Was Stuxnet a joint US-Israeli project?
It has long been clear that a lot of grey matter was exercised in creating Stuxnet. It is equally clear that the highly expert team behind the worm was not simply showing off Windows exploits on Siemens manufacturing control systems, but intended to destroy centrifuges used for uranium enrichment.
A New York Times report has now gathered a range of evidence which suggests that experts from the US and Israel worked together to develop Stuxnet over a two-year period. Siemens is also reported to have unwittingly assisted them, in that the company collaborated with a US Department of Energy research institute on a programme for protecting against cyber-attacks. The security vulnerabilities uncovered during this programme were then utilised in developing the worm.
The fastidiousness with which the developers tailored Stuxnet to the Iranian enrichment facility in Natanz is also interesting. The New York Times quotes German security specialist Ralph Langner, whose analysis of the code showed that Stuxnet was targeted at a network of exactly 984 machines, which according to nuclear experts is precisely the number disabled in summer 2009.
Langner credits Stuxnet with two mechanisms of action: first, it disrupts the regulation of the centrifuges so that they run to destruction; second, it delivers fake sensor data to the control panel to give the impression that everything is running normally.
From the precision with which the worm performed its function, many experts conclude that Israel must also have been involved, reasoning that live tests must have been carried out. All indications point towards Israel's Dimona project in the Negev desert, which includes a uranium enrichment facility, as the test site. All of this is of course strictly confidential and deniable, as is US and Israeli involvement in creating Stuxnet. But, reports the newspaper, none of the American or Israeli experts were able to suppress a proud grin when noting that Iran's nuclear programme has been put back to at least 2015.