Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
39 David Albright et al., “Natanz Enrichment Site: Boondoggle or Part of an Atomic Bomb Production Complex?” ISIS, September 21, 2011, available at isis-online.org/isis-reports/detail/natanz-enrichment-site-boondoogle-or-part-of-an-atomic-bomb-production-comp.
40 Sometime in November 2010, technicians increased the number of centrifuges in six cascades from 164 to 174. See IAEA Board of Governors, “Implementation of the NPT Safeguards Agreement and the Relevant Provisions of Security Council Resolutions in the Islamic Republic of Iran” (report, November 23, 2010), available at iaea.org/Publications/Documents/Board/2010/gov2010-62.pdf. Although some observers believe that Iran increased the number of centrifuges in order to increase the amount of gas they could enrich in the cascades—perhaps to make up for time lost to Stuxnet—an IAEA source told me that the centrifuges were added at the latter stage of the cascades, which wouldn’t help increase the amount of gas that could be enriched in the cascade. He suggested that the additional centrifuges were simply meant to alter the configuration of the cascades in order to prevent any lingering copies of Stuxnet from working on them.
41 Sanger notes that the meeting between Panetta and Obama occurred midsummer, which would make it sometime in July, right around the time Stuxnet was exposed. But he also says within weeks after this meeting, the attackers unleashed two other versions of the worm. This suggests that new versions of Stuxnet were released after antivirus firms had already released signatures to detect it. As noted, no later version of Stuxnet has been found.
CHAPTER 18
QUALIFIED SUCCESS
A year after IAEA officials first began to notice technicians removing an unusual number of centrifuges from the underground hall at Natanz, the mystery behind the disappearing devices was at last solved. But with Stuxnet finally identified as the cause, and with details about the extensive resources behind it revealed, a couple of other questions begged to be answered: Just how successful had Stuxnet been at achieving its goals? And were the risks, costs, and consequences worth it?
“If Stuxnet’s goal was the destruction of all the centrifuges [at Natanz],” then it had certainly failed, David Albright of ISIS noted in a 2010 report. But if the goal was to destroy a limited number of centrifuges in order to set Iran’s uranium enrichment program back a bit, then “it may have succeeded,” he wrote, “at least for a while.”1
There was no doubt that Iran’s nuclear program was not where it should have been in 2010 when Stuxnet was discovered. The two massive underground halls at Natanz were capable of holding 47,000 centrifuges, yet more than a decade after their construction was complete, only one of the halls contained any centrifuges at all, and even that one was only one-third full. “Viewed from that perspective—what Iran had originally planned and where the program was now, the situation had worsened …” Albright wrote.
But how much of this was due to Stuxnet and how much to other causes—sanctions, diplomatic pressure, and the effects of other covert sabotage efforts—remains unclear. Ralph Langner believed the attack on Natanz was a huge success and had been “nearly as effective as a military strike” without all the risks and costs that a military strike entailed. The New York Times said Stuxnet appeared to be the “biggest single factor in putting time on the nuclear clock.”2
But there were varying opinions about just how many centrifuges Stuxnet affected and how far Iran’s nuclear program had been set back as a result.
Back in 2003, Israeli officials had warned that Iran would have enough enriched uranium for a bomb by 2007 if the nuclear program wasn’t halted. But two voluntary suspensions and a host of other factors had pushed back the clock, causing the Israelis to revise the bomb timeline first to 2008 and then to 2010. Now post-Stuxnet, the timeline was pushed back again.
When Mossad’s outgoing chief, Meir Dagan, left his job in early 2011, he told the Israeli Knesset that Iran now would not be able to produce a nuclear arsenal before 2015.3 US officials were less generous in their estimate, however, saying the program had been set back only eighteen to twenty-four months, rather than four years. According to US Secretary of State Hillary Clinton, the nuclear program had been “slowed” by technological problems and sanctions, but not to the point at which anyone could relax. “We have time,” she said, “but not a lot of time.”4 Ivanka Barzashka, a research associate at the Centre for Science and Security Studies at King’s College in London, believed the nuclear program had not been pushed back at all. She examined correlations between centrifuge numbers in the IAEA reports and the dates that Stuxnet was active in 2009, and found that evidence of the attack’s impact was circumstantial and inconclusive. If Stuxnet did have an effect on the uranium enrichment program, it wore off quickly.
