New Stuxnet documentary that debuts tomorrow in Berlin reportedly reveals how Israel blew its cover, and the worm just one element of a much larger US-Israel cyber spy operation in Iran.

One of the most intriguing mysteries of Stuxnet is why such a super-stealthy operation spread beyond its targets in Iran’s nuclear facility and exposed the malware -- and ultimately, the attack campaign itself.

There has been plenty of speculation since Stuxnet first was discovered in 2010: A bug in the code caused it to go awry. Israel launched a splinter attack. The US and Israel just went for it in their quest to knock out the uranium-enrichment centrifuges at Iran’s Natanz facility. The debate has raged on.

Now a new documentary on the unprecedented cyberattack weapon maintains that Israel acted on its own with a more aggressive version of Stuxnet. According to media outlets that screened the film “Zero Days” – which was directed by Alex Gibney and debuts tomorrow at the Berlin International Film Festival -- Israel’s aggressive push to annihilate the centrifuges basically ended up derailing subsequent planned attacks by the US and Israel to thwart Iranian nuclear weapon development.

According to reports by Buzzfeed and The Jerusalem Post, both of which viewed the film in advance, the so-called Olympic Games operation that included Stuxnet was just one element of a much larger and more comprehensive cyber initiative called Nitro Zeus in which US (NSA and CIA) and Israeli intelligence agencies had infiltrated key systems supporting Iran’s infrastructure. The film also reveals that Britain’s’ GCHQ unit assisted in the operation, but that the US and Israel were the leads.

Stuxnet’s exposure in 2010 appears to have thwarted further plans to disrupt other nuclear ops, including sabotaging systems at Iran’s Fordow nuclear enrichment plant. “We spent millions on this operation to sabotage all of the computers of the Iranian infrastructure in the instance of a war,” The Jerusalem posts quotes a source from the documentary. “We penetrated the government, electricity lines, power stations and most of the infrastructure in Iran.”

Liam O’Murchu, a Symantec researcher who was one of the first to study the Stuxnet worm, says the film’s reported theory of a more aggressive variant of the Stuxnet malware follows what his team had witnessed. “We did see the threat get dramatically more aggressive, and the end of 2009 and the beginning of 2010, when they added the USB and zero-day” elements to spread it, says O’Murchu, who manages Symantec’s security response operations team for North America. 

Symantec in early 2013 revealed that it had discovered an earlier variant of Stuxnet that shows the attacks on Iran’s Natanz nuclear facility dated back as early as 2005, and targeted another piece of uranium-enrichment equipment. That new timeline and malware version revealed how the attackers became increasingly aggressive in their attacks with the later versions of the malware.

“When we looked at this telemetry, it did strike us as strange that previous versions had been so quiet and [spread] in such a discreet manner. And then this version spread all over the world,” recalls O’Murchu, who says he and his team were interviewed for the documentary and showed the film’s producers samples of Stuxnet code to support the technical details. O’Murchu is currently in Berlin to attend the film at its debut tomorrow.

“When we found those [earlier] versions [of Stuxnet], they were less aggressive in the way they spread” and the configuration files allowed the malware to spread for a shorter period of three weeks versus the later version, which spent up to three months of infecting machines, he says.

Ralph Langner, a renowned Stuxnet expert who is also interviewed in “Zero Days” but has not yet seen the film, says he’s not convinced of some of the conclusions reported by the media outlets’ early screenings of the film.  For one, he disagrees that the 2009 version of the Stuxnet worm was “hastily” developed, as some reports of the film suggest, he says.

“Code analysis does not show any evidence that the spreading that we have seen in the 2009 version of Stuxnet was unintentional,” say Langner, who is founder of The Langner Group. “I also do not see that the 2009 version of Stuxnet was developed hastily, thereby causing detection that prevented [widening] the whole operation to other targets like Fordow.”

Langner documented his postmortem study on Stuxnet in November of 2013, in a report entitled “To Kill A Centrifuge.”

“Multiple deliberate design elements in the 2009 version of Stuxnet suggest that the developers had anything in mind but to stay under cover and widen the operation for another couple of years,” Langner says. “Deliberate design features -- such as bringing 1,000 centrifuges simultaneously to overspeed and then almost [completely] stop -- rather seem to indicate that the perpetrators were eager to find out how incompetent Iranian engineers really were.”

“I'm more inclined to believe that the film does not accurately account the hidden plans of the perpetrators which it, obviously, cannot fully know,” he says.

[Symantec finds 'missing link' in infamous Stuxnet malware that sabotages another piece of equipment in Iranian nuclear facility--attackers became more aggressive as campaign ensued. Read Stuxnet, The Prequel: Earlier Version Of Cyberweapon Discovered.]

The Jerusalem Posts quotes an unnamed NSA source interviewed in the film, who says while US intel kept a “low profile,” the Israeli intelligence team “constantly pushed to be more aggressive.”
“Our friends from Israel took a weapon that we developed jointly, among other things in order to defend Israel, and did something crazy with it, and actually blew the operation. We were very furious,” The Jerusalem Post quotes a source as saying.

The two nations had agreed they could act on their own as long as they kept one another in the loop, according to the reports. That’s where the disconnect may have occurred with the louder, more aggressive version of Stuxnet allegedly unleashed by Israel.

Gen. Michael Hayden, who served as the director of the NSA and the CIA, is interviewed in the film, saying US officials worried that “the real goal of an Israeli attack [against the nuclear facilities in Iran], would be to drag us into war” with Iran.

Operation Olympic Games began in 2006 during President George W. Bush’s presidency, and carried over to President Barack Obama’s first term.

Symantec’s O’Murchu says the attacks indeed required heavy reconnaissance to pull off, and it makes sense that the attacks were part of a broader cyber operation against Iran. “We didn’t have any idea it was as large as what’s being described in the articles” about the documentary, he says, such as malware that could control systems other than centrifuges.

“We haven’t seen evidence of that … But it certainly fits with the strategies of what countries are thinking about in cyberwar nowadays,” he says.

Another mystery that remains unsolved is just what the official code name for Stuxnet really was. O’Murchu says he’s interested in seeing if the film reveals any hints there.

Related Stories

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights