Massive US-planned cyberattack against Iran went well beyond Stuxnet

"Nitro Zeus" reportedly targeted Iran's air defenses, communications, and power grid.

The Stuxnet computer worm that destroyed centrifuges inside Iran's Natanz uranium enrichment site was only one element of a much larger US-prepared cyberattack plan that targeted Iran's air defenses, communications systems, and key parts of its power grid, according to articles published Tuesday.

The contingency plan, known internally as Nitro Zeus, was intended to be carried out in the event that diplomatic efforts to curb Iran's nuclear development program failed and the US was pulled into a war between Iran and Israel, according to an article published by The New York Times. At its height, planning for the program involved thousands of US military and intelligence personnel, tens of millions of dollars in expenditures, and the placing of electronic implants in Iranian computer networks to ensure the operation targeting critical infrastructure would work at a moment's notice.

Another piece of the plan involved using a computer worm to destroy computer systems at the Fordo nuclear enrichment site, which was built deep inside a mountain near the Iranian city of Qom. It had long been considered one of the hardest Iranian targets to disable and was intended to be a follow-up to "Olympic Games," the code name of the plan Stuxnet fell under.

The Nitro Zeus revelations first came to light in the documentary Zero Days, which describes the growing conflict between the West and Iran over its nuclear enrichment program and the disagreements that developed inside the US and Israel about how to stop it. The movie, which is scheduled to be first shown on Wednesday at the Berlin Film Festival, was directed by Alex Gibney, who has also directed the Oscar-winning Taxi to the Dark Side and We Steal Secrets: The Story of WikiLeaks. The NYT wrote:

Mr. Gibney and his investigative team, led by Javier Botero, interviewed current and former participants in the Iran program who revealed details of the effort to infuse Iran’s computer networks with “implants” that could be used to monitor the country’s activities and, if ordered by Mr. Obama, to attack its infrastructure. (Under rules laid out in presidential directives, some made public three years ago by Edward J. Snowden, the former National Security Agency contractor, only the president can authorize an offensive cyberattack, just as the president must approve the use of nuclear weapons.)

The New York Times conducted separate interviews to confirm the outlines of the program. The findings were described over the past two weeks to the White House, the Pentagon, and the Office of the Director of National Intelligence, all of which declined to comment, noting that they never discuss planning for military contingencies.

For the seven-year-old United States Cyber Command, which is still building its cyber “special forces” and deploying them throughout the world, the Iran project was perhaps its most challenging program yet. “This was an enormous, and enormously complex, program,” said one participant who requested anonymity to discuss a classified program. “Before it was developed, the US had never assembled a combined cyber and kinetic attack plan on this scale.”

Nitro Zeus had its roots in the Bush administration but took on new life in 2009 and 2010, just as Mr. Obama asked General John R. Allen, at United States Central Command, to develop a detailed military plan for Iran in case diplomacy failed. It was a time of extraordinary tension, as the Iranians accelerated their production of centrifuges and produced near-bomb-grade fuel and Western intelligence agencies feared they might be on the verge of developing a nuclear weapon. It was also a period of extraordinary tension with Israel, partly because of its presumed role in the assassination of Iranian nuclear scientists, and partly because of evidence that Mr. Netanyahu was preparing a pre-emptive strike against Iran, despite warnings from the United States.

According to two other publications that also had access to the documentary, Zero Days also claimed that for most of the time Stuxnet was in operation, its joint US-Israeli developers programmed it to infect only small numbers of computers inside Iran to prevent the outside world from learning about it. Then around 2009, Stuxnet began infecting unintended targets and eventually compromised the secrecy of the entire covert operation. As Ars reported in 2013, the discovery of an early Stuxnet version showed the worm was in development no later than November of 2005, almost two years earlier than had been previously thought.

According to an article published by BuzzFeed, the more aggressive version of Stuxnet was unilaterally released by Israeli personnel, to the consternation of many of their US counterparts.

"The secrecy of the operation has been blown," a US source told the filmmakers, according to BuzzFeed. "Our friends in Israel took a weapon that we jointly developed—in part to keep Israel from doing something crazy—and then used it on their own in a way that blew the cover of the operation and could've led to war."

At least some Stuxnet experts have disputed parts of the narrative laid out in Zero Days. Ralph Langner, one of the first security experts to determine Stuxnet was a cyberweapon that targeted Iran's nuclear program, told the Dark Reading publication that there's no evidence that Stuxnet's more aggressive spreading in 2009 was unintentional. "Multiple deliberate design elements in the 2009 version of Stuxnet," he said, "suggest that the developers had anything in mind but to stay under cover and widen the operation for another couple of years."