The Malworm Attack on Iran’s Nuclear Program Was Planted by Hand
An Israeli general’s unprecedented loquacity was responsible for the release this week of unpublished details about the Stuxnet worm that ravaged Iran’s nuclear program in 2009-2010. His disclosures raised an uproar in US and Israeli intelligence and cyber warfare circles.
Maj. Gen. (res.) Professor Yitzhak Ben-Yisrael, a retired senior developer of combat measures for the Israeli defense establishment and the head of its civil cyber defense body, was responsible for breaking the consensus of silence over that episode in an address on June 9 before a Tel Aviv panel on cyber warfare and Israel’s innovations in the field.
The US and Israel have consistently treated their joint virus attack on Iran’s nuclear program computers as a taboo topic. All of a sudden, Prof. Ben-Yisrael’s audience was startled to hear him describing in detail how that operation was carried out:
“Since the Stuxnet attack on the centrifuges of the Iranian nuclear program, there have been three misapprehensions about how it was carried out,” he said.
“First, that cyber threats only affect data – in fact, Stuxnet damaged physical machinery and centrifuges in the nuclear reactor.
“Second, computers don’t just sit on the desk at the office or at home, but also [operate] cellular communications, traffic lights, power outages and more. Today, just about every mechanism is vulnerable. Also, the pipeline to an attack is not limited to the Internet – the control plant for the centrifuges in Iran was not connected to the net at all, neither internally nor, certainly, to the World Wide Web, yet it was still attacked.
That was possible by means of purchased hardware, updating software or planting a virus via a disc-on-key [known also as an “external flash drive”].
Prof. Ben-Yisrael broke a long-held US and Israeli taboo
Ben-Yisrael was the first military man to offer a precise description of the targets chosen for the Stuxnet attack and how it was accomplished, a process that until then had been shrouded in deep secrecy.
He made a number of revelations about its targets, the optional routes available for reaching them and the various methods of planting the virus.
DEBKA Weekly’s cyber warfare expert reports that the object of the Stuxnet operation was clearly to slow down nuclear activity. To this end, a careful study was made of the production stages in the process of uranium enrichment, in order to single out the critical element in the process, namely the PLCs (Programmable Logic Controllers), which manage the industrial mechanical components, such as pumps and compressors, as well as the motors.
It was calculated that a “smart” strike at these PLCs could disrupt the targeted production process while leaving hardly any trace leading back to its source.
Since Iran carefully protects its data and vulnerable security installations by refraining from linking them to the Internet, it became necessary to install the selected malware directly by a human agent.
The decision on how to plant Stuxnet in Iran’s nuclear production was predicated on two fundamental premises:
Two methods of planting malware were considered
One, that each stage of the nuclear process is closely supervised and carefully filmed and recorded.
Two, that the small group of engineers with physical access to the PLCs are loyal government servants and would be highly resistant to aiding in a sabotage operation.
As in any other Signals Intelligence (SIGINT) operation, the decision-making process is like “a tree” with many branches, the most important of which are the goal of the attack – the slowdown/crippling of Iran’s nuclear capacity – and the method – air strike, assassination of program personnel, covert sabotage of a link in the production chain, remote attacks, or the planting of malware by means of an external flash drive.
Ben-Yisrael disclosed two ways of sabotaging hardware without an Internet connection: a) through updating the software or b) by inserting a virus via an external flash drive:
a) Iran’s PLCs are manufactured by Siemens Germany and could be implanted with malware before they reach their destination. This operation would have required intimate knowledge of the German manufacturing plant and the logistics of its route of transportation to the Iranian nuclear reactor in Natanz.
This method had the advantage that the work of infecting the system with malware would be carried out in a friendly environment outside Iran, reducing the potential danger to the agents involved.
On the other hand, the window of opportunity was small and, furthermore, without knowing exactly which PLC would eventually control the Iranian reactor, the virus would have to be distributed among several points of the program, thereby increasing the chances of exposure.
Stuxnet was planted by means of an external flash drive
b) Planting the virus physically by means of an external flash drive after the PLCs are installed in the Iranian nuclear program.
This would necessitate putting an agent on the ground to insert the drive. Finding the right Iranian to perform this task would be difficult and take time. Most Iranian nuclear engineers are not allowed to leave the country, so recruiting and handling any of their number as an agent of sabotage would be too delicate and dangerous to be practical.
Nevertheless, Ben-Yisrael’s disclosures made it obvious to his audience, says DEBKA Weekly’s cyber expert, that US or Israeli intelligence, acting separately or together, opted for the recruitment of an agent to physically plant Stuxnet in Iran’s nuclear program.
An agent of this kind must be powerfully motivated by personal, religious, patriotic, ethnic or financial considerations to undertake this high risk. Or else he acts under duress or fear of some sort of personal exposure.
The right agent must have been qualified for the task he performed not just by motivation, but by his skills and familiarity with the targeted nuclear facilities. His mission was a success, but the risks entailed in the lone agent method are enormous. He may be caught, for one, or if he is a double agent, he may give the game away to the enemy and so betray his mission and its instigators.