The Stuxnet Worm: The Cyberweapon Everyone Denied for Years

A piece of code walked into an Iranian nuclear plant and broke the machines. For a long time, nobody would admit it existed.

In the summer of 2010 a small anti-virus company in Belarus took a support call from a client in Iran. The client’s computers kept crashing and rebooting, and nobody could work out why. A researcher named Sergey Ulasen began pulling the machines apart and found something that did not behave like ordinary malware. It spread through USB sticks using a flaw in the way Windows drew shortcut icons. It carried valid digital certificates, apparently stolen from two real Taiwanese hardware firms. And it was enormous — half a megabyte of dense, layered code where a typical worm might be a few kilobytes. Ulasen and his colleagues did not yet know what they were looking at. Within months, security researchers on three continents would work out that they had stumbled onto the first weapon in history made entirely of software, built to physically destroy machinery in a specific building in Iran.

The weapon that really existed

The temptation with a story this cinematic is to suspect it has been dressed up. It has not needed dressing. Stuxnet was a real, functioning cyberweapon, and almost everything solid we know about how it worked we know because the code itself was captured, disassembled and studied line by line — first by researchers at Symantec, then in exhaustive detail by the German industrial-control expert Ralph Langner, whose analysis in late 2010 first identified the true target.

The target was Natanz, Iran’s main uranium-enrichment facility, buried under earth and concrete in the desert south of Tehran. Enriching uranium requires centrifuges: tall aluminium rotors spinning at tens of thousands of revolutions per minute, arranged in long cascades, controlled by industrial computers called programmable logic controllers. Natanz ran controllers made by Siemens, the S7-300 series, driving frequency converters that governed how fast the centrifuges turned. Stuxnet was written to attack exactly that configuration and, as Langner showed, to attack nothing else. It checked the machine it landed on for a precise fingerprint — the right Siemens software, the right model of controller, the right number of converters from two specific vendors, one Iranian and one Finnish. If it did not find that fingerprint, it did nothing. It sat inert. This was not a worm loosed at the world; it was a guided munition that happened to travel by USB stick.

What it did once it found its target was patient and cruel. Rather than smashing the centrifuges outright, which would have been obvious, Stuxnet altered their speeds subtly and intermittently — spinning them up beyond their safe tolerance, then slowing them, in episodes spaced weeks apart. While it did so, it fed the plant’s monitoring systems recorded readings of normal operation, so the engineers watching their screens saw nothing wrong even as rotors cracked and failed. The centrifuges wore out and broke, and the Iranians, for a long time, could not tell whether the fault lay in bad parts, bad workmanship or sabotage. Reports from the International Atomic Energy Agency, whose inspectors visited Natanz, recorded an unexplained wave of centrifuge replacements in late 2009 and early 2010 — hundreds of machines pulled out and swapped, consistent with exactly the kind of slow attrition the code was designed to cause.

The engineering was extraordinary, and this is the part that told the researchers they were not looking at ordinary crime. Stuxnet used four separate “zero-day” exploits — previously unknown flaws in Windows — in a single package. Zero-days are valuable; criminals hoard and sell them one at a time. Spending four of them at once was the signature of an actor who did not care about the cost, a state rather than a gang. The stolen certificates, the deep knowledge of Siemens industrial systems, the intimate familiarity with Natanz’s exact layout: all of it pointed the same way. Somebody with the resources of a national government, and detailed intelligence about a hardened Iranian facility, had built this.

The care taken over the sabotage told its own story. The code did not merely change centrifuge speeds; it selected which cascades to attack and rotated through them, so that failures looked random and scattered rather than systematic. It waited to be sure it was inside the real plant before doing anything, checking the fingerprint repeatedly over days. When it did strike, it recorded the plant’s normal readings first and played them back to the operators, a false video loop laid over a bank-heist camera. Every one of those choices spoke of designers who understood the machinery and the humans watching it alike — engineers modelling the psychology of the Iranian technicians who would be staring at the monitors, trying to work out why their beautiful cascades kept dying. That is not the craft of a vandal. It is the craft of a patient intelligence service that wanted the sabotage to be mistaken, for as long as possible, for bad luck.
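One way a plant operator can check for the kind of telemetry replay described above, as an added defender-side example (not code from the article, and not Stuxnet code): it assumes a monitoring feed of one noisy rotor-speed reading per sample, so a run of several consecutive readings that repeats an earlier run bit-for-bit points to a recording being played back rather than live measurement. The sample readings are constructed.

```python
"""Flag replayed telemetry windows in a stream of PLC readings (added example)."""


def find_replayed_segments(readings, window=6):
    """Return (replay_start, original_start, length) for every stretch of the
    feed that exactly repeats an earlier, non-overlapping stretch.

    Assumption: live readings carry measurement noise, so an exact repeat of
    `window` consecutive samples is improbable unless the feed is a recording.
    A genuinely flat signal would need an extra variance guard before alerting.
    """
    vals = list(readings)
    first_seen = {}  # window contents -> index where that window first appeared
    hits = []        # (replay_start, original_start) for each repeated window
    for i in range(len(vals) - window + 1):
        key = tuple(vals[i:i + window])
        j = first_seen.setdefault(key, i)
        if i - j >= window:  # exact repeat that does not overlap the original
            hits.append((i, j))

    # Collapse runs of adjacent hits (i, j), (i+1, j+1), ... into one segment.
    segments = []
    prev = None
    for i, j in hits:
        if prev is not None and (i, j) == (prev[0] + 1, prev[1] + 1):
            start, orig, length = segments[-1]
            segments[-1] = (start, orig, length + 1)
        else:
            segments.append((i, j, window))
        prev = (i, j)
    return segments


# Constructed sample: 12 live readings (rpm with jitter), then 8 samples that
# replay readings 2..9 verbatim, then two more live readings.
LIVE = [1049.8, 1050.3, 1049.6, 1050.9, 1050.1, 1049.4,
        1050.6, 1050.2, 1049.9, 1050.4, 1050.7, 1049.5]
FEED = LIVE + LIVE[2:10] + [1050.0, 1049.7]


def demo():
    """Run the check over the constructed feed; expected: [(12, 2, 8)]."""
    return find_replayed_segments(FEED)


if __name__ == "__main__":
    for start, orig, length in demo():
        print(f"samples {start}..{start + length - 1} replay "
              f"samples {orig}..{orig + length - 1}")
```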

The years of nobody-said-anything

Here the story becomes a study in a particular kind of silence. From the moment Stuxnet was identified, the obvious question — who made it — had an obvious short list, and no one on that list would answer.

The technical evidence pointed heavily toward the United States and Israel. The sophistication and the target both fitted a joint effort against the Iranian nuclear programme, which both governments had spent years trying to slow. Researchers noticed suggestive fragments in the code — a reference to a file path containing the word “myrtus,” which some read as an allusion to the Book of Esther, and a marker resembling a date connected to the execution of an Iranian Jew in 1979 — clues that were tantalising and, precisely because they were so on-the-nose, possibly planted to mislead. The forensic work could establish capability and intent. It could not, on its own, produce a confession.

The confession, when it came, came the way these things usually do — through journalism rather than any official acknowledgement. In June 2012 the New York Times reporter David Sanger published an account, drawn from unnamed officials and expanded in his book Confront and Conceal, describing a joint American-Israeli programme code-named Olympic Games, begun under President George W. Bush and accelerated under President Barack Obama, of which Stuxnet was a part. Officials speaking anonymously described a president being shown diagrams of Natanz’s cascades and weighing whether to continue. Neither government confirmed the programme on the record. But the leak was detailed, sourced to people with direct knowledge, and never seriously denied — and the ensuing federal leak investigation, which treated the disclosures as real classified matters, was itself a kind of confirmation. You do not launch a criminal inquiry into the leaking of a programme that does not exist.

So for years the honest position was suspended between two certainties. It was certain the weapon was real, because the code was on the table. It was certain a state had built it, because no one else could have. What was withheld was the acknowledgement — the plausible deniability that is the whole point of a covert operation, maintained even after the operation had been dissected in public. This is the ordinary condition of the covert. As with Iran-Contra, the machinery of denial can outlive the secret it was built to protect; the deniers keep denying long after the room has seen the evidence, because admitting it costs more than the silence does.

The fork: how the invincible worm grew

Everything above is sourced. The mythology begins where a specific, targeted, self-limiting weapon gets reimagined as an unstoppable digital plague with a will of its own.

The seed was real. Stuxnet did escape Natanz. Its USB-spreading design, meant to reach an air-gapped facility that no cable connected to the internet, also carried it out again on the same sticks and laptops, until copies turned up on tens of thousands of computers around the world — a great many of them, ironically, inside Iran, but also across Asia and Europe. This is what let the anti-virus companies find it in the first place. But — and this is the fork — those stray copies did essentially nothing. On any machine without the exact Siemens-and-Natanz fingerprint, Stuxnet checked, found the wrong environment, and lay dormant. The worm that “got loose upon the world” was, everywhere but one building, an inert passenger.

The popular telling loses that distinction fast. In the retellings that spread through news segments and forum threads, Stuxnet becomes a rogue superweapon roaming the internet, capable of leaping into any system and wrecking any infrastructure — a kind of digital Frankenstein’s monster that slipped its leash. The truth is closer to a key cut for a single lock, dropped in the street, harmless to every door but one. The distinction matters because the mythologised version teaches the wrong lesson: that cyberweapons are indiscriminate acts of god. The real Stuxnet teaches something more disquieting — that they can be exquisitely precise, aimed at one target with the care of a sniper, and still leave a copy of themselves lying around for the rest of the world to pick up and study.

That second lesson is the one that came true. Once Stuxnet was public, its techniques were no longer secret. Security researchers found related tools — Duqu, Flame, Gauss — apparently from the same stable, built for espionage rather than sabotage. And the broader worry, voiced by the very people who built such things, was that the United States had demonstrated a capability that others would now copy against targets of their own, including targets in America. The genie the myth imagined as a wild monster was, in the sober version, worse: a well-behaved tool whose blueprint had been handed to every adversary the moment it was caught.

What the silence was really about

Stuxnet sits at the hinge of an old suspicion and a new reality. For decades, the idea that a foreign power could reach across the world and physically wreck a nation’s machinery with nothing but code was the stuff of thriller writers and paranoid forums — the sort of claim a sensible person filed alongside weather-control fantasies like HAARP. Then it happened, it was caught, it was disassembled, and the thriller premise became a footnoted fact.

The denials that followed were not really about hiding whether the thing existed; by 2011 anyone could download the analyses. They were about preserving the space between knowing and admitting — the deniability that lets a government act and never own the act, that keeps a covert operation covert in law even after it has become notorious in fact. That space is where a great deal of statecraft lives, and it is exactly the space in which conspiracy theories breed, because a public that can see the evidence but cannot get an answer will, reasonably, conclude that it is being lied to. In the Stuxnet case, it was.

What makes the episode worth sitting with is not that a wild secret turned out to be true, and not that the world’s most careful cyberweapon turned out to be a monster. It is the narrower, stranger truth in between: that the most disciplined act of sabotage of the century was also, by its own success, the thing that taught everyone else how it was done. The weapon worked perfectly and gave itself away completely, and the men who built it went on denying it long after the code had told the whole story to anyone patient enough to read it.

Written by Wren

vo.rs's investigator of belief. Wren traces where our strangest stories come from — the conspiracy theories, hoaxes, urban legends and stubborn myths — following how each one spreads, why it sticks, and what real history lies tangled underneath. Every piece takes the believer seriously and ends on understanding.