The Shadow War

Someone is killing Iran’s nuclear scientists. But a computer worm may be the scarier threat.

By Christopher Dickey, R. M. Schneiderman, Babak Dehghanpisheh

The covert operations that target Iran’s nuclear program suddenly came to light with explosive violence and stunning implications for the future of warfare on Nov. 29.

On that Monday morning, dawn had just broken over a bustling Tehran so deeply shrouded in smog that many commuters wore face masks to protect against the fumes and dust in the air. On Artesh Street, among rows of new and half-finished apartment blocks, the nuclear physicist Majid Shahriari was working his way through rush-hour traffic with his wife and bodyguard in his Peugeot sedan. A motorcycle pulled up beside the scientist’s car. Nothing extraordinary about that. But then the man on the bike stuck something to the outside of the door and sped away. When the magnetically attached bomb went off, its focused explosion killed Shahriari instantly. It wounded the others in the car but spared their lives. A clean hit.

Only a few minutes later and a few miles away, in a leafy neighborhood in the foothills of the Alborz Mountains, again a motorcycle pulled alongside the car of another scientist, Fereydoun Abbasi Davani. A longtime member of Iran’s Revolutionary Guards, Abbasi Davani was named specifically in a United Nations sanctions resolution as “involved in nuclear or ballistic missile activities.” Sensing what was about to happen, he stopped the car, jumped out, and managed to pull his wife to safety before the bomb went off.

That same morning, in Israel, where many see Iran’s nuclear program as a threat to the very existence of the Jewish state, nobody celebrated the Tehran attacks publicly. Nobody claimed responsibility. But nobody denied it, either. And as it happened, that was the morning Prime Minister Benjamin Netanyahu announced that Meir Dagan would be stepping down after eight years directing the Mossad and its secret operations against Iran. Under a photograph of Shahriari’s thoroughly perforated Peugeot, one of Israel’s tabloids ran the headline LAST SHOT FOR DAGAN?

This longest day in a dark war was not over yet, however. In Tehran that Monday afternoon, at a press conference that had been delayed for two hours, Iranian President Mahmoud Ahmadinejad told reporters there was “no doubt the hand of the Zionist regime and the Western governments” had been involved in the attacks on the scientists. Then, for the first time, Ahmadinejad admitted something that his government had tried to deny until that moment: the high-speed centrifuges used to enrich uranium for use as nuclear fuel in reactors, or possibly for weapons, had been damaged by a cyberattack. Iran’s enemies—he didn’t specify which ones—had been “successful in making problems for a limited number of our centrifuges with software they installed in electronic devices.” Ahmadinejad assured the press that the problem was now taken care of. “They are unable to repeat these acts,” he claimed. Yet only a few days before, top Iranian officials had declared there was no problem at all.

Rarely has a covert war been so obvious, and rarely have the underlying facts been so murky. Conspiracy theory hangs as heavy in Tehran these days as the smog: a number of Iranian reformists opposed to Ahmadinejad have suggested the two scientists targeted in November, as well as another one, Masoud Ali Mohammadi, killed by an exploding motorcycle in January, were attacked by the regime itself because their loyalties were suspect. All reportedly sympathized to some extent with the opposition Green Movement. Both Mohammadi and Shahriari had attended at least one meeting of SESAME, a U.N.-linked research organization based in Jordan, where Israelis as well as Arabs and Iranians were present. “In the eyes of the Revolutionary Guards, everybody’s a potential spy,” says a former Iranian intelligence officer, who asked not to be named because of likely retributions inside Iran. “You are either 100 percent dedicated to the system or you are an enemy.”

So, who done it? The speculation itself is part of the psychological game played by various governments against Iran and to some extent against each other. In what Cold War spies would have called “a wilderness of mirrors,” different intelligence services may take credit, with a wink and a nod, for things they did not do, while denying they did what they actually did do. Enemies of Iran can take pleasure, for now at least, in the fear stirred up by uncertainty.

What we can deduce from the limited evidence that has emerged so far, according to former White House counterterrorism and cyberwarfare adviser Richard Clarke, is that at least two countries conducted operations against Iran simultaneously and not necessarily in close coordination. One likely carried out the hits; the other created and somehow infiltrated the highly sophisticated Stuxnet worm into computers of the Iranian nuclear program. In an interview, Clarke, who now runs a security-consulting business, strongly suggested Israel and the United States are the likely sources of the attacks. Other analysts suggest that France, Britain, and especially Germany, home of Siemens, which made the software and some of the hardware attacked by the Stuxnet worm, might also be involved. (A spokesman for Siemens says the company no longer does business with Iran.)

Historically, Israel’s covert operations have been on the violent side. When it comes to strategic murders, the Mossad has established a record 50 years long of “targeted assassinations,” often taking out scientists who tried to help its enemies develop weapons of mass destruction. It has carried out hits all over the Middle East and Europe. Iran knows this history well: Israeli intelligence sources, who decline to be named on the record, coyly suggest that the Iranian Revolutionary Guards are so convinced the Mossad directed the assassination plots that the Guards are taking extreme measures to protect the man considered next on the hit list: Mohsen Fakhrizadeh, a professor of nuclear physics whom the Israelis sometimes call “the Iranian Dr. Strangelove.” They believe he’s directing a secret nuclear-weapons program that is distinct from the public enrichment operations at Natanz and elsewhere, which are open to United Nations inspectors. (The official Iranian government position is that all its nuclear research and all its uranium enrichment are for purely peaceful purposes.)

