(Photoillustration: Tablet Magazine; Natanz photo: Getty Images; code: Wikimedia Commons)

Israel may or may not have been behind the Stuxnet ‘worm’ attack on Iran—and it doesn’t matter whether it was

Yossi Melman
October 05, 2010

A year and a half ago, the German engineering giant Siemens won a contract to supply the Israel Airports Authority with a new conveyor system worth $50 million. The deal raised eyebrows inside and outside Israel. For years, Siemens had been the largest German trade partner with the ayatollahs in Iran, providing them with sophisticated hardware and software for key industrial plants, including oil rigs, gas pipelines, and refineries, to the tune of over one billion euros. Occasionally, it was reported that some of the Siemens equipment and “dual use” components had found their way to Iran’s nuclear installations. Why was the Israeli government allowing one of its state-owned authorities to do business with Siemens?

Complaints about the dubious deal were brought to Uzi Arad, the national security adviser who, together with his boss, Prime Minister Benjamin Netanyahu, rarely misses an opportunity to sound alarms over the threat of Iran destroying the Jewish state with a second Holocaust. Arad shrugged the situation off, explaining that the matter was neither under his watch nor part of his turf; instead it was for the Ministry of Finance. But that ministry also did nothing.

The Siemens deal was interpreted at the time as a typical Israeli bureaucratic entanglement—or an example of official Israeli hypocrisy. But with the discovery of Stuxnet, the malicious software—a “worm”—that was eating and damaging Iran’s nuclear computers and slowing down at least two key installations (the uranium enrichment facility at Natanz and the nuclear reactor at Bushehr), a third possibility suggests itself: a hidden connection between the Israeli intelligence community and a German company that was selling advanced machinery to Israel’s most dangerous adversary.

Computer experts agree that the Stuxnet worm was created by a powerful, resourceful, and technologically skillful organization—and not by freelance hackers. The worm contaminated Siemens control software that was sold by the company to Iranian civilian projects but somehow found its way into its nuclear sites despite U.N. Security Council sanctions.

The major question is how the creators of Stuxnet did it. There are a few possibilities. One is that the intelligence agency behind the attack recruited a Siemens programmer who sold his secrets for financial gain or for other reasons. Another explanation could be that Siemens, suffering from a degree of liability and guilt—Germans perpetrating a second Holocaust—willingly cooperated with Israeli intelligence, which in return offered Siemens a way out of being implicated if and when the worm was discovered.

This last seems to be the least plausible scenario, since the German corporation admitted that 15 of its customers have been affected—including chemical and power plants and production facilities. Five of the 15 companies affected have their headquarters in Germany, while the others are based in the United States, other Western European countries, and Asia. But even if Siemens itself didn’t cooperate, it’s also possible that the BND—Germany’s foreign espionage agency, which is a strong ally of both the Israeli Mossad and the CIA and is a partner in the battle against the Iranian nuclear program—was somehow involved in the operation.

Whatever the facts are, Siemens has invested extensively in Israeli high-tech and industrial companies.

According to computer security experts, the worm managed to penetrate the Siemens software and find its way into Iran via Taiwan. Two and a half years ago, the writers of Stuxnet broke the security protections of two Taiwanese firms and planted the worm on their equipment. One, JMicron, is a small and relatively unknown company. The other, Realtek Semiconductors, is large and fairly well-known in its field. A few months later, both the Mossad and the CIA filed complaints to the Taiwanese government that Iranian agents had penetrated the market and acquired 100 transducers, which were secretly shipped to Tehran. The transducers, an essential component for operating centrifuges in Natanz, were originally manufactured in Europe and then sold to a company in Taiwan, which then sold them to Iran’s defense ministry.

Can it be that the complaints about the transducers were a decoy to divert attention from the original Mossad or CIA break-in via Taiwan? In the dark world of secret intelligence operations, characterized by disinformation and webs of lies, everything is possible.

There could be, however, a simpler version of what happened.

Iran’s intelligence minister said on Saturday that authorities had arrested several “nuclear spies” who were working to derail Tehran’s nuclear program through cyberspace.

Without saying how many people had been arrested or when, Heydar Moslehi, the intelligence minister, was quoted on state television’s website as saying Iran had “prevented the enemies’ destructive activity.” He added that intelligence agents had discovered the “destructive activities of the arrogant (Western powers) in cyberspace, and different ways to confront them have been designed and implemented.” Behind Moslehi’s vague words was the suggestion that the enemies of Iran had planted the worm using the techniques of classical intelligence work: recruiting Iranian agents and providing them with the malicious software.

If indeed Israeli intelligence independently (or in a joint operation with its U.S. counterpart) is behind this unique and unprecedented cyberattack, they will never admit it. These are the rules of the espionage game. You spy, you steal secrets, you bug phone lines, you plant viruses that sabotage, and you even kill, but you never take the responsibility, even if you are caught red-handed. A worldwide search is now under way for clues to the identity of the creators and spreaders of the worm.

Last week the New York Times reported the discovery of the word “Myrtus” in the Stuxnet code, which corresponds to the Hebrew word for the Bible’s Queen Esther. The article noted that the Book of Esther describes “the Jews preempt[ing] a Persian plot to destroy them.” The computer security firm Symantec analyzed another data point about the worm. It found the digits 19790509. This is thought to be an infection marker, which, if set correctly, allows infection to occur. The digits appear to point to the date of May 9, 1979.

While a variety of historical events occurred on May 9, 1979, one of them, according to Wikipedia, is that “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. [Elghanian] was the [president of Tehran’s Jewish society] and the first Jew and one of the first civilians to be executed by [Iran’s post-revolutionary] Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.”

These explanations have an anecdotal value. When you plan such an operation, you check and recheck and double check each digit and each letter. Israeli and U.S. intelligence are not so sloppy as to leave behind such clumsy fingerprints. If they wanted to engage in a mind game, they would have done it in a more amusing and sophisticated manner.

The evidence pointing to Israel remains circumstantial. Israel is threatened by Iran, whose president, Mahmoud Ahmadinejad, continues to talk about the need for history to wipe the Jewish state from the face of the earth. Israelis fear—rightly or wrongly—that once Iran has nuclear weapons, Israelis might be victims of a nuclear attack. The Israeli government has attempted to mobilize international diplomatic pressure on Iran and utilize friendly intelligence agencies to collect data on Iran’s nuclear program. Since Meir Dagan was appointed as head of Mossad eight years ago and assigned to coordinate Israeli efforts, Iran’s nuclear program has topped Israel’s list of intelligence priorities.

Israel has recruited top agents among the upper echelon of Iran’s nuclear scientists and directors. Alone and together with other international espionage agencies, Israeli intelligence has been trying to sabotage Iranian facilities in order to slow down progress toward a bomb. Iran’s uranium enrichment complex is the prime target for any future Israeli or U.S. military assault. A glimpse into the shadow war against the Iranian nuclear program was provided in the sections of James Risen’s 2006 book State of War, in which he detailed joint Mossad and CIA plans to sabotage the electrical grids leading to Iranian nuclear sites—plans that failed to materialize.

Over the past decade, Mossad and CIA planners successfully set up front and dummy companies all over the world with the aim of gaining the trust of Iranian purchasing networks and then selling them flawed components—a method known in intelligence parlance as “poisoning” enemy systems. So, why not try to “poison” Iranian systems further by planting malicious worms?

Israeli intelligence was one of the first in the world to understand the importance of computers and to apply them for military-intelligence use. Rafi Eitan, a former Mossad agent who specialized in covert operations and served as a chief adviser to several prime ministers, told me that already in the late 1970s he realized the significance of the evolving Internet and the virtual world for intelligence-gathering operations. Since then, Israel’s Unit 8200 of the military intelligence branch—the equivalent of the National Security Agency in the United States—has been at the forefront of military efforts into technological attacks. Unit 8200 pioneered sigint (signals intelligence—listening to, intercepting, and deciphering enemy communication lines), elint (electronic intelligence), visint (visual intelligence—the collection of data and imagery from satellites and reconnaissance flights), and, in the last decade, netint.

Netint is the art of using cyberspace for intelligence purposes: You engage and try to recruit enemy agents by emails and chat rooms, send coded messages, “poison” computers. A few months ago, General Amos Yadlin, the commander of Israeli Military Intelligence, gave a public lecture at the Institute for National Security Studies at Tel Aviv University. His topic was the changing nature of intelligence in the 21st century. The virtual world, he said, is important to the daily work of intelligence in two ways: defending one’s secrets and assaulting the enemy. His lecture was delivered long before the world learned about Stuxnet.

Yossi Melman is a senior writer on strategic affairs, intelligence, and nuclear issues for Haaretz. He is writing a book about the Mossad’s wars in the last decade.

Yossi Melman is a longtime reporter on strategic affairs, intelligence, and nuclear issues. He is writing a book about the history of the Israeli intelligence community.