Stuxnet: Signs Could Point to Russia


No smoking gun cleanly identifies the author of Stuxnet, but three broad streams of evidence point away from the usual suspects of Israel, the US, and China. The characteristics and development of the code, the delivery mechanism, and the geopolitical effects all suggest looking for a state that is willing to use proxies against relatively high-value targets in cyberspace and that had a good reason to derail, but not destroy, the intended targets if those were the Iranian nuclear reactors.

First, the code is highly modular, which is consistent with outsourced development in a large production project. Multiple authors are suggested not only by the enormous number of Windows versions and patch levels it accommodated, but also by the small inconsistencies across its many modules. A single professional team in a normally risk-averse Western agency, or in China, would have taken more care over consistency, lest a small error sink the whole complex and valuable application. That the final version was merely 'good enough' is, however, consistent with the output of cybercrime communities.

Second, since large-scale nuclear facilities are almost always individually tailored, the attackers would have needed a physically similar testbed to have reasonable confidence that the program would work. If the targets were Iranian nuclear reactors built with Russian expertise, close enough equivalents are found in Russia or its client states, not in the US, Israel, or China.

Third, the delivery is not consistent with the precision habits of highly professionalized intelligence agencies, but it is quite common in cybercrime to release applications widely, in pieces, and see what works. Stuxnet in its various iterations circulated for at least a year before it was publicly discovered in the summer of 2010. It is unlikely that a small, exceptionally talented group working professionally inside a state organization would toss such sophisticated future crown jewels into the world just to see whether they hit a target valued so highly. A broad spectrum of infections could have been an initial mistake by Western national agencies, which are culturally, legally, and financially loath to impose uncontrolled collateral damage, but such agencies are certainly unlikely to keep updating an application so seemingly out of control and possibly exposed. Their predilection for deep secrecy would have kept the variants down to one or two, with far more precise targeting and delivery, lest the whole project be exposed prematurely or, once exposed, be rendered unusable despite all the expense.

Furthermore, Stuxnet showed up relatively widely in Chinese manufacturing facilities. Given the level of expertise the Chinese government has sought in cyberspace for at least ten years, and the quality of other exploits widely viewed as Chinese in origin, deliberately allowing such blowback into Chinese production would at best have been far too unsubtle or unprofessional. At worst, the unfettered infections in China could easily be viewed as 'unpatriotic hacking'. Although the Chinese government is seen to use a wide variety of Chinese hacker groups as proxies, it is exceptionally hard on hacking that blows back on China itself.

Fourth, the physical and geostrategic effects did not destroy the Iranian reactors but reputedly disabled them in ways that seem simply to have delayed them, frustratingly. If a nation was behind this infection, it is worth asking who benefited from delay rather than destruction of the facilities. Had either the US or Israel orchestrated this outcome, permanently destroying the reactors would have been preferred. While the Stuxnet code could probably have accommodated a more extensive destroy command, it did not include one. For its part, China has shown no eagerness for the rise of a nuclear Iran with no Chinese strings for control if needed, and in case of a technical problem with large nuclear facilities, China is unlikely to be the first country Iran calls. Despite being seen as Iran's closest ally on the UN Security Council, China revealed Iran's nuclear arms ambitions to the UN in 2008.

For these likely suspects, logic and the available evidence about Stuxnet do not seem consistent with their known normative, institutional, or operational predilections. If the originating state was Russia, however, the pieces fit reasonably well. Russia has a healthy community of cyber experts on its territory, especially within its cybercrime networks; direct access to Russian-designed nuclear facilities to use as a testbed; experience with achieving aims through wide distribution; and a strong national reason to slow, but not destroy, Iranian nuclear ambitions. The Russian government is widely alleged to have successfully employed proxies in Estonia in 2007 and Georgia in 2008, and it reputedly has deep connections with elements of the highly skilled cybercriminal Russian Business Network (RBN). With its extensive list of cybercriminal associates providing exceptionally dispersed production, delivery, and targeting networks, the RBN business model would certainly include spreading infected thumb drives around without much concern for collateral damage.

Logically, Russia had a reasonable expectation of being called in to help with the Iranian reactors, as the nation whose firms designed and built them and which was eager to continue the relationship by reprocessing the fuel. For Russia, nuclear expertise has become a mainstay of export growth after oil and gas. But in 2007, nuclear cooperation between Iran and Russia deteriorated severely over insufficient payments by Iran. Relations have been up and mostly down since, with no reactors completed in Iran. In June 2010, the Russian government voted in the UN for a fourth round of sanctions on Iran for its non-compliance in nuclear matters. Nonetheless, once Stuxnet was publicly known, the Iranian government relented on the Russian offer rather rapidly. The Iranian Bushehr reactor is now scheduled to go to full operation in January, with Russian reprocessing of the spent fuel rods.

If this analysis is correct, there is no downside to Stuxnet for the Kremlin. It has proved a rather impressive example, with no national fingerprints on it, of a new wave of computer 'DNA swarming' operations. With it, Russia reacquired a paying client strongly dependent on Russian nuclear skills, facilities, and deliveries. Furthermore, admitting authorship indirectly in quiet corridor conversations could provide considerable international political leverage well beyond public view. Certainly the more that Russian reprocessing controls the inventory of weapons-grade material from Iranian reactors, the more kindly the US, Israel, and others will feel towards whoever orchestrated that outcome. Indeed, this is the outcome preferred by the US and at least five other Western nations.

Whoever did it first, the demonstration effect is already spreading. Despite its complexity, governments, computer industry experts, and cybercrime workshops are now trying to see whether they can re-engineer something like Stuxnet for whatever purpose they have in mind. The original programmers are still out there, able to do it or something like it again, probably for a healthy price that has presumably just gone up. And there will be buyers for such products among nations and non-state actors alike. As they buy and deploy, there will also be considerable institutional change at the national level in response; these likely institutional trends, developing as part of the emerging age of cybered conflict, will be the subject of the next set of blogs.

Chris Demchak is an Associate Professor at the US Naval War College and at the University of Arizona. The views expressed are her own and do not reflect those of the Navy or the U.S. government. This article is the fourth in a series titled Cybered Conflict.