“If sabotage did occur, it was short-lived and most likely happened between May and November 2009,” she concluded. “The malware did not set back Iran’s enrichment programme, though perhaps it might have temporarily slowed down Iran’s rate of expansion.”5
The Iranians, in fact, showed a remarkable ability to recover from any damages and delays that Stuxnet and other factors had meted out.
In early 2010, for example, shortly after technicians at Natanz replaced the centrifuges that were causing them problems, they stepped up their enrichment activity, feeding more gas into the centrifuges to increase the output they produced. As a result, Iran’s production of low-enriched uranium actually increased in 2010 and remained fairly steady thereafter. In the fall of 2008, for example, during the period that Stuxnet 0.5 was manipulating valves on the cascades, the centrifuges were producing only 90 kg of low-enriched uranium a month. At the end of 2009, when the next round of Stuxnet hit, the number dipped slightly to 85 kg a month. But in 2010, despite at least two more rounds of Stuxnet being released, the production level jumped to between 120 and 150 kg a month, and by 2011, Iran was producing a steady 150 kg of low-enriched uranium per month.
It should be noted, however, that these production numbers were still well below what the centrifuges should have produced by design. In 2010, it took 4,820 centrifuges to produce this volume of enriched gas, but in 2011 Iran was using 5,860 centrifuges to produce the same amount, suggesting the centrifuges were working less efficiently than they had before, possibly due to lingering effects from Stuxnet.6
But in the end, Iran was still making progress and still producing enriched uranium. By mid-2011, the centrifuges had produced a total of 4,400 kg of low-enriched uranium.7 What’s more, Iran had transferred at least 1,950 kg of this to the pilot plant to be further enriched to 19.75 percent, and by the beginning of 2011, Iran had 33 kg of uranium enriched to this level and announced plans to triple this amount.
Officials began enriching the uranium to this higher percentage following the destruction of centrifuges by Stuxnet. Iranian officials claimed they needed the higher-enriched uranium for cancer treatment research. But the higher-enriched uranium created a bigger problem for those opposed to the enrichment program, because at 20 percent enrichment, Iran was closer to the 90-percent weapons-grade material it needed for a bomb. “Starting from this higher enrichment level means that Iran cuts its time by more than half to produce weapons-grade, highly enriched uranium at about 90 percent enrichment,” noted Barzashka. In this regard, if “the purpose of [Stuxnet] was to decrease Iranian nuclear-weapons potential, it clearly failed.”8
Meanwhile, technicians also began installing more advanced centrifuges at the pilot enrichment plant at Natanz—IR-2m and IR-4 centrifuges. These centrifuges were much more efficient than the IR-1s. Whereas IR-1s could produce about 1.0 separative work units a day by design (though they seldom reached this level), the more advanced centrifuges could produce about three to five times this much. They were also more resilient than the IR-1s, which meant they were less prone to break under the kind of stress that Stuxnet produced.
Despite Iran’s seemingly quick recovery from Stuxnet, the digital weapon did have at least two longer-lasting effects on the enrichment program. First, it cut into Iran’s supply of uranium gas. Several tons of enriched uranium ended up in dump tanks during the period that Stuxnet was doing its sabotage. The waste likely wasn’t all due to Stuxnet, since technicians experienced a number of varied problems with the centrifuges, but Stuxnet no doubt contributed to the loss. As previously noted, Iran had a limited supply of uranium on hand (some imported from abroad, some mined from its own land), and any gas that was wasted cut into these reserves.
But Iran also had a limited supply of centrifuges and materials to make new ones. With sanctions tighter than ever before, replacing damaged centrifuges now would become more challenging. In 2008, the IAEA estimated that Iran had enough components and materials on hand to build 10,000 centrifuges.9 If Stuxnet destroyed 1,000 of these, this cut the stockpile of centrifuges by 10 percent. On top of this, Iran lost about 10 percent of centrifuges each year to normal wear and tear. At that rate of attrition, “after five years, these guys are cooked,” says the IAEA’s Olli Heinonen.10
But Heinonen in fact believed that more than 1,000 centrifuges were damaged by Stuxnet. He believed the number was closer to 2,000. He based his assessment on the fact that IAEA reports provided only a snapshot of conditions at Natanz during a three-month period and the fact that there had been problems with tamper-evident security seals at Natanz, which raised the possibility that Iran might have secretly replaced some of its damaged centrifuges without the IAEA knowing it.11
Although IAEA inspectors visited the plant twenty-four times a year on average, their reports were only publicly disclosed once a quarter, and the numbers in each report were based only on the number of centrifuges the inspectors observed at the plant during their most recent visit prior to each report. Thus, there were numerous opportunities in between visits for technicians to swap out centrifuges away from inspectors’ prying eyes—as long as they did so out of the view of the IAEA cameras, which were, in theory, supposed to make such hidden swaps impossible.
Every time a new module of cascades was constructed at the plant, technicians placed portable walls around it, and made it accessible by only a single door—a door that an IAEA camera was positioned outside to monitor. Tamper-evident seals were also placed on the joints of the walls, to ensure that the door was indeed the single means of entry, and that technicians couldn’t simply move the walls aside to remove centrifuges out of the view of the cameras. But there had been problems at Natanz with security seals mysteriously breaking.12 Iranian officials said the breaks were accidental and that operators had been told “to exercise more vigilance.” But Heinonen says “an unusual pattern” of broken seals emerged in Iran, raising the possibility that the walls might have been moved to furtively remove and replace damaged centrifuges.13
But even if the number of damaged centrifuges exceeded 1,000, Stuxnet clearly wasn’t the magic bullet it might have been had it been designed for more immediate and widespread destruction—to take out thousands of centrifuges in a single blow—rather than for slower, more incremental effects.
There were some, in fact, who wondered why Stuxnet hadn’t been designed for more quick and severe damage. But the risk of repercussions for such an aggressive attack was greater. If Stuxnet had destroyed 3,000 to 4,000 machines at once, there would have been little question that the cause was sabotage, and Iran would likely have perceived it as a military assault to be responded to in kind. So Stuxnet’s slow and stealthy attack was a compromise of sorts that made it harder to achieve more extensive results but also made it harder for Iran to make a case for striking back.
Questions remained, though, about what the digital weapon might have achieved had it not been discovered in 2010. Iran’s enrichment program was just getting under way when Stuxnet struck, and the code was still in the early stages of mayhem when it was exposed. There was no telling what it might have accomplished over time as Iran installed more centrifuges and cascades. For this reason Barzashka believed the attackers made a mistake in unleashing Stuxnet too soon. Had it been held in abeyance until more centrifuges were installed and more uranium gas was in play, its effects on the program might have been more detrimental.
One thing was certain: it would now be harder for the attackers to repeat the feat. Stuxnet, as Langner had noted, was effectively a one-shot weapon: the attack, once discovered, had made the Iranians more cautious, thereby making future attacks by the same means more difficult to pull off. After this, anytime equipment at Natanz malfunctioned, the Iranians would immediately suspect sabotage and respond more swiftly. At the first sign of trouble, technicians would shut down the systems and examine them more closely for malware or manipulation.
But regardless of all the factors that limited Stuxnet’s effects and cut its life short, the stealth attack made at least one group very happy.
“In the non-proliferation community, Stuxnet is just a welcome development,” David Albright says. “It means we won’t have to have a war with Iran.”14
BUT EVEN IF the Stuxnet operation bought diplomatic negotiators a little more time, the weapon clearly didn’t put an end to the political crisis or eliminate the possibility of war entirely. In 2011, a fifth round of UN sanctions was being levied against Iran, and the United States was planting Patriot missiles throughout the Middle East to protect its allies in the event of war. And Iran’s adversaries continued to employ lethal measures against its scientists in an attempt to cripple the nuclear program. In July 2011, a thirty-five-year-old physicist named Darioush Rezaeinejad was shot in the throat while picking up his daughter from kindergarten in Tehran. The two gunmen reportedly escaped on motorcycles. The IAEA said Rezaeinejad had been involved in developing high-voltage switches for setting off explosions needed to trigger a nuclear warhead.15
Then in January 2012, just a day after Israel’s military chief of staff said that 2013 would be a crucial year for Iran’s nuclear program, motorcycle assassins struck again in Iran, this time killing Mostafa Ahmadi Roshan with an explosive attached to his car. Roshan was initially identified as a thirty-two-year-old chemist who worked at Natanz, but an Iranian official later revealed he actually managed the Natanz facility and also worked procuring specialized equipment for Iran’s nuclear program. Roshan’s title was deputy for trade affairs at Kala Electronics Company, which provided parts for Natanz. Kala, of course, was one of the companies believed to have been struck by Stuxnet.16
A string of mysterious explosions also began to plague Iran. In November 2011, a massive explosion at a long-range-missile testing site killed more than thirty members of Iran’s Revolutionary Guard, including the general said to be the architect of Iran’s missile program.17 Iran denied the explosion was the result of sabotage, insisting that it was an accident. But a Western intelligence source told the New York Times that the actual cause mattered little. “Anything that buys us time and delays the day when the Iranians might be able to mount a nuclear weapon on an accurate missile is a small victory,” he said. “At this point, we’ll take whatever we can get, however it happens.”
That same month, a blast occurred at the uranium conversion plant in Esfahan, reportedly damaging a facility where raw materials for the uranium enrichment program were stored.18 Then in August 2012, explosions took out power lines feeding electricity from the city of Qom to the underground enrichment plant at Fordow. News reports indicated that one of the explosions occurred when security forces found an electronic monitoring device disguised as a rock and tried to move it. The booby-trapped device was reportedly designed to intercept data from computer and phone lines at the enrichment plant.19 In discussing the incident, an Iranian official revealed that power lines feeding electricity to the plant at Natanz were also taken out in a separate incident, though he didn’t say when or offer further details.20 Whatever Stuxnet’s gains, they weren’t enough to allow the West to relax.
None of this should have been a surprise to anyone, according to Henry Sokolski, executive director of the Nonproliferation Policy Education Center. Every president since Bill Clinton had tried covert operations to disrupt Iran’s nuclear program, he noted to the New Republic, and none had succeeded. “Bush did it, Obama is doing it,” he said. But covert action was never a substitute for sound foreign policy. It could only ever be “a holding action” not a solution, he said.21
Questions about the true nature of Iran’s nuclear pursuits remained. Toward the end of 2011, an IAEA report, described as “the most damning report ever published” about Iran by the agency, declared that the Islamic Republic had been working on building a nuclear weapon since 2003, despite earlier assertions by US intelligence that Iran had abandoned its weapons program that same year.22 The IAEA report wasn’t based on new information but on earlier documents the agency had received, including ones from the Iranian mole known as “Dolphin.” But although the information wasn’t new, the IAEA’s willingness to now assert that the documents were evidence of a nuclear weapons program was.23 Israeli prime minister Benjamin Netanyahu once again renewed his call for a military strike against Iran. This time, however, the Iranians welcomed it. Iranian foreign minister Ali Akbar Salehi said defiantly that Iran was “ready for war” with Israel.24
IF THERE IS one thing to be said in Stuxnet’s favor, it’s that the digital attack, along with other covert operations, did succeed in staving off an ill-advised military attack against Iran. And despite continuing tension and gamesmanship, nobody has been willing to take that step in the wake of Stuxnet—a fact that ultimately left the door open for historic negotiations with Iran over its nuclear program that began in 2013. The initial discussions resulted in Iran agreeing to freeze core parts of its nuclear program—including halting the installation of new centrifuges and limiting the amount of enriched uranium Iran produces—in exchange for some loosening of sanctions against it.25