STUXNET · BITE · 3 MIN · ADVANCED

A Half-Megabyte Worm Spent Two Years Wrecking 1,000 Iranian Centrifuges

Stuxnet used four zero-days, jumped air-gapped networks on USB sticks, and only spun up when it found Siemens controllers wired to uranium enrichment.

In June 2010, the Belarusian security firm VirusBlokAda found a piece of Windows malware on a client's machine in Iran that no one had seen before. Over the next several months, Symantec and Kaspersky researchers reverse-engineered roughly half a megabyte of compiled C and C++ code and arrived at a conclusion no one was prepared to reach: somebody had built a precision weapon out of software and aimed it at uranium enrichment.

Stuxnet used four zero-day Windows vulnerabilities, signed its drivers with stolen certificates from two Taiwanese hardware companies, and spread through USB flash drives so it could cross the air gap into industrial networks that were never meant to touch the Internet. Once on a target machine it looked for a very specific configuration: Siemens S7 programmable logic controllers running centrifuge frequency converters of a kind used in only one place — the Natanz uranium enrichment facility in Iran. Where it didn't find that configuration, it sat dormant. Where it did, it took control, reported normal frequency readings to the operators, and quietly drove the centrifuges past their tolerances. Estimates from later inspections put the destroyed Natanz machines at somewhere between 900 and 1,000.

Iranian and Western reporting eventually attributed the worm to a U.S.–Israeli operation that the Bush administration had named Olympic Games and that the Obama administration accelerated. Gary Samore, then the White House arms-control coordinator, gave reporters a winking acknowledgment in 2012. The worm contained a self-destruct date of June 24, 2012. Most of its code is still publicly available, and most of its successors look like its children.

#technology #cybersecurity #malware #stuxnet
Sources
Wikipedia