The History of Stuxnet: The World’s First True Cyberweapon
How the world’s first-ever cyberweapon changed the history, and the future, of computer security.
On July 16, 1945, the United States detonated a completely new kind of weapon, the atomic bomb, and changed the world forever.
Sometime in 2009, someone launched another completely new kind of weapon. Unlike the one detonated in New Mexico more than fifty years earlier, this wasn't a physical weapon, but a malicious computer program, a virus or malware. But unlike any other malware before it, it was capable of causing real-world, physical damage.
It would later come to be known as Stuxnet, the first-ever malware to attack the real world. Stuxnet was designed to hit only one, very specific, target: the computers that controlled Iran's nuclear facility in Natanz, where international authorities suspected the country was working on its secret nuclear weapons program.
Stuxnet was programmed to make the uranium enrichment centrifuges spin faster than they were supposed to, driving them out of control until they were damaged. The malware was so well programmed that its victims could do very little to stop it. In fact, they didn't even know the outages and disruptions were caused by a computer virus.
"The operators were doomed, the plant was doomed," Eric Chien, a security researcher at Symantec who tore apart Stuxnet for months, says.
The attack was so well-done that the virus worked undetected for months, and its victims didn't know about it until security companies around the world discovered it and started talking about it.
At the time, the security world gasped at the sophistication of Stuxnet. No one had ever seen anything like it. Obviously, everyone was wondering who could have been behind such advanced and unprecedented malware, which is perhaps the only one—at least that we know of—to really warrant the definition of "cyberweapon."
To this day, the "whodunnit," at least officially, is unknown. No country has ever claimed or admitted responsibility. But six years later, it's widely assumed that the United States and Israel were the culprits.
As Kim Zetter, the author of the definitive book on Stuxnet, Countdown to Zero Day, puts it, "I don't think that there's a question that the US is behind it."
The revelation came in 2012, when The New York Times reported that the US government ordered the attack, which was officially dubbed Olympic Games.
In this week's episode of the VICELAND documentary series CYBERWAR, Zetter cites the years-long internal investigation that the US government launched after that New York Times article to find the leaker as one of the many signs pointing towards the US government.
"You don't launch a leak investigation for a covert operation you didn't do," she says.
We traced the history of Stuxnet, and how it changed the world, in this week's CYBERWAR episode. You can watch it on VICELAND on Tuesday, at 10:30 PM ET.