There’s a popular theory that Stuxnet was intended to cripple Iran’s nuclear power program. Other theories could fit the facts, but for the sake of argument, let’s say that theory is credible. How would it work?
Here’s what I think is a plausible scenario:
1. Stuxnet is released in Iran so that it will spread there most quickly.
2. Stuxnet, possibly but not necessarily, reaches some control software somewhere in an Iranian plant and does something to make things go wonky, proving that it is a menace.
3. Stuxnet is discovered, either when #2 happens or before, and carefully analyzed.
4. His Utmost Ridiculousness Ahmadinejad and other Iranian leaders believe they’ve had a brush with a serious threat, and they get hopping mad.
5. Iran retaliates for the worm against the United States using physical force, in some showy way.
6. In the United States there are high-fives behind certain closed doors, and outrage at Iran’s unprovoked aggression in front of the TV cameras.
7. Immediately half of Iran’s air force is wiped out, along with virtually all the land-to-sea missiles planted along the Persian Gulf; ships are torpedoed; military communications are smashed up… and as if it were an afterthought, Iranian nuclear research facilities are obliterated, setting the bomb-making program back five years.
That’s how I see Stuxnet could work.
This isn’t so much a real theory I’d like to defend as it is an exercise in coming up with a theory that fits the facts. The theory that Stuxnet by itself, without supporting aircraft and cruise missiles, could seriously inconvenience Iran’s nuclear bomb making efforts, isn’t credible.
Notes:
1. For the Iranians to retaliate forcefully, they have to notice they’ve been “attacked”. Stuxnet is an internet Windows worm, that spreads using clever zero-day exploits. Once released, it was certain to spread widely and certain to be discovered. That’s something the Stuxnet creators could depend on.
Windows rootkit worms aren’t invisible, except to Windows itself. They typically communicate across networks (Stuxnet does), so they are noisy; a worm will stand out like a camel in a flock of sheep when a file system is inventoried outside of Windows.
The Stuxnet team probably figured they had six months max, and maybe just days, before security researchers would be all over it. But if released the right way in Iran, it might spread enough there to seem threatening.
2. For the Iranians to retaliate forcefully, they would have to believe the worm was really a military-grade threat. With the internet infested by every manner of virus, worm and scam, coming up with a worm that is “military grade” is no small task. Stuxnet is very clever. For “military-grade?” it checks the block.
3. Plausible deniability. Stuxnet is a Windows worm, which has spread all over the world. There’s nothing about its spreading techniques that would limit it to Iran. There’s no way to conclusively tie the worm to any attacker. Many countries and criminal enterprises could put together 5 to 10 engineers plus testers and management for six months.[1]
The discovered payload of the worm (as opposed to the spreading technology) messes with PLC code, but the worm was provided with means to get updates in the wild, so presumably the payload could be switched out for something completely different.
4. In Operation Mincemeat, the British convinced the Germans to do what they otherwise would not have done (concentrating defenses on Greece and Sardinia rather than Sicily). We know the story from a movie, “The Man Who Never Was.” A dead body was dressed as a British officer, with an attached briefcase containing misleading papers, and dropped into the sea off the Spanish coast. A great deal of effort went into making the body convincing. The Germans were fooled, and this affected what the German military did.
From the perspective of many nations — the U.S., Israel, Saudi Arabia, Kuwait, Russia, the UAE, the UK… — a good excuse for someone to reduce Iran’s nuclear weapons program to a smoking ruin would be most welcome. A great deal of effort went into making Stuxnet convincing.
PB
—–
[1] Symantec’s estimate
Peter Barry 