
Danger, USB! Was Israel Behind Stuxnet or Not?

Peter Robinson over at Ricochet recently suggested that Israel deserves at the very least a crate of champagne for managing to disrupt the Iranian nuclear program, an accomplishment that has eluded Barack Obama, Hillary Clinton, the EU, and the IAEA — and all without a single plane sent into harm’s way, a single bomb dropped, or a single shot fired in anger. Israel (if it was she) has apparently not only slowed things down at the Bushehr nuclear reactor, but also seriously compromised the enrichment of uranium at Natanz — a facility that is eight meters underground and covered with reinforced concrete and earth, making it a tough hit. Natanz seems to have been brought to a near-standstill by the worm, which was likely brought in initially on an infected USB stick.

Think back to the summer, before news of the cyber-attack hit the front pages. There was much discussion, and had been for some time, on the likelihood of an Israeli air strike to take out, or at least seriously damage, Iran’s nuclear program. Speculation on timeframes had been rife for months, with zero hour shifting from spring to summer to autumn as dates passed with no action. Knowledgeable individuals far and wide weighed in on the gravity of the danger Iran’s program poses to Israel and to the world and the necessity that action be taken soon, a concern often coupled with anxiety over the perceived unwillingness of the American administration to step up. The question asked was rarely “should Israel strike?” or even “will Israel strike?” It was instead: “Will the Israeli strike take place with or without American permission?”

But an Israeli air strike didn’t happen. Why not?

Here’s a theory. Israel didn’t send in the air force because she knew something the punditry didn’t, something that threw conventional wisdom about the imminence of Iran’s nuclear capability out the window. That knowledge was secure enough to preclude the necessity, at least in the short term, of a physical strike. Israel knew that Iran’s nuclear program was about to be seriously disrupted — and so it was, by the Stuxnet virus.

Okay, sounds reasonable. But did Israel do it?

I think it’s likely — and there may well have been cooperation between the Israelis (Unit 8200?) and the Americans (USCYBERCOM, hitting the ground running?), although don’t wear yourself out looking for confirmation. The scale of the attack would have required two things that seem to discount rogue hackers in their bedrooms: substantial, coordinated manpower and “the resources of a nation-state”, according to a discussion of the virus on CNet. Computerworld consulted Liam O Murchu, manager of operations with Symantec’s security response team, and Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab, both of whom concur with CNet’s supposition:

“There are so many different types of execution needs that it’s clear this is a team of people with varied backgrounds, from the rootkit side to the database side to writing exploits,” [O Murchu] said.

The malware, which weighed in at nearly half a megabyte — an astounding size, said Schouwenberg — was written in multiple languages, including C, C++ and other object-oriented languages…

“And from the SCADA [the Siemens supervisory system that was vulnerable to the virus – JL.] side of things, which is a very specialized area, they would have needed the actual physical hardware for testing, and [they would have had to] know how the specific factory floor works,” said O Murchu.

“Someone had to sit down and say, ‘I want to be able to control something on the factory floor, I want it to spread quietly, I need to have several zero-days [security gaps – JL.],’” O Murchu continued. “And then pull together all these resources. It was a big, big project.”

The Economist agrees that there was a major investment here:

Normally, anyone who discovers a new zero-day exploit can expect to sell it for a handsome fee to hackers who can then make use of it. Whoever built Stuxnet, however, was prepared to pay for four such exploits, which cannot have been cheap, to boost its chances of success. They also had deep knowledge of particular control systems. So it seems to be an expensive piece of software aimed at one specific facility.

The Christian Science Monitor puts it this way: “Stuxnet is essentially a precision, military-grade cyber missile deployed…to seek out and destroy one real-world target of high importance.” Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy’s Idaho National Laboratory, calls Stuxnet “the first direct example of weaponized software, highly customized and designed to find a particular target.” The object was not the theft of data or the ransoming of systems. It was destruction.

I’d say the evidence is compelling that a nation was behind Stuxnet, and since we’re the nation Ahmadinejad has rhapsodized about wiping off the face of the earth, we’re a likely suspect. And Israel has made no secret of its commitment to cyber defense and warfare. As long ago as 2007, an Israeli cyber attack apparently shut down Syria’s defense infrastructure, enabling the air force to take out their budding nuclear weapons development program in a night air raid. This past February, Maj. Gen. Amos Yadlin said that “Using computer networks for espionage is as important to warfare today as the advent of air support was to warfare in the 20th century.”

There has been much feverish discussion about two alleged clues suggesting the long arm of Israeli hackers in the code: the word “MYRTUS” and the number string 19790509. “Myrtus” could refer to the myrtle tree, and myrtle in Hebrew is Hadassah — the original name of Biblical Queen Esther, who rescued the Jews of Persia from extermination. The number string could refer to May 9, 1979, on which date Iran executed a prominent Jewish philanthropist, Habib Elghanian, for spying.

I’d advise caution here. It seems a little counterintuitive for Israel to go to great trouble to conceal her agency and then plant such heavy-handed clues. Of course, the clues could be misdirection to prompt exactly that reaction. And Israel does relish the well-placed message. In 1967, for example, when Israel wiped out Egypt’s air force before it could take off, the IAF left Egypt’s dummy planes intact on the tarmac, just to freak them out a little. The clues in Stuxnet’s code are far from conclusive, but I wouldn’t put it past the Israelis to give the enemy a little something to keep them guessing. If Israel was behind Stuxnet, I imagine her object was not only to slow down Iran’s nuclear progress, but to make a statement as well: that she is watching, she knows what Iran is up to, and if they get too far out of line, she’ll come calling.

Peter, I wish I could confirm that Israel deserves that champagne. (Or perhaps I don’t.) In any event, I’m pretty sure that even hackers love Bollinger. Just please make sure it gets here before June 24, 2012. That’s Stuxnet’s built-in kill date, and there’s no telling what’s in store after that.

[For those who would like more detail on Stuxnet, Symantec has published an exhaustive dossier, and there’s more analysis here. Symantec also published a short breakdown of the various theories about its origin (lone wolf or state-sponsored espionage?). And if you’d like to read an interesting debunking that culminates in a pretty zany theory, look here.]