It's June 2009. The streets of Tehran have erupted in protests over the results of a presidential election. The incumbent, Mahmoud Ahmadinejad, has emerged victorious with an overwhelming majority over Mir-Hossein Mousavi, and protesters allege a fraudulent victory. Among them is a woman named Neda Agha-Soltan who, on her way to join the main protests, parked her car at some distance from the gathering and stepped out because the vehicle's air conditioner was not working. As she breathed in the fresh air, a sniper belonging to a government-funded militia took aim and shot her square in the chest. She was dead.
While this was unfolding in Tehran, around 300 kilometres to the south at the Natanz nuclear facility, the heart of Iran's nuclear program, 'strange' things were happening. Just days after Neda's death, the CIA reportedly received approval to initiate a cyber operation against this facility. The operation involved uploading a sophisticated piece of malware, known as Stuxnet, directly onto Iranian hardware. This malware had been in development for years as a collaborative effort between the United States and Israel, and it represented the world's first digital weapon.
Stuxnet was not a new presence in Iran's nuclear infrastructure; it had been causing disruptions for years. However, this new version was designed to deliver a decisive blow.
The story of Stuxnet's development and deployment began years earlier, in the early 2000s, during a period of heightened tension between Iran and Western nations over Iran's nuclear ambitions. The Bush administration, concerned about Iran's potential to develop nuclear weapons, sought unconventional methods to impede Tehran's progress. Thus the covert operation codenamed 'Olympic Games' was born. This initiative, involving close collaboration between the CIA, the NSA, and Israel's Mossad, aimed to create a digital weapon capable of physically disrupting Iran's nuclear enrichment capabilities.
Stuxnet was not an ordinary piece of malware. Its design reflected a level of sophistication unprecedented in the realm of cyber weapons. The malware targeted Siemens Step7 software, used to control industrial equipment, specifically focusing on the centrifuges at Iran's Natanz uranium enrichment facility. These centrifuges, essential for enriching uranium, operated at high speeds and required precise control to function correctly.
The US built a replica of Iran's nuclear facility in its Oak Ridge facility in the state of Tennessee, where they meticulously studied the centrifuges to understand how to sabotage them without detection. In 2007, the first version of Stuxnet was released, targeting these centrifuges by preventing the release of pressure through the valves, causing the uranium gas to solidify and the centrifuges to spin out of control and ultimately self-destruct.
Iran's nuclear facility was air-gapped, meaning its network was physically isolated from the internet, so Stuxnet had to be introduced via an inside agent using a USB drive. The malware operated undetected, using a rootkit to hide its presence and stolen digital certificates so that its code appeared legitimate. Despite its effectiveness, the initial versions of Stuxnet only slowed Iran's progress and did not sabotage it entirely.
In response, US researchers developed a more aggressive version of Stuxnet, using four zero-day exploits and stolen private keys to sign its code. This version could spread rapidly, even into air-gapped networks, and reprogram the centrifuges to destroy themselves while masking the sabotage as hardware malfunctions.
An insider at Natanz introduced this new version of Stuxnet, and it quickly spread throughout the facility's network. However, its aggressive nature led to unintended consequences: the malware spread beyond Natanz, infecting computers across Iran and eventually around the globe. The CIA, realising that the spread of Stuxnet could no longer be controlled, decided to continue with the operation, hoping it would remain undetected within Natanz.