News & Analysis 13 min read

Stuxnet: The Cyber Weapon That Crossed the Rubicon

Mar 30, 2026

The boss asked for a piece on Stuxnet, and honestly, it is one of those stories that never stops being extraordinary no matter how many times you revisit it. In 2010, computer security researchers stumbled onto something unprecedented: a 500-kilobyte computer worm that had been quietly destroying Iranian nuclear equipment for years. The Stuxnet cyber weapon was not designed to steal data or extort money. It was built to break things, real physical things, using nothing but code.

Here is what happened, why it mattered, and why we are still living in the world Stuxnet created.

The problem: Iran’s nuclear program

By 2006, Iran had resumed uranium enrichment at its underground facility in Natanz, a sprawling complex with three underground buildings, two of which are designed to hold 50,000 centrifuges. The country’s president, Mahmoud Ahmadinejad, was publicly boasting about plans to expand the program. Western governments feared this was a path to nuclear weapons.

Military options looked terrible. The Bush administration believed that an Israeli airstrike on Natanz could trigger a regional war. Economic sanctions were stalled because European allies disagreed on how far to push. According to The New York Times, the CIA and NSA proposed a radical alternative: a cyberattack that could sabotage the centrifuges from the inside.

The classified program was codenamed Operation Olympic Games.

The Stuxnet cyber weapon: how it worked

Centrifuges are delicate machines. They spin uranium gas at supersonic speeds to separate the isotopes needed for nuclear fuel or weapons. Even small disruptions in their rotation can cause them to tear apart.

Stuxnet exploited this fragility. The worm targeted the Siemens software that controlled the centrifuges’ programmable logic controllers (PLCs), the small computers that manage industrial equipment. Once inside, it did two things: it made the centrifuges spin erratically, and it fed false data to the operators’ screens so that everything appeared normal.

The engineers at Natanz knew something was wrong. Centrifuges were breaking at unusual rates. But they could not find the cause because Stuxnet was hiding in plain sight, showing them recordings of normal operations while it destroyed the equipment underneath.

Getting inside an air-gapped facility

Natanz was not connected to the internet. This “air gap” (a security measure that physically isolates a computer or network from all external networks, including the internet, preventing remote cyberattacks) was supposed to make it immune to cyberattack. Stuxnet was designed to cross that gap via USB drives carried by people with physical access to the plant.

For years, the identity of the person who planted the worm remained a mystery. Then, in 2024, a two-year investigation by the Dutch newspaper De Volkskrant identified him: Erik van Sabben, a 36-year-old Dutch engineer recruited by the Netherlands’ intelligence service (AIVD) at the request of American and Israeli agencies. Van Sabben had a technical background, did business in Iran, and was married to an Iranian woman, making him an ideal candidate.

According to SecurityWeek’s reporting on the investigation, van Sabben may have introduced the malware through a water pump he installed at Natanz. Dutch politicians were never informed. “The Americans used us,” one intelligence source told the Volkskrant. Van Sabben died in a motorcycle accident in Dubai two weeks after the operation.

The damage

Between late 2009 and early 2010, Iran decommissioned and replaced about 1,000 IR-1 centrifuges at Natanz, according to data compiled by the Institute for Science and International Security from IAEA safeguards reports. While centrifuge breakage is normal at enrichment facilities, this level far exceeded expectations.

The worm infected over 200,000 computers worldwide after escaping the facility, though it caused no damage to systems that were not connected to the specific Siemens equipment it targeted. Some Obama administration officials estimated the program delayed Iran’s nuclear development by 18 months to two years, though Kim Zetter, the journalist who wrote the definitive book on Stuxnet, argued the attack was “premature” and “could have had a much bigger effect had the attackers waited.”

Discovery and fallout

Stuxnet was never supposed to be found. But a more aggressive version, deployed in 2009 or 2010, spread too far. An Iranian office unconnected to the nuclear program started experiencing mysterious reboots and crashes. A local security expert called a friend at the Belarusian antivirus firm VirusBlokAda, and the most consequential malware investigation in history began.

Researchers at Kaspersky Lab, Symantec, and other firms spent months reverse-engineering the code. They found it used four separate zero-day exploits (a zero-day is a software vulnerability unknown to its developers that attackers can exploit before any fix is available; the name refers to having zero days of warning), an unprecedented number for a single piece of malware, along with stolen digital certificates from Taiwanese companies. Kaspersky estimated it took a team of at least ten developers two to three years to build.

In June 2012, The New York Times revealed that Stuxnet was the product of Operation Olympic Games, a joint US-Israeli program begun under Bush and expanded under Obama. Neither government has officially acknowledged responsibility.

Why Stuxnet still matters

Stuxnet was the first publicly known cyberattack to cause physical destruction of infrastructure. As former CIA director Michael Hayden told The New York Times: “Somebody crossed the Rubicon.”

In July 2025, Kim Zetter testified before the U.S. House Homeland Security Committee that Stuxnet “provided stark evidence that physical destruction of critical infrastructure, using nothing other than code, was not only possible but also likely.” She noted that after Stuxnet, security researchers turned their attention to industrial control systems and found “not only software security holes but also whole architecture problems that couldn’t be fixed with a patch.”

The descendants of Stuxnet’s techniques have already appeared. As Zetter noted in her testimony, the 2015 and 2016 attacks on Ukraine’s power grid, attributed to Russia, caused blackouts affecting hundreds of thousands of people. The 2017 Triton malware targeted safety systems at a Saudi petrochemical plant, a step toward attacks that could directly endanger human life.

Marcus Ranum, one of the early innovators of the computer firewall, called Stuxnet “a stone thrown by people who live in a glass house.” The same industrial control vulnerabilities that Stuxnet exploited in Iran exist throughout American and European infrastructure. Fifteen years after its discovery, the world has not solved the problem Stuxnet revealed. It has only demonstrated, repeatedly, how real the threat is.

The boss asked for a piece on Stuxnet, and for anyone in cybersecurity, this is the case study that never gets old. In June 2010, researchers identified a 500-kilobyte worm that had been quietly sabotaging Iran’s uranium enrichment infrastructure for years. The Stuxnet cyber weapon represented a paradigm shift: the first confirmed instance of malware engineered to cause physical destruction of industrial equipment through manipulation of programmable logic controllers.

Operational context: Olympic Games

By 2006, Iran had resumed enrichment at the Fuel Enrichment Plant (FEP) at Natanz, an underground facility comprising three underground buildings, two of which are designed to hold 50,000 centrifuges. The Bush administration faced a strategic dilemma: sanctions were stalled, military strikes risked regional escalation, and the CIA’s prior sabotage efforts (introducing faulty components into Iran’s supply chain) had produced limited results.

According to The New York Times’ 2012 investigation, General James Cartwright of U.S. Strategic Command proposed a cyber operation targeting Natanz’s industrial control systems. The NSA developed the weapon in partnership with the CIA and Israel’s Unit 8200 (SIGINT). The program, codenamed Olympic Games, began under Bush and was accelerated by Obama.

The first phase involved deploying a beacon into Natanz’s Siemens control systems to map the facility’s architecture. The beacon “phoned home” to NSA headquarters with blueprints of the electronic directories and controller connections. The intelligence took months to collect.

The Stuxnet cyber weapon: attack architecture

Stuxnet’s architecture operated across three layers: Windows propagation, Siemens Step 7 software exploitation, and PLC payload delivery. The European Union Agency for Cybersecurity (ENISA) classified it as specialized malware targeting SCADA (Supervisory Control and Data Acquisition, a system for remotely monitoring and controlling industrial processes like power grids, pipelines, or nuclear facilities) systems running Siemens SIMATIC WinCC or STEP 7.

The worm exploited four zero-day vulnerabilities (flaws unknown to the software’s developers that attackers can exploit before any fix is available; the name refers to having zero days of warning) simultaneously, an unprecedented count for a single malware specimen:

  • An LNK (Windows shortcut) flaw for USB propagation
  • A shared print-spooler vulnerability for network lateral movement
  • Two privilege escalation exploits (attacks in which an intruder gains higher levels of access or control than originally granted, often by exploiting vulnerabilities in a system or application) to achieve system-level access on locked-down machines

Additionally, it used digitally signed drivers with private key certificates stolen from two Taiwanese hardware manufacturers (Realtek and JMicron), allowing it to install a kernel-mode rootkit without triggering security warnings. Kaspersky Lab estimated the worm required a team of at least ten developers working for two to three years.

Two distinct payload sequences

Stuxnet contained two separate sabotage sequences, each targeting different aspects of centrifuge operation. The Institute for Science and International Security (ISIS) analyzed both in detail using Symantec’s reverse engineering:

Sequence A (valve manipulation): As Kim Zetter detailed in her 2025 Congressional testimony, the first version targeted the exit valves on centrifuges. After recording 30 days of normal operation, Stuxnet closed the valves to prevent gas from exiting, causing internal pressure to rise to five times normal levels. It simultaneously disabled cascade safety systems and fed pre-recorded normal data to monitoring stations. This two-hour sabotage cycle repeated every 30 days.

Sequence B (frequency manipulation): According to Zetter’s testimony, the second version targeted the frequency converters controlling centrifuge rotation speed. After a 26-day recording period, it raised the motor frequency from the nominal 1,064 Hz to 1,410 Hz for 15 minutes. ISIS confirmed that 1,410 Hz corresponds to a rotor wall speed of 443 meters per second, near the mechanical limit of the IR-1 centrifuge’s aluminum rotor (440-450 m/s). After 13 days, it then dropped the frequency to 2 Hz for 50 minutes, effectively undoing any enrichment progress before restoring normal operation.
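As an added worked example (not code from the article or from any of the analyses it cites), the rotor-speed arithmetic behind the Sequence B numbers, plus the defender-side cross-check both sequences defeat: an out-of-band tap on the converter setpoints and a replay test on the HMI stream that the PLC is feeding “normal” data to. The 0.10 m rotor diameter, the drift/stall thresholds and the two sample streams are assumptions made for the illustration.

```python
"""Sequence A/B plausibility checks. Added example with constructed data."""
import math

# Assumption: IR-1 rotor diameter ~0.10 m. With this value the article's
# figure (1,410 Hz -> ~443 m/s rotor wall speed) is reproduced exactly.
ROTOR_DIAMETER_M = 0.10
NOMINAL_HZ = 1064                  # nominal converter frequency (article)
ROTOR_LIMIT_MPS = (440.0, 450.0)   # aluminum rotor mechanical limit (article)


def rotor_wall_speed(freq_hz: float, diameter_m: float = ROTOR_DIAMETER_M) -> float:
    """Peripheral speed of the rotor wall: circumference x rotations/second."""
    return math.pi * diameter_m * freq_hz


def classify_setpoint(freq_hz: float) -> str:
    """Label a converter setpoint by its physical effect (thresholds assumed)."""
    if freq_hz < 0.25 * NOMINAL_HZ:
        return "stall"        # e.g. the 2 Hz phase: enrichment progress lost
    if rotor_wall_speed(freq_hz) >= ROTOR_LIMIT_MPS[0]:
        return "overspeed"    # at or beyond the 440-450 m/s limit band
    if abs(freq_hz - NOMINAL_HZ) <= 0.02 * NOMINAL_HZ:
        return "nominal"
    return "drift"


def find_replay(samples: list, window: int) -> bool:
    """True if the newest `window` samples repeat the previous window exactly.
    Genuine telemetry carries noise; recorded-and-replayed HMI data does not."""
    if len(samples) < 2 * window:
        return False
    return samples[-window:] == samples[-2 * window:-window]


def audit(hmi_stream: list, tap_stream: list, window: int) -> list:
    """Cross-check what operators see (HMI) against an independent setpoint tap."""
    findings = [(i, hz, classify_setpoint(hz))
                for i, hz in enumerate(tap_stream)
                if classify_setpoint(hz) != "nominal"]
    if find_replay(hmi_stream, window):
        findings.append(("hmi", None, "replayed_telemetry"))
    return findings


# Constructed sample: the HMI repeats a 4-sample "normal" block while the
# independent tap sees an overspeed phase and a later stall phase.
HMI_STREAM = [1064.1, 1063.9, 1064.0, 1064.2] * 3
TAP_STREAM = [1064.0] * 3 + [1410.0] * 2 + [1064.0] * 2 + [2.0, 1064.0]

if __name__ == "__main__":
    for finding in audit(HMI_STREAM, TAP_STREAM, window=4):
        print(finding)
```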

Delivery: crossing the air gap

Natanz’s control systems were air-gapped from the internet. Stuxnet was engineered to propagate via removable media, particularly USB drives. The NYT reported that “there is always an idiot around who doesn’t think much about the thumb drive in their hand,” as one operation architect put it.

A critical piece of the delivery puzzle emerged in January 2024, when a two-year investigation by Dutch newspaper De Volkskrant identified Erik van Sabben, a Dutch engineer recruited by the AIVD (Netherlands’ General Intelligence and Security Service) in 2005 at the request of US and Israeli intelligence. Van Sabben infiltrated Natanz using his business connections in Iran and his marriage to an Iranian woman.

SecurityWeek reported that the malware was allegedly planted on a water pump van Sabben installed at the facility, though security researcher Ralph Langner, who conducted his own in-depth analysis of Stuxnet, noted that “a water pump cannot carry a copy of Stuxnet,” suggesting the actual delivery mechanism remains debated. Former CIA director Michael Hayden, interviewed by De Volkskrant, could neither confirm nor deny the water pump claim, citing classification.

Impact assessment

IAEA safeguards data analyzed by ISIS showed that between late 2009 and early 2010, Iran decommissioned approximately 1,000 IR-1 centrifuges in the FEP, roughly six cascades of 164 centrifuges each. Module A26 was hit hardest: 11 of its 18 cascades were disconnected, affecting 1,804 centrifuges. The peak installed count at Natanz had reached 8,692 IR-1 centrifuges before the incident.

Iran’s President Ahmadinejad admitted that Western adversaries “succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts.” The IAEA data suggests the number was not so limited. However, Iran’s LEU production rate actually increased during this period, suggesting the plant operators compensated by prioritizing repair of enriching cascades.

Assessments of strategic impact diverge. Internal Obama administration estimates claimed an 18-month to two-year delay. Kim Zetter argued at Stanford that “Stuxnet actually had very little effect on Iran’s nuclear program” and was “premature,” noting Iran made a net gain in uranium stockpile while under attack and subsequently upgraded to more resilient centrifuge designs.

The worm eventually infected over 200,000 computers worldwide after escaping Natanz, with the majority of infections concentrated in Iran. Outside the facility, it caused only nuisance symptoms (reboots, blue screens) on machines lacking the targeted Siemens configuration.

Discovery and reverse engineering

Stuxnet’s discovery began with a tech support call. An Iranian office was experiencing persistent reboots even after fresh OS installations. Sergey Ulasen at the Belarusian firm VirusBlokAda isolated the malware and recognized the zero-day exploits. He shared his findings with the broader security community.

Symantec’s Liam O’Murchu described it as “by far the most complex piece of code that we’ve looked at, in a completely different league from anything we’d ever seen before.” After three to six months of reverse engineering, his team determined “99 percent of everything that happens in the code.” The key breakthrough came when they matched the code’s parameters (eight or ten arrays of 168 frequency converters) to the IAEA’s published specifications for a uranium enrichment facility.

Kaspersky’s Roel Schouwenberg noted the four zero-days “all complement each other beautifully” and that the code was “too sophisticated to be the brainchild of a ragtag group of black-hat hackers.” The code embedded the string “DEADFOO7,” likely a reference to the aviation term “dead foot” (a dead engine).

Legacy and continuing relevance

In July 2025, Zetter testified before the House Committee on Homeland Security that Stuxnet “provided stark evidence that physical destruction of critical infrastructure, using nothing other than code, was not only possible but also likely.” She warned that “once security researchers turned their sights on these systems, they found not only software security holes but also whole architecture problems that couldn’t be fixed with a patch.”

The malware families that followed traced a clear lineage from Stuxnet’s innovations:

  • Duqu (2011): Intelligence-gathering malware sharing code with Stuxnet, targeting industrial firms for reconnaissance
  • Flame (2012): Espionage platform targeting Iranian government systems, with code at least five years old at discovery
  • BlackEnergy/Industroyer (2015-2016): Attacks on Ukraine’s power grid causing blackouts for hundreds of thousands, attributed to Russia
  • Triton (2017): Targeted the safety instrumented systems at a Saudi petrochemical plant, a step toward attacks that could cause physical harm to workers

Stuxnet’s strategic lesson is double-edged. It demonstrated that cyber operations could substitute for kinetic military action, potentially preventing an Israeli airstrike on Iran. But it also, as Zetter told Congress, opened an era where the same techniques “could be deployed against civilian and military systems worldwide, disrupting essential services, damaging equipment, and in some cases, causing loss of life.” The vulnerabilities in industrial control systems that Stuxnet exploited in 2007 remain pervasive across critical infrastructure globally. Fifteen years after its discovery, Stuxnet’s core revelation, that code can destroy, has only grown more urgent.
