ruled out” as the inventors of Stuxnet. Members of Germany’s Federal Security Council, a government committee for defense issues whose meetings are secret, felt the same way when the council met in Berlin on Nov. 25, 2010.
Stuxnet shows what can happen when potent attackers are at work, said then Interior Minister Thomas de Maizière, who is now German defense minister. Anyone who is willing to invest that much money and resources, Maizière added, knows what he is doing. The council members agreed that a sovereign state had to be behind the virus.
De Maizière’s staff noted that 15 vulnerabilities are found in standard computer programs every day, and that tens of thousands of websites are infected worldwide on a daily basis. At the end of the meeting, the council decided to establish a national cyber defense center. “The experiences with the Stuxnet virus show that even key areas of industrial infrastructure are no longer safe against targeted IT attacks,” a government cabinet paper later stated.
The virus has fundamentally changed the way we look at digital attacks. The US government recently issued a new cyber war doctrine that defines a cyber-attack as a conventional act of war. The Stuxnet code, which is now accessible to the public, could inspire copycats, Roberta Stempfley of the US Department of Homeland Security warned last week.
Last year the British government adopted a new security strategy, for which it approved funding of 650 million pounds (€565 million or $1,070 million). The cyber world will become “more important in the conflict between nations,” Israeli Deputy Prime Minister Dan Meridor said in a speech in Jerusalem in February. “It is a new battleground, if you like, not with guns but with something else.”
Part 3: Success Comparable to Cracking Enigma
The Mossad views Stuxnet as a great success, comparable to the cracking of Germany’s Enigma cipher machine by the Poles and Britons in World War II. The Israeli military isn’t as euphoric. It argues that the fact that Stuxnet was discovered was a high price to pay, despite the setback it dealt to Iran’s mullah-led regime.
And it was a painful setback indeed. An Iranian IR-1 centrifuge normally spins at 1,064 hertz, or cycles per second. When the rotors began going haywire, they increased their frequency to 1,410 hertz for 15 minutes and then returned to their normal frequency. The virus took over control again 27 days later, but this time it slowed down the rotors to a frequency of a few hundred hertz for a full 50 minutes. The resulting excessive centrifugal force caused the aluminum tubes to expand, increasing the risk of parts coming into contact with one another and thereby destroying the centrifuges.
Six cascades containing 164 centrifuges each were reportedly destroyed in this manner. Authorities on the Iranian nuclear program, like David Albright of the Washington-based Institute for Science and International Security (ISIS), believe that Stuxnet destroyed about 1,000 centrifuges. Iran has admitted that its nuclear program was set back. According to Gholamreza Jalali, the head of Iran’s civil defense organization, the program suffered “potentially major damage.”
Former Mossad chief Dagan achieved his goal of sabotaging the nuclear program without triggering a new war in the Middle East. But Iran still has 8,000 other centrifuges, and the more modern, second-generation IR-2 centrifuges, which are equipped with carbon fiber rotors, can operate smoothly even at 1,400 hertz. They are not affected by the existing version of the sabotage software. The Mossad could be in need of a new virus soon. Using it would constitute the next round in a clandestine cyber war.
’People Had Never Seen Anything Like Stuxnet Before’
Two young Israelis who work indirectly for the government are sitting in one of Tel Aviv’s modern cafés. The men run a company that handles jobs for the Mossad and Shin Bet, the domestic intelligence agency. They smile and say that digital attack, not defense, is their discipline. They are part of a global hacker elite. According to rumors circulating in Jerusalem and Tel Aviv, the men did some of the groundwork for the Mossad in the development of Stuxnet.
“People had never seen anything like Stuxnet before, except in movies,” says one of the hackers. “Now they can see that it’s real.” His voice is filled with pride when he says: “In the small community of attackers, none of this was really new.” Almost all of the vulnerabilities had already been used in a past attack, the hacker says, but they had never been used at the same time. He explains that the real challenge in staging an attack with a virus like Stuxnet is to penetrate into a system that is not connected to the Internet.
What are the consequences of Stuxnet?
The two men are silent for a moment; they see things from the attacker’s perspective. “The discovery of Stuxnet was a serious blow to us,” one of them says. “We find it particularly upsetting, because a successful method was disclosed.”
The inventors of Stuxnet apparently had many more plans for their product. Symantec has since discovered another version of the Stuxnet virus, which contains even more complex code and is designed to target modern Siemens control technology, but which had not been activated yet. Stuxnet, say the people at Symantec, “is the type of threat we hope to never see again.”
That wish is unlikely to come true.