According to a New York Times report on Friday, anonymous U.S. and Israeli officials have confirmed that the 2010 "Stuxnet" cyber-attack on Iran's nuclear enrichment facilities was a joint U.S.-Israeli operation known as "Olympic Games", conducted with the full knowledge of President Bush and President Obama.
When it emerged in the summer of 2010, Stuxnet was believed to be too sophisticated to be anything but the work of a nation-state. Attention focused on the U.S. and Israel as likely sources of the virus, but those suspicions remained officially unconfirmed. Unofficially, Stuxnet appeared to be an open secret.
In February 2011, a retirement party for Israeli Defense Force Chief of Staff Gabi Ashkenazi featured a video which mentioned Stuxnet among the successes of Ashkenazi's tenure. Later that spring, White House Coordinator for Arms Control and Weapons of Mass Destruction Gary Samore told PBS's Need to Know that "we're glad [the Iranians] are having trouble with their centrifuge machines," and "we - the US and its allies - are doing everything we can to make sure that we complicate matters further."
The Department of Defense acknowledged about a year ago that it had developed cyber-weapons and policies governing their use. Friday's New York Times story cited reports of isolated cyber-attacks on the personal computers of Al Qaeda members, but no U.S. use of cyber-weapons against another state has been officially acknowledged. Stuxnet represents the first sustained use of cyber-weapons against another nation's infrastructure, as well as the first cyber-warfare operation to do physical damage to a target.
Stuxnet achieved this by infecting the computers which controlled the centrifuges in Iran's uranium enrichment facility at Natanz. Designed to specifically target the proprietary software that runs Siemens industrial equipment (including the Iranian centrifuges), Stuxnet caused malfunctions which abruptly changed the speed of the centrifuges, damaging or destroying their sensitive parts.
In what one anonymous U.S. official called "the most brilliant part of the code," Stuxnet covered its tracks by sending the facility's control room false reports that all equipment was operating normally. This eventually led the Natanz facility to assign observers with radios to watch the centrifuges.
The virus's designers hoped "that the Iranians would blame bad parts, or bad engineering, or just incompetence." Iran's attempts to trace the problem proved as detrimental to their operations as the sabotage itself; they shut down many unaffected centrifuges along with the damaged ones.
Despite some claims to the contrary, Olympic Games appears to comply fully with the "rules of cyber-engagement" released last spring. That policy requires U.S. cyber-attacks to minimize collateral damage and prevent civilian casualties, which the precisely targeted nature of the Stuxnet attacks facilitated in a way that might have been impossible with conventional military action. The active involvement from President Obama described in the New York Times report is also in keeping with the rules of engagement, which require explicit authorization from the president for the offensive use of cyber-weapons against a nation with which the U.S. is not at war.
Intelligence-gathering operations are more broadly authorized under the Pentagon's rules.
The New York Times report on Stuxnet broke amid furor over the emergence of a remarkably sophisticated espionage worm called "Flame" targeting computers in the Middle East, especially Iran.
Like Stuxnet, Flame is widely assumed to be the work of a nation-state. Initial reports cited similarities in the way the worms spread, their targeted nature, and aspects of their programming structure as possible indicators of a relationship between the attacks.
However, a recent report in PCMag offered evidence that Flame is not related to Stuxnet. Despite initial speculation, Flame is not built on the "TildeD" platform shared by Stuxnet and its successor Duqu (presumably also a U.S.-Israeli project). Unlike Stuxnet and Duqu, which were both written entirely in C and C++, important sections of Flame are written in Lua. Also unique to Flame is its use of pre-built third-party modules for some of its functions. It now appears possible that Flame could be the work of someone other than the U.S.-Israeli team who designed Stuxnet and Duqu.
Officially, U.S. authorities "say that [Flame] was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attacks," but if Flame does prove to be a U.S. operation, it would be perfectly legal under the rules of engagement.
Sources within the Obama administration estimate that Olympic Games set Iran's nuclear program back by a year and a half to two years. Other analysts point out that Iran has steadily rebuilt its uranium enrichment program. In either case, the lasting legacy of Olympic Games may be simply "proof of the potential power of a cyberweapon."