recommended reading

Stuxnet Used an Old Movie Trick to Fool Iran's Nuclear Program

An Iranian technician works at the Uranium Conversion Facility just outside the city of Isfahan, Iran.

An Iranian technician works at the Uranium Conversion Facility just outside the city of Isfahan, Iran. // Vahid Salemi/AP File Photo

In a fascinating new read, Foreign Policy's Ralph Langer explored the deep history of Stuxnet, the super computer virus jointly authored, allegedly, by American and Israeli intelligence services to attack Iranian nuclear facilities. In doing so , he learned the real story involves not one, but two viruses, including an early, previously unreported version of the virus that relied on the cyber-attack equivalent of the camera trick from the movie Speed.

Langer's impressive three-year investigation into the virus's effects on the Iranian nuclear program shows how it effectively tore the system limb-from limb. It reportedly destroyed 1,000 out of 5,000 nuclear centrifuges and, by Langer's estimates, set the program back by two full years. Langer also discovered that a much more complicated and lesser-known gambit than the one we're most familiar with, was already being carried out years earlier. 

Stuxnet was allegedly jointly created by U.S. and Israeli military forces to infiltrate and then damage Iran's nuclear program from the inside. It became public knowledge after it malfunctioned — or worked a little too well — and infected millions of non-Iranian computers worldwide in the summer of 2010. 

But years before the Stuxnet we know and love went to work, an early variant targeted Iran's Natanz nuclear facility. Natanz employs a complicated, cascading system of safeguards to prevent centrifuges used for uranium enrichment from overheating and malfunctioning in order to overcome the country's outdated and dubious nuclear technology. Stuxnet's genius was in its ability to override those safety systems, by infecting computers that weren't connected to the outside world, and without anyone realizing it was being done until it was too late.

What the very early Stuxnet virus was designed to do is "so far-out, it leads one to wonder whether its creators might have been on drugs," Langer says. But in reality, they may have got the idea from a brilliant 1994 action flick starring Reeves and Sandra Bullock. 

A controller infected with the first Stuxnet variant actually becomes decoupled from physical reality. Legitimate control logic only "sees" what Stuxnet wants it to see. Before the attack sequence executes (which is approximately once per month), the malicious code is kind enough to show operators in the control room the physical reality of the plant floor. But that changes during attack execution.

One of the first things this Stuxnet variant does is take steps to hide its tracks, using a trick straight out of Hollywood. Stuxnet records the cascade protection system's sensor values for a period of 21 seconds. Then it replays those 21 seconds in a constant loop during the execution of the attack. In the control room, all appears to be normal, both to human operators and any software-implemented alarm routines.

In you're too young (or old) to remember Speed, a terrorist installs a bomb on a Los Angeles bus and holds the passengers, including a cop played by Reeves, hostage by watching them through a closed circuit camera. The cops win by intercepting the video feed, and replacing it with looped footage of bus; making it appear to the villain that everything was normal, while the hostages escaped unnoticed. There was a big explosion at the end, too. 

Anyway, once the Iranian system was blinded to the threat, American hackers remotely messed with the safety systems, routinely destroying Iranian centrifuges through coordinated attacks that would do significant damage without revealing the virus's existence. The version of Stuxnet that came later was much more abrasive, and did more damage in a shorter time. Staying hidden was no longer a goal, Langer posits, because once the damage was done, the creators wanted the world to know what they were capable of in the realm of cyberwarfare. It was time to reveal the secret.

Threatwatch Alert

Network intrusion / Spear-phishing

Researchers: Bank-Targeting Malware Sales Rise in Dark Web Markets

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.