The real damage to the Iranian nuclear program, however, was done by Stuxnet—the most sophisticated computer worm ever detected and analyzed, one targeting hardware as well as software, and a paradigm of covert cyberweapons to come. “Stuxnet is the start of a new era,” says Stewart Baker, former general counsel of the U.S. National Security Agency. “It’s the first time we’ve actually seen a weapon created by a state to achieve a goal that you would otherwise have used multiple cruise missiles to achieve.”

According to figures compiled by David Albright of the Institute for Science and International Security, a Washington think tank that follows the Iranian program closely, Tehran had major problems bringing new centrifuges online throughout 2009. The first 4,000 already installed at the Natanz facility continued to spin, but the next 5,000 were beset by delays. The worst problems came in an array of centrifuges known as A-26, which Iran began installing in late 2008—around the time Stuxnet was sent on its mission. In the late summer of 2009, half the functioning A-26 centrifuges had to be pulled out of service. At the turn of this year, Albright has learned, 1,000 more simply broke down. This may have been the “limited number” Ahmadinejad was talking about.

Not all of the breakdowns can be attributed to Stuxnet. Spies from Israel and probably elsewhere have long been involved in the sabotage of high-tech materials and components for the Iranian nuclear program that Tehran has had to acquire on the black market because of U.N. sanctions. As far back as April 2007, Eli Levite, then deputy director of the Israeli Atomic Energy Commission, told a closed forum that “our efforts gained time for us and have doubtlessly caused significant delays in the [Iranian nuclear] project.” The threshold at which Iran can be deemed a real nuclear-weapons power—which is the point at which Israel might launch a military strike to neutralize the threat, even if that risked dragging the United States into a third Muslim-world war—is pushed back by these covert operations. And that gives diplomacy a chance even if, as happened in Geneva last week, talks with Iran appear to make little progress.

Some press reports suggest that Stuxnet, too, is an Israeli weapon. They point to Tel Aviv’s prowess in computer science, especially in highly secretive groups like Unit 8200, the Israeli military’s legendary cyber outfit. They point to some code in Stuxnet that might suggest the date on which a prominent Jewish businessman was executed in Tehran in 1979, or the name “Myrtus,” which could be construed as a reference to Esther, the biblical Jewish queen of Persia who stopped a genocide, and so on. But Clarke cautions against such convoluted explanations. “The argument is that the Israelis are trying to subtly let the Iranians know it was them—not so subtly that they claim it publicly, but enough so the Iranians get to know,” he says. “Stay away from all that.”

What’s clear, says Clarke, is that major resources went into Stuxnet’s development. Microsoft estimates that building the virus likely took 10,000 man-days of labor by top-rank software engineers. Unlike most of the worms and viruses that wreak havoc on computers, this one was not designed to spread far and wide, doing damage wherever it landed. It is structured to target a specific set of devices manufactured only in Finland and Iran that are used to determine the speed at which the centrifuges rotate. If that speed is not modulated perfectly, vibrations make the machines break down, as indeed they have. According to Eric Chien of the antivirus firm Symantec, who has pulled Stuxnet apart like a strand of DNA, all that incredibly complex information was built into it before it ever infected the Iranian system. Clarke suggests that whoever developed Stuxnet probably had the same types of software and centrifuges on which to run tests. “That’s expensive,” he says. “That’s millions of dollars.”

Because the Iranian nuclear program’s computers are not connected to the Internet, the worm couldn’t have been introduced to them online. It’s presumed to have come from a USB thumb drive that the user may or may not have known was infected: Stuxnet was designed to do nothing to computers that didn’t connect with the control mechanisms it targeted. And then, depending on where it found itself, Stuxnet was supposed to self-destruct. According to Chien, different components of the virus have different “time to live” mechanisms. A USB key inserted into a newly infected computer can’t carry the worm for more than 21 days. After that, it disappears. The worm is programmed to quit exploiting one particular weakness in Microsoft’s software after June 1, 2011, and the worm’s overall time to live runs out in June 2012.

Why bother with an expiration date at all? The answer supplied by Clarke is so very Washington-centric that it’s almost a dead giveaway. “All that suggests to me a nation-state actor with a series of lawyers involved in looking at the covert action,” says Clarke, whose latest book is Cyber War: The Next Threat to National Security and What to Do About It. “I’ve never seen or heard of a worm before that limited its spread.” One explanation, of course, is that the creators of the virus hoped it would self-destruct before it was discovered. Another, however, is that the creators and their government hoped to limit their liability if they were ever exposed. A former senior intelligence official in the U.S. government has doubts the CIA could have vetted such an attack. “The applicable presidential findings we had in this arena did not cover this kind of activity,” he says. If the United States were involved, he adds, it would have had to be a Defense Department operation.

Whoever was behind this seminal cyberattack, the next such worm, which might be adapted from the Stuxnet codes that are now widely circulated, may not be so punctilious. (Imagine what WikiLeaks-supporting anarchists might do with it. Or the Iranians.) Like other weapons that have transformed the battlefields of the last century only to become so widespread that they threaten their creators, this worm could turn.

12-51