The Stuxnet virus that emerged in 2010 was a cyber weapon jointly developed by U.S. and Israeli officials in an effort to shut down the development of Iran's nuclear program, according to a report from the New York Times.
Stuxnet, an effort known as Olympic Games among U.S. intelligence officials, started in the Bush administration and continued after President Obama took office. It was intended to only affect the Natanz plant in Iran, but was mistakenly unleashed on the global Web.
"It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country's infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives," according to the Times.
Olympic Games dates back to 2006 when the Iranians re-started their uranium enrichment program at Natanz. According to the Times, the Bush administration considered military action, until General James E. Cartwright and other intelligence officials suggested cyber attacks. After a months-long effort to infiltrate the Natanz computer systems, U.S. officials teamed up with a secret Israeli unit to release the Stuxnet worm, the Times said.
The actual deployment was carried out by "spies and unwitting accomplices," who physically carried thumb drives loaded with the virus into the facility.
By the time President Bush left office, no major damage had been accomplished, but the Times said he encouraged President Obama to continue the program, and he agreed.
By 2010, however, Stuxnet had been released in the wild after an engineer hooked up his laptop to the Natanz centrifuge and then hooked it up to the Web from home. "It began replicating itself all around the world," the Times said.
News of Stuxnet made its way into the press, with speculation focused on the Israelis and the Americans. In Jan. 2011, the Times first corroborated some of those reports, suggesting Stuxnet was jointly developed by the U.S. and Israel at the Dimona complex in the Negev desert. In April, a report from ISS Source said that a secret agent working for Israel planted the Stuxnet computer worm into Iran's nuclear power plant through a USB stick.
The recently discovered Flame malware is not part of Olympic Games, U.S. officials told the Times, but they declined to say whether the U.S. played any role in Flame. For more, see Flamer Isn't a Stuxnet Spinoff.
Sophos analyst Graham Cluley said in a blog post that the Times story is fascinating, but argued that "Stuxnet is old news. Even the recently discovered (and much hyped) Flame malware isn't an effective weapon today," he wrote. "There seems little doubt that state-sponsored cyberweapons (if that is indeed what Stuxnet was) continue to be developed - and chances are that it's not just the USA and Israel who are developing them but other developed countries."
"Question: To whom may the antivirus industry and its affected customers send the bill for the collateral damage done?" quipped security firm F-Secure in its own blog post.
Today's Times report is adapted from Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, a book from Times correspondent David E. Sanger that will be published on Tuesday.
Update: During today's White House press briefing, Deputy Press Secretary Josh Earnest said he was "not able to comment on any of the specifics or details that are included in that story," though he did say that leaking classified data "would pose a significant threat to national security." Earnest instead focused on President Obama's approach to Iran, which holds the country "accountable for living up to their international obligations."