Israel tested Stuxnet worm, says report

New York Times cites strongest clues yet of Israel-U.S. involvement

The Stuxnet worm that disrupted Iran's ability to enrich uranium into bomb-grade nuclear fuel was jointly created by Israel and the U.S., the New York Times said Saturday.

Citing confidential sources, the U.S. newspaper claimed that Israel's covert nuclear facility at Dimona was used to test the worm's effectiveness on centrifuges like the ones Iran employs at its Natanz complex, which has been plagued by technical problems.

The Times also spelled out other clues it said "suggest[ed] that the virus was designed as an American-Israeli project to sabotage the Iranian program."

Stuxnet, which first came to light in June 2010 but may have been aimed at Iran as early as mid-2009, has been extensively analyzed by security researchers, most notably a three-man team at Symantec, and by Ralph Langner of the German firm Langner Communications GmbH.

According to both Symantec and Langner, Stuxnet was most likely designed to infiltrate Iran's nuclear enrichment program, hide in the Iranian SCADA (supervisory control and data acquisition) control systems that operate its facilities, then force gas centrifuge motors to spin at unsafe speeds. Gas centrifuges, which are used to enrich uranium, can fly apart if spun too fast.

Symantec's analysis gained credence last November after the International Atomic Energy Agency (IAEA), the United Nations' nuclear watchdog, reported that Iran had stopped feeding uranium hexafluoride gas to its centrifuges at Natanz for about a week. Speculation quickly focused on Stuxnet as the reason for the shutdown.

On Nov. 29, Iranian President Mahmoud Ahmadinejad admitted that a "limited" number of centrifuges had been affected by software he claimed had been installed by the country's enemies. It was the first time that an Iranian official had acknowledged the worm had struck its enrichment machinery.

Ahmadinejad has frequently blamed Israel and the U.S. for trying to destabilize his regime.

The New York Times' story amassed other circumstantial evidence that Stuxnet was a joint Israeli-U.S. creation.

According to the newspaper, Siemens -- the German maker of the SCADA systems purportedly used by Iran -- cooperated in 2008 with the Idaho National Laboratory (INL) to help experts there identify vulnerabilities in the control systems. The lab -- located about 30 miles east of Idaho Falls, Idaho -- is the U.S. Department of Energy's lead nuclear research facility.

Also in 2008, Siemens asked the Department of Homeland Security to conduct a security assessment on its popular PCS 7 control systems, a fact highlighted in a conference hosted by the INL and Siemens that year in Chicago.

Stuxnet targeted Siemens' PCS 7 control systems and its Step 7 software.

Israel, meanwhile, set up an unknown number of gas centrifuges at its top-secret Dimona complex, then tested Stuxnet on the machines and their control systems, according to the New York Times. The centrifuges were virtually identical to the ones used by Iran.

Dubbed "P-1" centrifuges because they were Pakistan's first-generation design, the machines are notoriously unpredictable, and often fail at rates much higher than more sophisticated designs. Iran's centrifuges are knock-offs of the P-1, and are usually identified as "IR-1" models.

But the Israelis, and perhaps the Americans at their own Oak Ridge National Laboratory in Tennessee, succeeded in getting several P-1 centrifuges up and running, the New York Times said. The publication cited an anonymous American expert in nuclear intelligence, who told the paper that the Israelis had used the P-1 centrifuges at Dimona to test Stuxnet's effectiveness.

An Israeli link to Stuxnet has been long suspected, both because Israel has been vocal about the danger posed by a nuclear-armed Iran and because of several obscure clues buried in the worm's code. Rather than launch a military strike, as it did against an unfinished Iraqi nuclear reactor in 1981, the scenario goes, the country decided to wage cyber warfare.

Other hints came from security researchers, who unanimously agreed that Stuxnet's complexity pointed to a state-sponsored project, probably one that involved a large team of programmers, SCADA experts and intelligence analysts.

Langner, who has spent months pulling the worm apart, said earlier this week that Stuxnet was a natural weapon for opponents of Iran's nuclear program to unsheathe.

"If any target would justify a full-blown cyberwar strike for the first time in history, those centrifuges certainly would," Langner said Jan. 10 on his blog, where he has spelled out his findings and speculations. Langner believes that Stuxnet's creators had access to what he called a "mockup test system" to try out their worm on actual centrifuges.

Although Stuxnet has apparently not crippled Iran's nuclear program, it seems to have seriously hindered it, perhaps more than some have thought. Just last week, for example, the outgoing head of Israel's Mossad intelligence service said setbacks meant Iran wouldn't be able to create a bomb before 2015.

Langner was more skeptical about Iran's chances of solving the problems created by Stuxnet.

"In the moment when they will have cleaned up all systems, a new dropper exploiting new Windows zero-day vulnerabilities will likely be underway already," Langner asserted last week, echoing research last September that said systems scrubbed of Stuxnet could be easily re-infected.

"The cyberwar nightmare for Tehran may have only just begun," said Langner.

Stories by Gregg Keizer
