
US officials confirm Stuxnet was a joint US-Israeli op

Well, sure ... so why are you telling us, Mr President?


Cyberattacks on the Iranian nuclear program were a US-Israel effort started under the Bush administration and continued by President Obama, The New York Times reports.

The confirmation from Obama-administration officials that Stuxnet was a joint US-Israeli operation comes from extracts from a forthcoming book, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, by David Sanger, that's due to be published next week.

The NYT teaser piece reports that Operation Olympic Games was devised as a means to throw sand in the works of Iran's controversial nuclear program. It was initially embarked upon in 2006 without much enthusiasm, as a preferable alternative to withdrawing objections against an Israeli air strike against Iran's nuclear facilities. There was little faith that either diplomacy or tougher economic sanctions would work, especially since the international community might be expected to regard warnings about another country developing weapons of mass destruction with extreme scepticism after the Iraq War debacle.

General James E Cartwright, head of a small cyberoperation inside the United States Strategic Command, developed the plan to create Stuxnet. The first stage involved planting code that extracted maps of the air-gapped computer networks that supported nuclear labs and reprocessing plants in Iran.

Development of the payload came next and involved enlisting the help of Unit 8200 – the Israeli Defence Force's Intelligence Corps unit – which had "deep intelligence about operations at Natanz", and the NSA. Bringing the Israelis on board was important not just for their technical skills but as a means to discourage a pre-emptive strike by Israel against Iranian nuclear facilities.

Keeping the Israelis on-side involved persuading them that the electronic sabotage by "the bug", as it was known, stood a good chance of succeeding. This involved destructive testing against P-1 high-speed centrifuges, surrendered by the former Libyan government of General Gaddafi when it abandoned its own nuclear programme back in 2003. Iran also used the same P-1 centrifuges, sourced from a Pakistani black market dealer.

Small scale tests were a great success, prompting a decision to plant the worm in Natanz using spies and unwitting accomplices (from engineers to maintenance workers) with physical access to the plant, around four years ago in 2008.

Operation Olympic Games proved successful at infecting industrial control systems and sabotaging high-speed centrifuges while getting the Iranians to blame themselves or their suppliers for the problems.

Obama allowed the operation to continue even after the Stuxnet code escaped from Iran's Natanz plant back in 2010, via an engineer's computer, allowing the code to begin replicating across the net, something only possible due to a design mistake. Obama gave the go-ahead for the continuation of the scheme, with the development of a fresh version of Stuxnet, after hearing that the malware was still causing destruction.

Sanger's account of the joint US-Israeli effort to develop Stuxnet is based on interviews with current and former US, European and Israeli officials involved in the (still secret) program.

The US government only recently admitted the existence of programs to develop offensive cyberweapons, and has never admitted using them. There was discussion about using electronic attacks against Libyan air defence systems in the run-up to the NATO-led air attack against the Gaddafi regime last year, but that option was rejected.

The US relies more heavily on technology than almost any other country in the world and is much more vulnerable to cyber-weapons than most. Using cyber-weapons, even if they were narrowly targeted and closely controlled, could enable hostile governments or hackers to justify electronic attacks against US interests.

Stuxnet is back in the news because of this week's publicity about the Flame worm, a cyber espionage toolkit that infected computers in Iran and elsewhere in the Middle East. US officials told Sanger that Flame was not part of Olympic Games, while declining to say whether or not the US was behind the headline-grabbing attack.

Industry experts had long speculated that Stuxnet, which involved the use of zero-day exploits and knowledge of industrial control systems, was a state-sponsored project highly unlikely to have been the work of criminal hackers. A US-Israeli joint project was widely rumoured to have led to the creation of Stuxnet.

Sanger's research is more evidence in support of this theory and the only real question is why officials have begun talking about the secret spy op.

The reasons could be political, security experts speculate.

"Obama wanted to get credit for Stuxnet, as that makes him look tough against Iran," said Mikko Hypponen, chief research officer at F-Secure. "And he needs that as Presidential elections are coming." ®
