Intelligence Estimate: Stuxnet Set Back Iran's Nuclear Program By Two Years

Experts guess the IDF did it, but in a second article I'll link in a second there's plenty of speculation it was the US, too.

The Stuxnet virus, which has attacked Iran’s nuclear facilities and which Israel is suspected of creating, has set back the Islamic Republic’s nuclear program by two years, a top German computer consultant who was one of the first experts to analyze the program’s code told The Jerusalem Post on Tuesday.

“It will take two years for Iran to get back on track,” Langer said in a telephone interview from his office in Hamburg, Germany. “This was nearly as effective as a military strike, but even better since there are no fatalities and no full-blown war. From a military perspective, this was a huge success.”

...

Last month, the International Atomic Energy Agency (IAEA), the United Nation’s nuclear watchdog, said that Iran had suspended work at its nuclear-field production facilities, likely a result of the Stuxnet virus.

This long piece from Newsweek (which I'll digest if you're boycotting) gives me some hope that someone, somewhere in the intelligence committee knows what the fuck they're doing.

In case you didn't know how Stuxnet worked (I didn't), here's the brief: The high-speed centrifuges spin so quickly they need very careful monitoring by a computer program to slow them or speed them up or balance them. Obviously, this happens far too quickly for any human being to be able to handle it; it's automated. If they spin wrong, it causes mechanical damage and break-downs.

The Stuxnet was introduced physically to the computers monitoring the centrifuges physically by a USB drive or the like (and possibly unknowingly; a technician might have had his thumb-drive secretly infected). It then waited for a while, spreading itself around. At an appointed time it began to deliberately cause the centrifuges to spin wrong and thus the break-downs; many centrifuges are broken or out of service.

One thing about the worm that didn't quite work is that it was supposed to disappear, invisibly, probably so that the Iranian scientists would never discover what the problem was; or to possibly prevent replication by enemy hackers; or perhaps to not leave a trail (for legal reasons, Newsweek guesses, but what? What, is Iran going to sue?); or perhaps to make sure the Stuxnet never somehow got out and started screwing up non-targeted machines by accident.

But the worm was discovered, and is now being analyzed by hackers and cyber-security expert, who call it a work of art.

The real damage to the Iranian nuclear program, however, was done by Stuxnet—the most sophisticated computer worm ever detected and analyzed, one targeting hardware as well as software, and a paradigm of covert cyberweapons to come. “Stuxnet is the start of a new era,” says Stewart Baker, former general counsel of the U.S. National Security Agency. “It’s the first time we’ve actually seen a weapon created by a state to achieve a goal that you would otherwise have used multiple cruise missiles to achieve.”

According to figures compiled by David Albright of the Institute for Science and International Security, a Washington think tank that follows the Iranian program closely, Tehran had major problems bringing new centrifuges online throughout 2009. The first 4,000 already installed at the Natanz facility continued to spin, but the next 5,000 were beset by delays. The worst problems came in an array of centrifuges known as A-26, which Iran began installing in late 2008—around the time Stuxnet was sent on its mission. In the late summer of 2009, half the functioning A-26 centrifuges had to be pulled out of service. At the turn of this year, Albright has learned, 1,000 more simply broke down. This may have been the “limited number” Ahmadinejad was talking about. [Reference is to a previous quote in which Ahmadinejad reversed the state's official line that the attack was ineffective and conceded that a "limited number" of centrifuges were temporarily taken off-line.]

This makes it seem dispositive that it was state action, and not, say, some White Hat hackers deciding to do some good on their own:

What’s clear, says Clarke, is that major resources went into Stuxnet’s development. Microsoft estimates that building the virus likely took 10,000 man-days of labor by top-rank software engineers. Unlike most of the worms and viruses that wreak havoc on computers, this one was not designed to spread far and wide, doing damage wherever it landed. It is structured to target a specific set of devices manufactured only in Finland and Iran that are used to determine the speed at which the centrifuges rotate. If that speed is not modulated perfectly, vibrations make the machines break down, as indeed they have. According to Eric Chien of the antivirus firm Symantec, who has pulled Stuxnet apart like a strand of DNA, all that incredibly complex information was built into it before it ever infected the Iranian system. Clarke suggests that whoever developed Stuxnet probably had the same types of software and centrifuges on which to run tests. “That’s expensive,” he says. “That’s millions of dollars.”

The article also discusses the assassinations of the Iranian scientists. Newsweek's guess is that Israel did the violent stuff, and America did the Stuxnet, but Israel also has a legendary cyber unit that could be responsible.

The last couple of paragraphs stress that the super-sophisticated, 10,000+ man-days worm, now having been discovered, can be modified and used as weapon by others.

posted by Ace at 03:07 PM

| Access Comments