Operation Olympic Games: In-Depth Incident and Threat Actor Analysis (a.k.a Stuxnet)

Alican Kiraz
Jul 29, 2024
Design by me

On a cloudy Saturday in Belarus, about 400 kilometers from Minsk, Sergey Ulasen was attending a friend’s wedding. If someone had told him that his name would be etched in the annals of history, he probably would not have believed it. Meanwhile, it was an ordinary sunny workday in Iran, and messages from a customer there were flooding in. The news he would receive that day would change his future, and the world’s, entirely. During his tenure at VirusBlokAda, Sergey worked on software development, threat analysis, technical consulting, and advanced malware analysis. The spark that set off the chain of events that would alter lives worldwide, directly or indirectly, was a technical support notification about arbitrary BSODs and spontaneous reboots on the customer’s computers. The notification included preliminary screening reports intended to catch abnormal events. His first thought was that their own software was conflicting with the operating system, or that something was misconfigured.

Sergey Ulasen | Source: https://eugene.kaspersky.com/

Let’s pause here and take a look at what arbitrary BSOD, malware, and antivirus are.

  • An ‘Arbitrary BSOD’ or Blue Screen of Death typically refers to an error state that occurs randomly and unexpectedly in a computer system. BSOD is associated with the blue screen displayed by Windows operating systems when a critical system error or failure occurs. This condition is often caused by hardware issues, driver conflicts, faulty software, or system security problems.
  • Malware and antivirus: ‘Malware’ is a shorthand for ‘malicious software.’ This term refers to software designed to harm computers, steal users’ private information, misuse system resources, or perform other malicious actions. Types of malware include viruses, trojans, spyware, adware, ransomware, and worms.
  • Antivirus software is specialized software designed to protect computers against malware. These programs aim to detect, stop, and eliminate any malicious software that could harm the computer or compromise the user’s privacy. They provide functions such as real-time protection, regular scans, quarantining suspicious files and programs, removing malicious software, and managing security updates. For more details, please refer to my Security+ cybersecurity certification training.

Returning to the story, Sergey recommended that the technical support personnel gather as much information as possible about the installed applications. His suspicions were aroused, however, when he learned that many other computers on the customer’s network exhibited the same anomalies, including machines with freshly installed Windows. At that point he became certain that malicious software was involved. And since the existing detection systems had failed to identify it, he understood that it must be advanced malware, possibly even a rootkit. A rootkit is malicious software designed to hide its own presence (and often that of other malware) on a system while retaining privileged, “root”-level access; attackers use rootkits to bypass a system’s normal security mechanisms and keep control of it. Stuxnet did in fact carry a kernel-mode rootkit driver that hid its files.

Source: https://us.norton.com/blog/malware/rootkit

Fortunately, the technical employee who reported the incident was an experienced security expert and a close friend of Sergey. Since he couldn’t resolve the issue himself, he began persistently reaching out to Sergey. After a long exchange of messages during the wedding, they realized that they couldn’t solve the problem over the phone and decided to postpone the investigation until Monday.

On Monday afternoon, they managed to remotely access the infected computer with some difficulty. After considerable effort, they found the malware and began to uncover its hidden nature, strange payload, and propagation techniques. During this period, on July 12, 2010, Sergey shared a sample of the malware on Wilders Security Forums. And then, everything erupted…

Source: Wilders Security Forums

Stuxnet is a highly complex and sophisticated cyber weapon discovered in 2010, built specifically to attack industrial control systems. It was designed to target the Siemens SCADA/Step 7 software and Siemens PLCs (Programmable Logic Controllers) that ran Iran’s Natanz uranium enrichment facility. Stuxnet infects Windows systems and spreads through networks and via USB drives by exploiting four zero-day vulnerabilities. Once on the right PLC, it manipulates the centrifuges under its control, altering their rotation speed to cause physical damage while feeding the operators recorded data that indicates normal operating conditions.

Stuxnet is significant because it highlights the role of state-sponsored actors in targeted cyber attacks, increases awareness of the seriousness of cyber threats to critical infrastructure, and demonstrates the potential of cyber warfare as a tool. This incident is considered a turning point in cybersecurity and has led to significant changes in international security policies.

Source: IAEA

In this section, I aim to present what I believe to be the most comprehensive documentary video on Stuxnet, based on nearly all published reputable articles, documentaries, and interviews.

Let’s turn back the clock and go to the starting point of these events. In fact, let’s go even further back; Iran wasn’t always an enemy to the US, Israel, and Western states as it is today. During the reign of Shah Mohammad Reza Pahlavi, Iran was of great geopolitical and economic importance to the United States within the context of the Cold War. During this period, Iran stood out as a strategic ally for the US in the Middle East. The Shah pursued a pro-Western policy that supported US regional interests and acted as a buffer zone against Soviet influence. As an oil-rich country, Iran was also critically important to the US for energy security.

Source: US Archives

However, this relationship also increased discontent towards the US and opposition to the Shah’s regime among some segments in the region. The 1979 Iranian Islamic Revolution was seen as a result of these dynamics, marking the beginning of a profound transformation in US-Iran relations. Everything became chaotic, and friends turned into arch-enemies. But there was a part that was often overlooked — the Atoms for Peace program.

The ‘Atoms for Peace’ program was an initiative launched by US President Dwight D. Eisenhower in 1953 to promote the peaceful use of nuclear energy. Under this program, the US provided nuclear technology and training assistance to countries like Iran. The assistance to Iran was formalized with an agreement signed between Iran and the US in 1957, which marked the beginning of Iran’s nuclear energy endeavors. As part of the program, Iran received nuclear reactors, uranium enrichment technology, and support for education and research in nuclear sciences.

Source: US Archives

A key component of this program was the establishment of a research reactor at the University of Tehran, the training of Iranian scientists in the US, and the development of nuclear infrastructure. This assistance significantly enhanced Iran’s nuclear knowledge and capacity, laying the foundation for the country to become self-reliant in the field of nuclear energy. The ‘Atoms for Peace’ program aimed to reinforce US global nuclear leadership and control the spread of nuclear technology during the Cold War. It also served as a tool to establish strategic relationships with countries like Iran and integrate them into the Western bloc.

This program symbolized the beginning of Iran’s nuclear history and prepared the groundwork for future nuclear developments.

Source: US Archives

Thus, when the government in Iran changed hands, nuclear power was handed to them on a silver platter. However, the 1979 Iranian Revolution profoundly impacted the ‘Atoms for Peace’ program and the country’s nuclear development. This revolution resulted in the overthrow of the Shah and the establishment of the Islamic Republic, fundamentally altering Iran’s relations with the US and other Western countries.

Before the revolution, Iran had taken significant steps in nuclear energy with US support and had plans to construct several nuclear reactors. After the revolution, these projects were largely halted, Western experts left the country, and nuclear cooperation with the US ended. The political and ideological changes brought by the revolution also shifted the direction of Iran’s nuclear program. During the early years of the Islamic Republic, the nuclear program was largely neglected, and many projects were halted.

Natanz Facilities | Source: US News

However, by the late 1980s, particularly after the Iran-Iraq War, Iran began to revive its nuclear program. During this period, Iran sought to acquire nuclear technology and knowledge through new international partners like Russia and China. By the early 1990s, under the presidency of Akbar Hashemi Rafsanjani, Iran’s nuclear program became more pronounced, and uranium enrichment activities began. These efforts continued under the presidency of Mohammad Khatami in the early 2000s and gained significant momentum during Mahmoud Ahmadinejad’s presidency, especially after 2005.

During this period, Iran constructed uranium enrichment facilities in Natanz and Fordow and developed heavy water reactor projects in Arak. Iran’s nuclear activities during this time raised significant concerns in the international community and increased suspicions that the country was covertly developing nuclear weapons. These suspicions led to a series of sanctions by the UN Security Council and extensive international negotiations. Although Iran consistently denied allegations of developing nuclear weapons, there were serious questions about the military dimensions of its program.

Akbar Hashemi Rafsanjani

Therefore, opposing states needed to develop a solution. The first voices started rising from Israel. In 2005, advancements in Iran’s nuclear program triggered sharp reactions from Israel. Israel perceived Iran’s nuclear program as a direct threat and continuously warned that Iran’s potential acquisition of nuclear weapons capability would endanger regional and global security balances. The Israeli government frequently raised concerns about Iran’s nuclear activities to the international community, particularly to its Western allies, and pressured the limitation and monitoring of these activities.

Israel’s concerns ranged from stern and threatening statements to discussing potential military intervention scenarios targeting Iran’s nuclear facilities. Israel played a significant role in convincing its allies, such as the US and the European Union, to adopt a tougher stance against Iran and implement more effective sanctions. During this period, Israeli intelligence services gathered critical information about Iran’s nuclear program and shared this information with the international community to amplify their influence. Meanwhile, Iran was trying to conceal its program.

Benjamin Netanyahu, UN

Iran employed various tactics to conceal critical aspects of its program. These included keeping the locations of nuclear facilities secret, constructing underground facilities (such as the Fordow uranium enrichment facility), and providing limited access to inspections by the International Atomic Energy Agency (IAEA). Iran often delayed providing information during inspections, offered vague or misleading details, and restricted access to certain sites. Additionally, Iran tried to allay suspicions by portraying its nuclear activities as part of a civilian nuclear energy program rather than for military purposes.

Suspicions regarding the military dimensions of Iran’s nuclear program were particularly focused on activities at the Natanz and Arak facilities. During Ahmadinejad’s presidency, Iran also engaged in diplomatic maneuvers to reduce international pressure on its nuclear program.

Tensions between the two sides escalated, as has often been the case throughout history, with the activities of intelligence agencies. A series of assassinations and covert operations associated with Iran’s nuclear program were frequently reported to be linked to Israel’s Mossad intelligence agency, although the Israeli government did not officially accept responsibility or confirm these allegations.

Masoud Ali Mohammadi | Source: The Irish Sun

During this period, several assassinations targeted prominent Iranian nuclear scientists. For example, in 2010, Masoud Ali Mohammadi was killed in a bomb attack in Tehran. Following this, other significant nuclear scientists like Majid Shahriari and Darioush Rezaeinejad were similarly targeted in 2010 and 2011. These assassinations were often carried out using car bombs and motorcycle-riding assailants. The Iranian government accused Israel, and in some cases the United States, of being behind these assassinations.

However, these assassinations were not sufficient to disrupt the program. Consequently, a different approach was sought, reportedly initiated as early as 2005. This approach involved developing a malicious software that laid the foundation for cyber warfare.

So far, we’ve covered many points. Let’s first clarify some questions and terms that might come to mind. First, consider this: with the inventory and experts left over from the Shah’s era and the support of Russia and China, a new structure began to take shape. But how was such a massive facility constructed from the start? The answer involves a series of cunning covert operations

Natanz | Source : Institute for Science and International Security

While constructing nuclear facilities, Iran claimed they were building irrigation systems, and the above-ground structures resembled this. However, the military equipment and anti-aircraft installations around the site gave it away, attracting attention and being tracked by various satellite observations. Once the facility was completed, they made another significant mistake: propaganda. Videos filmed at the site and media coverage proudly showcased all the critical details, which were then analyzed meticulously by Israeli and American intelligence agencies. The level of scrutiny was so intense that Iran practically handed over all the vital information about its nuclear program on a silver platter, leading to significant setbacks for their efforts.

SCADA Screen | Source: PressTv
SCADA Screen | Source: Iran News

Returning to our questions, another aspect to consider is whether Iran has ever been inspected. First, we need to understand this: when a country begins a nuclear program, the monitoring and inspection of this program are typically conducted by the International Atomic Energy Agency (IAEA). The IAEA’s mission, within the framework of the Nuclear Non-Proliferation Treaty (NPT) and other international agreements, is to promote the peaceful use of nuclear energy and prevent the proliferation of nuclear weapons.

When a country starts its nuclear program, it must sign a Safeguards Agreement with the IAEA, under which it opens its nuclear facilities and materials to IAEA inspections. The IAEA conducts regular inspections at these facilities, checks nuclear material inventories, and prepares reports on nuclear activities. These inspections are conducted to ensure that nuclear materials are not used for purposes other than peaceful ones. The agency uses advanced surveillance technologies, satellite imagery, and various analytical techniques to monitor nuclear activities. Additionally, countries have obligations to provide information about their nuclear activities, which the IAEA reviews.

If suspicious activities are detected in a country’s nuclear program, the IAEA reports this to member states and the international community. This process is crucial for ensuring the peaceful use of nuclear technology and preventing the proliferation of nuclear weapons. The IAEA’s roles are vital for global nuclear security and stability, aiming to ensure the responsible use of nuclear energy and the prevention of nuclear weapons proliferation.

IAEA vs Iran | Source : https://www.tehrantimes.com/

So, how was it that nuclear material used in nuclear weapons was not detected in a facility monitored 24/7 with reports being reviewed?

There are significant differences between the nuclear materials used in weapons and those used for energy production, above all in the enrichment level of the uranium or the isotopic composition of the plutonium. Uranium used in power reactors is low-enriched uranium (LEU), with a uranium-235 content of around 3–5%, which is sufficient to generate energy in a reactor. Weapons use highly enriched uranium (HEU): anything at 20% U-235 or above counts as HEU, and weapons-grade material is enriched to around 90%, the level needed to reach critical mass in a practical weapon and sustain a fast nuclear chain reaction.

Source : https://www.nuclear-power.com/

Similarly, there is a distinction in the use of plutonium; the plutonium used for nuclear energy comes from reactors and has a different mixture of isotopes, whereas weapon-grade plutonium is of higher purity with specific isotope ratios. Despite the continuous monitoring and review, detecting such materials can be challenging due to the technical sophistication and the measures taken to conceal the true nature of the enrichment processes.

In terms of production processes, uranium enrichment for nuclear energy is typically done using centrifuges and is limited to a specific enrichment level. For nuclear weapons production, however, a much higher enrichment level is required, and this process is more complex and technically challenging.

Ahmedinejad, Natanz | Source : The Times of Israel

So, how did Iran acquire and establish this advanced structure for fuel production?

Iran claimed to have obtained the equipment on the black market, but the centrifuge design visible in the photographs, and the support of the Pakistani nuclear scientist Dr. Abdul Qadeer Khan, who had built up Pakistan’s own nuclear program, were identified. Delving into the details:

Dr. Abdul Qadeer Khan | Source: The Express Tribune

Claims that Pakistan, and particularly Dr. Abdul Qadeer Khan, widely called the father of Pakistan’s nuclear bomb, helped Iran with its nuclear program have resonated widely in the international community. Dr. Khan was also accused of running a global nuclear proliferation network through which he transferred nuclear technology and know-how to Iran, North Korea, and Libya. After the network was exposed in the early 2000s, it emerged that parts of Iran’s program came from it: in particular, the designs and components of the centrifuges used in Iran’s enrichment effort. This assistance significantly boosted Iran’s uranium enrichment capacity and accelerated the progress of its program.

IR-Series, Iran Nuclear Centrifuges | Source: Israel

Now let’s return to our malware;

After the samples were shared, experts began analyzing the malware. During the time before Sergey shared the sample, this malware had already been detected by the detection labs of Symantec and Kaspersky. At Symantec, Eric Chien and Liam O’Murchu, and at Kaspersky, in the Woodpecker room, the malware was examined.

From the interviews with Eric Chien and Liam O’Murchu in the Zero Day documentary and their articles, we learn that when they first analyzed the malware, they noticed the code was very long and contained no bugs. Every part of the code was precisely crafted, neither lacking nor excessive. By the end of the first month of their analysis, they discovered that the malware contained four zero-day exploits. These exploits are incredibly valuable, with an estimated worth of at least $500,000 on the black market.

Malware is often named after strings that occur in its code or file names. Symantec’s analysts took the name from two keywords found in the sample: the “.stub” section and the driver file name “MrxNet.sys”. Hence “Stuxnet”, and our story is just beginning.

Stuxnet Diagram | Source: https://sciencedirect.com/

When Stuxnet was first analyzed, it was evident that it had a complex structure and employed various tactics to evade security software that relied on behavioral analysis. One of the most striking features was its use of digital signatures. Stuxnet’s kernel-mode drivers were signed with code-signing certificates, or more precisely with the private keys behind them, stolen from two reputable Taiwanese hardware companies, Realtek and JMicron. A validly signed driver loads without the warnings Windows would otherwise raise (and on 64-bit Windows an unsigned kernel driver does not load at all), and antivirus software gives signed code from a known vendor far less scrutiny, so the stolen signatures let Stuxnet pass as legitimate software on the targeted systems. The Realtek-signed driver was seen first; after VeriSign revoked that certificate in mid-July 2010, a variant of the driver signed with JMicron’s certificate appeared within days.

Stealing a code-signing certificate really means stealing the private key that goes with it; the attackers did not need to breach a Certificate Authority (CA) at all. What they needed was access to each company’s signing key, which would have required getting into the company’s internal network or the signing host itself, through some combination of network intrusion, malware deployment, phishing, or physical access.

Stuxnet and stolen certificates | Source: Securelist

Let’s pause here for a moment!

First, let’s take a look at how digital certificates and signing keys work. A digital certificate is an electronic document issued by a trusted third party, a Certificate Authority (CA), that binds an identity (a person, company, or device) to a public key. Certificates rest on asymmetric (public-key) cryptography: each holder has a key pair, a public key that anyone may have and a private key that must stay secret. The certificate itself is public; the private key is the part that needs protecting.

Source : Securitywing

When a developer signs an application (or a driver), they hash the file and sign that hash with their private key. Anyone who obtains the file can verify the signature with the public key in the developer’s certificate, which confirms both the file’s integrity and its origin. Since the certificate is public, what must be guarded is the private key, which is normally kept in a hardware security module or on a dedicated, often air-gapped, signing machine. You might recall this from the digital certification process depicted in the show Mr. Robot.
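To make the trust model concrete, here is an added example (not code from the original article, and not how Windows Authenticode is implemented): a toy textbook-RSA signer and a verifier that does what a driver loader does, checking the issuer, the revocation list and then the signature. The vendor, CA and driver bytes are constructed placeholders. It shows the point that matters for Stuxnet: a valid signature only proves that whoever signed held the private key, so a stolen key produces signatures that are indistinguishable from the vendor’s own until the certificate is revoked.

```python
import hashlib
import math
import random

# Toy textbook RSA (no padding, small keys): enough to show the trust model, never for real use.

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). n must exceed 2**256 so a SHA-256 digest fits below it."""
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def sign(private_key, data: bytes) -> int:
    """Hash the file and sign the digest with the private key."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == digest

def validate_driver(driver: bytes, signature: int, cert: dict, trust_store: set, revoked: set) -> str:
    """What a loader does: chain (here just the issuer), revocation, then the signature itself."""
    if cert["issuer"] not in trust_store:
        return "untrusted_issuer"
    if cert["serial"] in revoked:
        return "revoked"
    if not verify(cert["public_key"], driver, signature):
        return "bad_signature"
    return "valid"

def demo() -> dict:
    """Four scenarios: vendor signs, thief signs with the stolen key, forger without the key, post-revocation."""
    ca = "Example Root CA (hypothetical)"
    trust_store, revoked = {ca}, set()
    vendor_pub, vendor_priv = generate_keypair()
    vendor_cert = {"subject": "Example Hardware Ltd (hypothetical)", "issuer": ca,
                   "serial": 1001, "public_key": vendor_pub}
    legit_driver = b"legitimate NIC driver image (constructed)"
    rootkit_driver = b"malicious kernel driver image (constructed)"
    results = {}
    results["vendor_signs_own_driver"] = validate_driver(
        legit_driver, sign(vendor_priv, legit_driver), vendor_cert, trust_store, revoked)
    # Attacker holding the stolen private key: the loader cannot tell this apart from the vendor.
    results["stolen_key_signs_rootkit"] = validate_driver(
        rootkit_driver, sign(vendor_priv, rootkit_driver), vendor_cert, trust_store, revoked)
    # Attacker without the key: a signature from any other key fails against the vendor's certificate.
    _, other_priv = generate_keypair()
    results["forged_without_key"] = validate_driver(
        rootkit_driver, sign(other_priv, rootkit_driver), vendor_cert, trust_store, revoked)
    # Only revocation stops the stolen key, and only on machines that actually check revocation.
    revoked.add(vendor_cert["serial"])
    results["after_revocation"] = validate_driver(
        rootkit_driver, sign(vendor_priv, rootkit_driver), vendor_cert, trust_store, revoked)
    return results

if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {outcome}")
```

Real Authenticode validation additionally checks the full certificate chain, the code-signing extended key usage, and timestamp countersignatures; a driver signed before the revocation date can remain acceptable if it carries a trusted timestamp, and a machine that cannot reach the CA’s revocation service may skip the check entirely, which is why revoking Realtek’s certificate did not by itself neutralise the already-deployed drivers.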

Given how these keys are normally protected, a remote breach that yields both companies’ signing keys is improbable. The second clue is that the two companies whose keys were stolen, Realtek and JMicron, were located in the same building within the Hsinchu Science and Industrial Park. This coincidence suggests a physical operation, and considering physical operations, Israel’s Mossad, known for its expertise in such missions, is a likely suspect.

Hsinchu Science and Industrial Park

As the experts continued to analyze the code, they noticed the presence of the word ‘Siemens.’ Finding malware that specifically targets or mentions Siemens is highly unusual, especially with such a sophisticated piece of malware. Further analysis revealed that the target was indeed Siemens-brand PLCs (Programmable Logic Controllers).

This discovery was significant because it indicated a highly targeted attack. PLCs are crucial components in industrial control systems, and the fact that Siemens PLCs were specifically targeted suggested that the malware was designed to disrupt or manipulate critical infrastructure. This level of specificity and sophistication pointed to a well-funded and highly skilled group of attackers with access to considerable resources and knowledge of industrial control systems.

So, what is a PLC?

In SCADA (Supervisory Control and Data Acquisition) systems, a PLC (Programmable Logic Controller) is a crucial component used in industrial control systems.

PLC & Stuxnet | Source : Space & Cybersecurity Info

A PLC is a ruggedized industrial computer designed to automate processes such as factory lines, energy distribution, and water and wastewater treatment. It reads electrical signals from sensors and switches, evaluates them according to programmed logic, and drives output signals that control motors, valves and other machinery.

These devices are designed to offer flexibility, durability, and reliability, and they can operate in harsh industrial environments. Due to their customizable programming capabilities, PLCs can be easily configured and modified to meet the specific needs of an industrial process. When integrated with SCADA systems, PLCs perform functions such as remote monitoring and control, as well as data collection and analysis of process data. This integration allows industrial facilities and infrastructure to be managed more efficiently, safely, and automatically.

This led them to suspect that the real targets were factories and SCADA systems. Stuxnet was also highly selective: on every machine it ran a series of checks and did nothing further if any of them failed. Telemetry showed the infection had spread almost worldwide, which alarmed the analysts further, yet the infected machines showed no malicious activity at all, raising the suspicion that it might be a logic bomb.

An Unprecedented Look at Stuxnet, the World’s First Digital Weapon | WIRED

A logic bomb is a type of malicious software embedded in a computer program or system that triggers harmful activities when a specific condition is met, such as a particular date, event, or user action. This malware is usually hidden within seemingly normal software and activates when the predetermined condition occurs. The actions performed by a logic bomb upon activation can vary, including deleting data, disrupting systems, encrypting data, or downloading other malicious software.

As they continued to analyze the telemetry from infected machines, they noticed that the highest concentration of infections was in Iran. They knew that no attack of this scale had been launched against Iran before. Looking at current events, they saw explosions in oil pipelines entering and leaving Iran and assassinations of Iranian nuclear researchers, which made the analysts even more uneasy. Despite their fears, they published all their findings throughout that summer.

In November 2010, a Dutch Profibus expert who had read the articles pointed out that one of the values in the code was a Profibus device identification number. On re-examination, the team identified two such identifiers, 7050h and 9500h. 7050h corresponds to frequency converter drives made by Fararo Paya, an Iranian company, and 9500h to drives made by Vacon of Finland. Since one of the two vendors is Iranian, the target was almost certainly an Iranian facility. Further research showed that frequency converters producing the output frequencies Stuxnet looked for (above 600 Hz) are export-controlled in the United States by the Nuclear Regulatory Commission, confirming that the equipment in question is the kind used in uranium enrichment.
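The selective behaviour described above and the two Profibus identifiers are the heart of Stuxnet’s targeting. The following is an added example, not code from the article or from the malware: a defender-side model of the fingerprint that gates the attack, written as an inventory parser plus a profile check. The 7050h/9500h identifiers come from the page; the thresholds (at least 33 matching drives, an operating window of 807–1210 Hz, an S7-315-2 or S7-417 CPU with a CP 342-5 Profibus module) are those documented in Symantec’s W32.Stuxnet Dossier, combined here into a single simplified check. The inventory text format and all plant data are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Profibus device identification numbers named in the article.
PROFIBUS_ID_FARARO_PAYA = 0x7050   # Iranian drive vendor
PROFIBUS_ID_VACON = 0x9500         # Finnish drive vendor
TARGET_DRIVE_IDS = {PROFIBUS_ID_FARARO_PAYA, PROFIBUS_ID_VACON}

# Thresholds documented in Symantec's W32.Stuxnet Dossier (simplified into one check here).
MIN_TARGET_DRIVES = 33
FREQ_WINDOW_HZ = (807.0, 1210.0)
TARGET_CPUS = {"S7-315-2", "S7-417"}


@dataclass
class Drive:
    profibus_id: int
    output_hz: float


@dataclass
class PlcInventory:
    cpu_model: str
    profibus_cards: int      # number of CP 342-5 modules
    drives: List[Drive]


def parse_inventory(text: str) -> PlcInventory:
    """Parse the constructed inventory format:
       cpu <model> | cp342-5 <count> | drive <hex profibus id> <output hz> | # comment"""
    cpu, cards, drives = "", 0, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "cpu":
            cpu = parts[1]
        elif parts[0] == "cp342-5":
            cards = int(parts[1])
        elif parts[0] == "drive":
            drives.append(Drive(int(parts[1], 16), float(parts[2])))
        else:
            raise ValueError(f"unknown inventory record: {line!r}")
    return PlcInventory(cpu, cards, drives)


def matches_target_profile(inv: PlcInventory) -> Tuple[bool, List[str]]:
    """Return (matches, reasons). An empty reason list means every gate passed,
    i.e. this plant looks like the one Stuxnet was built for."""
    reasons = []
    if inv.cpu_model not in TARGET_CPUS:
        reasons.append(f"CPU {inv.cpu_model or '?'} is not an S7-315-2 or S7-417")
    if inv.profibus_cards < 1:
        reasons.append("no CP 342-5 Profibus module")
    eligible = [d for d in inv.drives if d.profibus_id in TARGET_DRIVE_IDS]
    lo, hi = FREQ_WINDOW_HZ
    in_window = [d for d in eligible if lo <= d.output_hz <= hi]
    if len(in_window) < MIN_TARGET_DRIVES:
        reasons.append(f"{len(in_window)} Vacon/Fararo Paya drives in the "
                       f"{lo:.0f}-{hi:.0f} Hz window, need {MIN_TARGET_DRIVES}")
    return (not reasons, reasons)


# Constructed plants. Drive lines are generated rather than written out 35 times.
ENRICHMENT_LIKE = "cpu S7-315-2\ncp342-5 1\n" + "".join(
    f"drive 0x9500 {1064 + (i % 3)}\n" for i in range(35))
TOO_FEW_DRIVES = "cpu S7-315-2\ncp342-5 1\n" + "".join("drive 0x7050 1064\n" for _ in range(10))
WRONG_SPEED = "cpu S7-315-2\ncp342-5 1\n" + "".join("drive 0x7050 50\n" for _ in range(40))
UNRELATED_PLANT = "cpu S7-314\ncp342-5 0\n" + "".join("drive 0x1234 1100\n" for _ in range(40))

if __name__ == "__main__":
    for name, text in [("enrichment-like", ENRICHMENT_LIKE), ("too few drives", TOO_FEW_DRIVES),
                       ("wrong speed", WRONG_SPEED), ("unrelated plant", UNRELATED_PLANT)]:
        armed, why = matches_target_profile(parse_inventory(text))
        print(f"{name:16s} armed={armed} {why}")
```

The point for a defender is the inverse use: the same fingerprint, run against your own asset inventory, tells you whether a plant matches a known targeting profile, and it explains why the malware was inert on the overwhelming majority of the machines it infected.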

“The World’s First Cyber Weapon” — Stuxnet | Sean Xie

Let’s return to the facility and take a closer look at the PLC devices and centrifuge structure. Centrifuge machines used in the production of highly enriched uranium, which serves as the fuel for nuclear weapons, are extremely precise devices that separate uranium isotopes using rotational motion. In Iran’s nuclear program, these machines separate uranium-235 (U-235) isotopes, which are about 0.7% of natural uranium, from the heavier uranium-238 (U-238) isotopes.

https://autocarescarcesa.net/

This process involves spinning uranium hexafluoride gas (UF6) at high speeds within a centrifuge. As the centrifuge spins, the heavier U-238 isotopes are pushed towards the outer edge of the centrifuge, while the lighter U-235 isotopes accumulate closer to the center. This separation process is repeated in a cascade arrangement, where multiple centrifuges are interconnected. With each pass, the proportion of U-235 increases slightly. For nuclear power plants, low-enriched uranium (LEU) containing about 3–5% U-235 is sufficient, whereas highly enriched uranium (HEU) used for nuclear weapons requires U-235 concentrations of 90% or higher.

Source : RFE/RL

The precise and efficient operation of centrifuge machines necessitates advanced materials and technology. The production and operation of centrifuges involve technical challenges and high costs. Additionally, the use and manufacture of these devices are strictly regulated by international agreements and organizations, such as the Nuclear Non-Proliferation Treaty (NPT) and the International Atomic Energy Agency (IAEA). These regulations are designed to ensure that such sensitive technology is not misused for the production of nuclear weapons.

The centrifuge machines are managed by Programmable Logic Controllers (PLCs) for automated and precise control. PLCs are industrial computer systems that oversee every stage of this complex process. They continuously monitor and control critical parameters such as the rotation speed of the centrifuges, gas flow, temperature, and pressure. These devices make the necessary adjustments to ensure the effective and safe operation of the centrifuges.

The working principle of a PLC involves collecting data from sensors and other input devices, processing this data according to a predefined program or algorithm, and producing output signals based on this processing. The output signals activate the centrifuges’ motors, valves, and other control mechanisms. In this way, the PLC ensures optimal performance and safety throughout all stages of the process.

Homeland Security Affairs

The programmability of PLCs provides flexibility for different centrifuge models and enrichment requirements. Additionally, these devices continuously provide feedback on the overall status of the centrifuge facility, allowing for the rapid detection and intervention of any potential faults or abnormalities. With advanced network connectivity, facility operators can monitor the entire process from a central control room and intervene when necessary. The use of this technology significantly enhances the efficiency and safety of the nuclear fuel enrichment process while also ensuring automation and precise control.

Looking at the characteristics of the centrifuges used, they reflect their highly precise and complex nature. These centrifuges separate uranium isotopes, specifically uranium-235 (U-235) from uranium-238 (U-238). Uranium hexafluoride (UF6) is fed into the centrifuge as a gas, and the rotor spins it at extremely high speed, separating the lighter U-235 from the heavier U-238. The rotors spin at tens of thousands of revolutions per minute (the roughly 1,000 Hz operating frequency of Iran’s IR-1 design corresponds to about 60,000 rpm), and the higher the speed, the more efficient the separation.

Iran’s Centrifuges | Source : The Iran Primer

Centrifuges are typically long, thin cylinders made from advanced materials such as carbon fiber composites or maraging steel. These materials are chosen for their ability to withstand the extreme centrifugal forces generated at high speeds. The devices are also precisely designed to minimize vibration and external influences, and their internal structure is optimized for effective circulation of the gas and separation of the isotopes.

Centrifuges typically operate in a connected cascade arrangement. This setup allows the separation achieved in one centrifuge to be passed on to the next, progressively increasing the enrichment level of the uranium at each stage. For the production of highly enriched uranium (HEU), this process is repeated many times. The cascade arrangement of the centrifuges enhances the efficiency of the separation process and the purity of the product while reducing the energy consumption of the process.

Upon learning the make and model of the PLC devices, the team procured the relevant devices and conducted small-scale programming tests. When they introduced Stuxnet, the devices began to behave erratically, demonstrating the malware’s impact.

The question then arises: who could have orchestrated such a terrifyingly sophisticated plan?

In our story, we previously mentioned that Iran’s nuclear program, strengthened by Dr. Khan’s support, was not deterred by assassinations or threats. As a result, Israel made a decisive move to bomb the facility. The USA, on the other hand, found itself in a difficult position. Having already invaded Iraq under the pretext of stopping weapons of mass destruction, which ultimately were never found, the US public was highly critical of the Bush administration. Therefore, the US was reluctant to take similar action against Iran.

A.Q. Khan’s Nuclear Mafia: Network of Death on Trial — DER SPIEGEL

Israel, meanwhile, increased its rhetoric against Iran, finally revealing its bombing plan to the US, causing significant tension. The Americans saw Israel’s tactic as a maneuver to drag the US into another war, and they firmly refused to support it. The situation left Israel in a precarious position, seeking alternatives to a direct military strike while the US sought to avoid another conflict in the Middle East.

Therefore, based on the propaganda Iran released and the data obtained from Iran’s nuclear agenda, they decided to deploy an incredible piece of malware for that period.

Returning to the analysis of the malware: During their examination, researchers noticed that the malware kept a log file at each stage of infection. One of the strangest aspects was that the movements of the malware from one machine to another were recorded in these logs. The researchers collected all these samples and tried to trace them back to the source. They managed to track it down to the first five infected machines, all of which were located within Iran. Furthermore, these machines belonged to industrial companies that produced components for the Natanz facility, indicating that they were contractors working for Natanz.

Natanz

This revelation showed that the malware was not only sophisticated but also precisely targeted. The careful logging and spread patterns suggested that the attackers had a deep understanding of the target infrastructure and its supply chain. This level of detail pointed to a highly coordinated effort to sabotage Iran’s nuclear program by attacking its most critical and sensitive components indirectly through its contractors.

Source : Securelist

This leads us to understand that Stuxnet was not randomly released onto global internet networks; it was a targeted attack. However, something went wrong, and it spread worldwide. The question arises: why was the worm functionality of such an advanced piece of malware, with sophisticated payloads and zero-day exploits, written incorrectly?

More importantly, why did this software cause errors that shut down or restarted ordinary machines?

This is where the revelations from Alex Gibney’s 2016 documentary ‘Zero Days’ and information from David Sanger’s book come into play.

According to the obtained information, the development of the software and the discovery of the zero-day exploits were actually carried out by the NSA’s TAO team. The NSA (National Security Agency) is a U.S. government organization responsible for signal intelligence (SIGINT) and information security activities. The NSA’s primary tasks include collecting, analyzing, and producing intelligence from foreign communications and signals, as well as protecting the U.S. government’s communications and information systems. TAO (Tailored Access Operations) is a specialized unit within the NSA focused on cyber intelligence and is often described as the NSA’s ‘cyber warfare’ arm. TAO’s mission involves conducting advanced cyber intelligence collection and computer network exploitation operations, particularly targeting high-value entities.

In the realm of cybersecurity, these intricate operations and intelligence strategies are akin to developing a sophisticated AI-driven military drone. Just as you meticulously design and equip drones to adapt and excel in diverse environments, the NSA’s TAO team employs advanced techniques and tools to penetrate and gather intelligence from high-value targets. Both endeavors require a deep understanding of the target environment, precision, and the ability to adapt to unforeseen challenges.

NSA’s TAO Unit Introduces Itself — DER SPIEGEL

This unit develops and utilizes customized tools and techniques to gain access to various computer networks and systems worldwide. TAO’s activities are often kept secret and involve cyber espionage, advanced cyber attacks, and network defense. TAO’s capabilities are typically high-tech, encompassing the development of specialized software, tools, and techniques necessary for complex cyber operations.

Within TAO, the group known as ‘The Roc’ is considered the brain behind this operation. ‘The Roc’ is part of the NSA’s Tailored Access Operations (TAO) team and specializes in advanced cyber intelligence and cyber operations. However, due to the secretive nature of the NSA and TAO, specific and detailed information about ‘The Roc’ is generally not disclosed to the public. As part of TAO, ‘The Roc’ is likely involved in sophisticated cyber espionage operations targeting high-value entities, infiltrating computer networks, and collecting data, as well as developing the specialized tools, software, and techniques required for such operations.

Fort Meade / The NSA has its own team of elite hackers — The Washington Post

In her article ‘The NSA has its own team of elite hackers’ published on August 29, 2013, in The Washington Post, Andrea Peterson sheds light on this team. According to the leaks by Edward Snowden and descriptions by author Matthew M. Aid, this group is part of a highly secretive yet incredibly important NSA program that infiltrates foreign targets’ computers, steals data, and monitors communications to gather intelligence. Aid claims that TAO is also responsible for developing programs that can destroy or damage foreign computers and networks through cyber attacks, under the president’s directive.

As you might recall, we discussed the tools and devices developed by TAO in the Shadow Brokers episode of our series. According to Aid, TAO’s main base is at the NSA headquarters in Fort Meade. There, about 600 members of the unit work in shifts around the clock in an ‘ultra-modern’ area known as the Remote Operations Center (ROC) at the heart of the base.

Returning to our main topic, the former TAO ROC employee revealed that the malware was actually produced in multiple versions and continuously updated. The initial development phase was undertaken by TAO’s The Roc team and the GCHQ (Government Communications Headquarters).

GCHQ (Government Communications Headquarters) is an intelligence agency of the United Kingdom government responsible for signal intelligence (SIGINT) and information security. Established during World War II, GCHQ is one of the UK’s three main intelligence agencies, alongside MI5 (domestic intelligence) and MI6 (foreign intelligence). GCHQ’s primary tasks include monitoring global communications, assessing cyber threats, gathering intelligence critical to national security, and protecting the government’s communication and information systems.

GCHQ conducts extensive surveillance and analysis of electronic communications, internet traffic, and cyber activities. The agency plays a critical role in protecting the UK against terrorism, cyber attacks, organized crime, and other national security threats. GCHQ employs advanced cyber intelligence collection techniques, cryptanalysis (code-breaking), data analysis, and sophisticated computer algorithms. It also collaborates with international partners and other intelligence agencies to share information.

GCHQ’s operations are typically highly classified, and very little information is released to the public. The agency has been at the center of debates over global surveillance and privacy violations. Documents leaked by Edward Snowden in 2013 revealed GCHQ’s extensive surveillance activities and its close collaboration with the US National Security Agency (NSA).

GCHQ and the NSA named this operation ‘Olympic Games.’ As you know, Stuxnet is the name given to the malware by Symantec researchers. While GCHQ and the NSA handled the cybersecurity aspects of Olympic Games, the field operations were carried out by Mossad. Due to some operational issues at the NSA at that time, the US Cyber Command also participated in these operations under its own department.

The development of the malware began with the analysis of videos published by Iran as part of their propaganda and during their Nuclear Energy Day. These videos, which included images of then-President Ahmadinejad with SCADA system screens in the background, provided critical information. For example, detailed examination of the images revealed six groups of centrifuges, each containing 164 tubes. The attack code reflected these exact numbers, indicating that it was designed to target six different arrays, each with 164 elements. This precise match between the images and the attack code underscores the targeted nature of the operation.

Natanz | Source : Iran News

During the developments, the analysis was conducted at the facilities located at the ROC in Fort Meade and at Sandia, New Mexico. Initially, they required centrifuges. They obtained the centrifuge devices, known as P1s, from the Negev Nuclear Research Center in Dimona, Israel, and conducted tests. For these tests, the centrifuges used were originally supplied by A.Q. Khan to Libya, which were later retrieved from Libya by the Bush administration. Let’s examine this situation.

During the Bush administration, a significant development occurred regarding Libya’s nuclear program. In 2003, Libyan leader Muammar Gaddafi revealed his country’s clandestine nuclear weapons program and decided to terminate it. This decision was the result of secret negotiations with the United States and the United Kingdom. The Bush administration supported the process of dismantling Libya’s nuclear program and the surrender of its nuclear materials, particularly the centrifuges. According to reports, uranium enrichment centrifuges and other related equipment that could be used to develop nuclear weapons were removed from Libya under the supervision of U.S. and international inspectors and were destroyed. However, it is evident that they were not completely destroyed.

Libya Centrifuges 2003 | Source : The New York Times

However, in the videos and photos Iran has released, it is seen that these centrifuges have been replaced. Upon further investigation, it was confirmed that new centrifuges had been put into use. Here, Mossad came into play and acquired the plans for the new centrifuges, known as IR-2s, from Iranian informants. Initially, they searched for target points, but after considerable effort, they decided to focus on delays. And the result was precisely what they aimed for.

So, what does Stuxnet do to these centrifuges?

When Stuxnet first infects a system, it waits 13 days before launching the attack. During this period, it collects necessary data by performing network sniffing and OSINT. Interestingly, as intended, it acknowledges the presence of an air gap in the SCADA system and does not communicate with the Command and Control (C2) server. C2 refers to the command and control center of malware. This center is typically a server or a network of servers remotely managed by hackers, directing the behavior and activities of the malware on target systems and collecting stolen data. C&C servers are critical for the distribution, updating, and transmission of information obtained by the malware. C&C structures are often complex and multi-layered, allowing malicious actors to hide their tracks and evade cyber defense mechanisms.

Uranium enrichment

An air gap describes the condition where a computer or network is physically isolated from the outside world. Air-gapped systems are not directly connected to any external network or the internet, theoretically making them more secure against cyber attacks. Air gaps are commonly used to protect networks involving critical infrastructure, military systems, and sensitive data. However, advanced cyber threats like Stuxnet have demonstrated that even physically isolated systems can be compromised. Breaching an air-gapped system typically involves insider intervention or physical media (such as USB drives). Attacks on air-gapped systems require a high level of expertise and target-specific strategies, and are usually carried out by state-sponsored actors or groups with significant resources. It’s quite remarkable how everything falls into place, just like in the case of stolen digital certificates, isn’t it?

Continuing on, the 13-day waiting period also coincides with the time it takes for a series of centrifuges to be filled with uranium. This means that when Stuxnet infects the system, it does not activate if the centrifuge is empty or contains unenriched uranium. Isn’t that terrifying? The goal, besides damaging the centrifuges, was to harm the operators working with the devices. Perhaps the ultimate aim was even to blow up the entire facility. Since they couldn’t achieve this, they adjusted the malware to inflict maximum damage.

Researchers at Kaspersky Lab published a report identifying by name the first five victims of Stuxnet.

These centrifuges spin at 1000 hertz, or 63,000 RPM, which is an incredibly high speed, generating a noise similar to that of a jet engine. After 13 days, Stuxnet increases the speed to 1400 hertz, or 84,000 RPM, which is fast enough to cause the centrifuges to shatter and release uranium gas. It then reduces the speed to 2 hertz, causing the centrifuge to be torn apart due to centrifugal force. While this happens, Stuxnet sends the recorded healthy data from the previous 13 days to the control room. Imagine the operators’ stress, seeing normal data while knowing something is wrong.

At 1400 hertz, the sound becomes incredibly loud. When the operator hears this, they panic and hit the red button designed for controlled shutdown. However, Stuxnet prevents this action. The analysts become increasingly frantic in the face of these issues, and over time, they continuously witness the centrifuges being destroyed.
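The detection lesson in the two paragraphs above is that the control room only saw what the PLC reported. The following script is an added example, not code from the original article: it cross-checks the HMI-reported frequency against an independent, out-of-band measurement (assumed here to be a separate tachometer or vibration sensor) and reports each abnormal episode, its duration, and whether the reported values were masking it. The 1000/1400/2 Hz figures are the ones the article quotes; the telemetry itself and the sampling interval are constructed.

```python
"""Cross-check centrifuge drive telemetry against an independent sensor.

Added example (not the article's code). Abnormal speed is judged from the
independent measurement; the PLC/HMI-reported series only decides whether
an operator watching the screen could have noticed. All data is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

NOMINAL_HZ = 1000.0        # normal operating frequency quoted in the article
BAND_HZ = (950.0, 1050.0)  # assumed acceptable operating band (hypothetical)
SAMPLE_PERIOD_S = 10       # assumed telemetry interval (hypothetical)


@dataclass
class Episode:
    kind: str        # "overspeed" or "underspeed"
    start: int       # index of first abnormal sample
    end: int         # index of last abnormal sample
    duration_s: int
    masked: bool     # True if the HMI reported in-band values throughout


def classify(hz: float) -> str:
    """Place one frequency sample relative to the operating band."""
    if hz > BAND_HZ[1]:
        return "overspeed"
    if hz < BAND_HZ[0]:
        return "underspeed"
    return "ok"


def find_episodes(reported: List[float], measured: List[float],
                  period_s: int = SAMPLE_PERIOD_S) -> List[Episode]:
    """Group contiguous abnormal measured samples into episodes."""
    if len(reported) != len(measured):
        raise ValueError("series must be aligned sample-for-sample")
    episodes: List[Episode] = []
    i = 0
    while i < len(measured):
        kind = classify(measured[i])
        if kind == "ok":
            i += 1
            continue
        j = i
        while j + 1 < len(measured) and classify(measured[j + 1]) == kind:
            j += 1
        # masked: every HMI value during the episode looked healthy
        masked = all(classify(r) == "ok" for r in reported[i:j + 1])
        episodes.append(Episode(kind, i, j, (j - i + 1) * period_s, masked))
        i = j + 1
    return episodes


def constructed_scenario() -> Tuple[List[float], List[float]]:
    """Constructed telemetry following the article's 1000 -> 1400 -> 2 Hz sequence."""
    normal = [NOMINAL_HZ] * 6      # 1 minute of normal operation
    over = [1400.0] * 12           # 2 minutes at 1400 Hz
    under = [2.0] * 18             # 3 minutes at 2 Hz (shortened for the demo)
    measured = normal + over + under + normal
    reported = [NOMINAL_HZ] * len(measured)  # HMI replays healthy readings
    return reported, measured


if __name__ == "__main__":
    rep, meas = constructed_scenario()
    for ep in find_episodes(rep, meas):
        flag = "MASKED by HMI" if ep.masked else "visible on HMI"
        print(f"{ep.kind:<10} samples {ep.start}-{ep.end} ({ep.duration_s}s) {flag}")
```

Any episode flagged as masked is a discrepancy between the control system and physics, which is the signal an ICS monitoring team should alert on regardless of what the HMI shows.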

Moreover, when officials from the National Nuclear Inspection Agency visited the facility for routine checks, they saw that the centrifuges had been removed. They also noticed that some engineers were held responsible for the incident and were fired.

This demonstrates the destructive power and stealth of Stuxnet. During tests at Fort Meade, when the ROC team presented the evidence of the shattered centrifuges to the high command and even Bush, everyone approved, and the operation was green-lit.

Now, let’s return to the Symantec researchers. As Eric and the team continued their analysis, they found a ‘kill date’ in the reverse-engineered data. It appears that this date was January 11, 2009, at 3:25 PM. Interestingly, this date was just 1–2 days before Obama took office.

Isn’t that incredible?

However, documents from the Snowden leaks revealed that the Democrats, contrary to Bush’s expectations, did not act very democratically. When Obama took office, he immediately re-approved the operation. According to reports, Obama was highly focused on cybersecurity. From the Snowden documents, it is clear that his administration engaged in extensive data surveillance and scandalous practices. During Obama’s term, a significant portion of the budget allocated for cyber defense was actually directed towards cyber attacks and offensive tools. The publicly released documents showed a line item of $52.6 billion under titles like Title 10 CNO and TAO.

Unit 8200 | Source : Israel Defense

Upon examination, Stuxnet infiltrated the control systems that normally regulate the centrifuges to operate at approximately 1,200 RPM, increasing this speed to about 1,410 RPM and maintaining it for 2 minutes, then reducing the speed to around 2 RPM for 27 minutes. These abnormal speed fluctuations caused extreme mechanical stress on the centrifuges, ultimately leading to their failure. Stuxnet’s targeted attack significantly shortened the lifespan of the centrifuges and substantially reduced Iran’s enrichment capacity. According to the report, approximately 1,000 centrifuges at the Natanz facility were damaged due to Stuxnet.

Let’s go back a bit further. After infecting five factories in Iran, Stuxnet initially could not reach Natanz, which dissatisfied Israel. They wanted the process to be more destructive and faster. As a result, Unit 8200 under Mossad was activated. Alongside the Olympic Games project, they began modifying the Stuxnet source code, making the worm section more aggressive. Mossad’s Unit 8200 is a military intelligence unit within the Israel Defense Forces, often described as Israel’s national signals intelligence (SIGINT) unit. This unit specializes in electronic intelligence gathering, data analysis, codebreaking, and infiltrating foreign communication systems. Unit 8200 plays a critical role in global cyber espionage and cyber warfare operations and is considered one of the leading signals intelligence organizations in the world.

Former Mossad Chief Slams Israeli Leadership — Business Insider

Behind these aggressive developments was Meir Dagan. Meir, who was the defense minister at the time, was under significant pressure from Netanyahu to ensure the mission’s success. As a result, he began pushing Unit 8200 harder, leading to this point.

These aggressive modifications caused the infected computers to shut down and restart, leading to the detection of the operation. This brought the incident to the attention of Sergey and his team, as mentioned earlier, and as the information spread globally, it caught the attention of security researchers. The competition among analysts to reverse-engineer the malware began, and as they delved deeper into the analysis, the details of the operation gradually started to emerge.

Final

Stuxnet demonstrated the destructive potential of cyber threats crossing into the physical realm, distinguishing it from other malware and securing its place in history. When the incident was exposed, the US media got involved, and with confessions and secret witnesses, the full extent of the operation began to come to light. However, to this day, no one has taken responsibility.

The exact number of centrifuges damaged by the Stuxnet attack is unknown, but estimates suggest that around 1,000 centrifuges at the Natanz facility were affected. The emergence of Stuxnet highlighted the reality that cyber attacks could cause significant damage to physical infrastructure and target critical facilities of national security importance. In response to the attack, Iran increased its cybersecurity measures and focused on developing its own cyber defense capabilities. The Stuxnet attack severely impacted Iran’s nuclear program and temporarily delayed its enrichment activities. However, Iran overcame these obstacles, continuing its program and increasing its capacity through technological advancements.

Since the revelation of Stuxnet’s effects, Iran’s nuclear program has undergone numerous phases, shaped by international negotiations, disputes, and sanctions. The Joint Comprehensive Plan of Action (JCPOA) signed in 2015 between Iran and the P5+1 countries aimed to limit Iran’s nuclear program in exchange for the lifting of some economic sanctions. However, the US withdrawal from the agreement in 2018 and the reinstatement of sanctions led Iran to gradually reduce its commitments under the deal. Currently, Iran’s nuclear program and uranium enrichment activities continue to raise international concerns and are the subject of intense diplomatic efforts. Iran has announced that it has enriched uranium beyond the limits set in the agreement and advanced its nuclear technology, although this remains a matter of ongoing international inspections and negotiations.

You can watch my video where I explain it in Turkish below.

Thank you for reading. See you.


Alican Kiraz

Head of Cyber Defense Center | CSIE | CSAE | CCISO | CASP+ | OSCP | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ and more...