The ruse that makes the attack possible is as simple as it is ingenious. Stuxnet takes advantage of a security hole in Windows that makes it possible to manipulate the system. As a result of this programming error, the virus can be introduced into the system through a USB flash drive, for example. As soon as the drive is connected to a computer in the system, the installation begins unnoticed.
Stuxnet initially searches for anti-virus programs. The code is designed to circumvent them or, if this is not possible, to de-install itself. For a long time, one of the priorities was to leave no traces.
In a second step, Stuxnet lodges itself into the part of the operating system that manages USB flash drives, where it establishes a checksum, the exact purpose of which is unclear. The infection stops when this sum reaches the value 19790509. Symantec speculates that this is some sort of code. When read backward, the number could represent May 9, 1979, the day Habib Elghanian, a Jewish businessman, was executed in Tehran. Is this a coincidence? A provocation? Or a deliberately placed red herring?
It is still unclear how exactly the Israelis were able to get the virus into Natanz. In the jargon of computer experts, previously unknown security gaps like the hole in the Windows operating system are called zero-day exploits. Searching for these vulnerabilities is a combination of hacker challenge and business model. Knowledge is valuable, and there is a black market in which a previously unknown vulnerability can be worth $100,000 (70,000) or more. Stuxnet exploits no fewer than four of these digital jewels.
'A Blue-and-White Operation'
Symantec manager Sam Angel believes that it is impossible to write a code like Stuxnet without having intimate knowledge of the Siemens system. "There is no black market for exploits involving Siemens software," he says. "It's not used widely enough." How, then, did the Mossad acquire the information about the technology in use at Natanz?
It has been openly speculated that the Americans may have helped the Mossad. There is a US government research institution in Idaho where scientists study the Siemens control technology used in Iran; the basic research for Stuxnet could have taken place there. After that, the virus could have been tested at Israel's nuclear research center near Dimona in the Negev Desert.
Israeli sources familiar with the background to the attack insist, however, that Stuxnet was a "blue-and-white operation," a reference to Israel's national colors -- in other words, a purely Israeli operation. They believe that a secret elite unit of the military intelligence agency programmed a portion of the code, leaving the Mossad to do the rest. The Mossad was also apparently responsible for smuggling the virus into Natanz. The same sources claim that the Mossad tried to buy a cascade of centrifuges on the black market, without success. In the end, an Israeli arms manufacturer, with the help of foreign intelligence agencies, supposedly managed to build a model of Natanz where Stuxnet was tested.
The operation was ready to begin in the summer of 2009. The attackers unleashed Stuxnet at 4:31 p.m. on June 22, 2009. The attack targeted five Iranian organizations and was launched in three waves. After the first wave, a second strike took place in March 2010, dealing a heavy blow to the Iranians. The third wave followed in April. According to Symantec, the targets were not directly related to Iran's nuclear program, but some of the target organizations were on United Nations sanctions lists. Some 12,000 computers were infected in the five organizations alone.
Stuxnet is programmed to delete itself from the USB flash drive after the third infection, presumably to prevent it from spreading explosively, which would have been noticed immediately. The goal of the cyber-weapon is to sabotage its targets in a sustainable, rather than spectacular, manner.
Another trick, which gives the virus the semblance of legality, shows how complex the design is. It involves digital certificates, which are issued on the Internet by companies that test the activity of a server or a program and certify that it is not malicious. If a program can show that it has such a certificate, then it is allowed access to a system. The Taiwanese firms Realtek Semiconductor and JMicron Technology are among the firms that issue such certificates.
In January 2010, a version of Stuxnet turned up that had been signed with a digital certificate from Realtek. This was followed, in July 2010, by a version signed with a JMicron certificate. Both certificates had been stolen. This theft alone is an operation that requires either a physical burglary at the headquarters of both companies, or the kind of hacker attack that very few programmers worldwide are capable of performing, because these certificates are additionally secured and encoded.
Only a State Could Produce Stuxnet
An analysis by a European intelligence agency classified as "secret," which SPIEGEL has seen, states that it would have taken a programmer at least three years to develop Stuxnet, at a cost in the double-digit millions. Symantec, for its part, estimates that the tests in the model facility alone would have occupied five to 10 programmers for half a year. According to the intelligence analysis, "non-governmental actors" can be "virtually ruled out" as the inventors of Stuxnet. Members of Germany's Federal Security Council, a government committee for defense issues whose meetings are secret, felt the same way when the council met in Berlin on Nov. 25, 2010.
Stuxnet shows what can happen when potent attackers are at work, said then Interior Minister Thomas de Maizière, who is now German defense minister. Anyone who is willing to invest that much money and resources, Maizière added, knows what he is doing. The council members agreed that a sovereign state had to be behind the virus.
De Maizière's staff noted that 15 vulnerabilities are found in standard computer programs every day, and that tens of thousands of websites are infected worldwide on a daily basis. At the end of the meeting, the council decided to establish a national cyber defense center. "The experiences with the Stuxnet virus show that even key areas of industrial infrastructure are no longer safe against targeted IT attacks," a government cabinet paper later stated.
The virus has fundamentally changed the way we look at digital attacks. The US government recently issued a new cyber war doctrine that defines a cyber-attack as a conventional act of war. The Stuxnet code, which is now accessible to the public, could inspire copycats, Roberta Stempfley of the US Department of Homeland Security warned last week.
Last year the British government adopted a new security strategy, for which it approved funding of 650 million pounds (565 million or $1,070 million). The cyber world will become "more important in the conflict between nations," Israeli Deputy Prime Minister Dan Meridor said in a speech in Jerusalem in February. "It is a new battleground, if you like, not with guns but with something else."