How the ‘NYT’ swallowed the Stuxnet worm


On January 16, The New York Times ran a front-page story by William Broad, John Markoff, and David Sanger entitled “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” supposedly unveiling the joint US/Israeli role in creating and testing the now-famous Stuxnet computer virus reportedly employed against Iran’s nuclear program. According to the article, this piece of malware is responsible for setting back Iran’s nuclear program by possibly years.

The reaction in the blogosphere and news media since then has been one of widespread awestruck acclaim, with various outlets referring to the advent of Stuxnet as an “Oppenheimer moment” or “the Hiroshima of our time”, along with slews of hypothetical analyses of the world-changing implications of such technology.

I was astonished at the near-total acceptance of the claims laid out by the NY Times article. At first impression, the major themes of the commentary on Stuxnet sounded like science fiction and propaganda, and upon examination of the article, many, many questions arose in my head. I do not doubt the existence of Stuxnet, nor the revelation that Iran was indeed the intended target of the malware distributed globally; high officials of the Iranian government, including Ahmadinejad himself, have conceded in recent months at least some damage caused by the attack. However, the scope and scale and level of success of the Stuxnet virus implied by the coverage of the NY Times story warrant far more scrutiny than they have up to now received.

I was curious enough to start digging. What I’ve found leaves it very difficult to believe that The New York Times correspondents, following the culmination of a three-month investigative process, could have been unaware of the massive volume of publicly-available data that undermine the reporting they offered. Even more interesting, most of that contrary information is included inside the very same reports The New York Times cites in its evidence for its claims. What I have found follows:

The New York Times article is deliberately misleading, excluding publicly-available evidence that casts doubt on the facts presented within it. Chiefly it has excluded the likelihood that the Stuxnet operation was a failed or only minimally successful experiment that did next to nothing in terms of setting back Iran’s nuclear program, as demonstrated by Stuxnet’s inconsequential effect on the production of low-enriched uranium – an effect documented in the graph below from the very report that The New York Times cites as the authoritative record for the timeline it puts forward, but a graph it failed to report to readers.

This graph, showing steady increases in low-enriched uranium production at the Natanz plant in Iran, was published in a document that The New York Times relied on for its story. But the Times did not provide this information to its readers.

Furthermore, technical analysis of the actual virus code shows a series of software revisions in 2010, long after the 2009 period of damage the authors assert was effected by Stuxnet – implying much less confidence in the success of the virus on the part of its developers, a conclusion again supported by quantitative data illustrating rising Iranian output of low-enriched uranium over the past four years. This conclusion is borne out by recent analyses of the software that, once again, the Times failed to mention.

I can only speculate on the motives of the authors in writing the piece, but here are the points that are making me twitch:

The article is almost completely unsourced, without names attributed to assertions of fact, with a few exceptions, which I’ll expand upon below and which only cast doubt upon the veracity of the story being reported. In the piece the authors claim that it was based on interviews conducted by The New York Times over the past three months, but aside from a few opinions from academic types and security experts, there is no source cited for the chronology of events in the piece apart from a section dealing with the AQ Khan nuclear network and Israel’s nuclear program in the 1970s – which is irrelevant to the major claims made by the article relating to Stuxnet and its development, testing and subsequent deployment against the Iranian uranium enrichment site at Natanz.

The piece begins its timeline with the German company Siemens, producer of tons of industrial equipment, cooperating since 2008 or so with the US government in experiments to supposedly identify weak points in the control systems for the various products they sell. That time frame raises questions.

The article asserts that the cooperation between Siemens and the Idaho National Laboratory began at some point in 2008, and cites as evidence of this cooperation a link to a PowerPoint document presented at a security conference held in July of that year with Siemens and INL as participants detailing various vulnerabilities found in the software used to run industrial control systems such as water plants, power grids, etc, over the past few years leading up to the conference.

A paragraph or two later, the authors cite some Wikileaks releases to corroborate their narrative: State Department cables from April 2009 about efforts to interdict shipments of industrial equipment, manufactured by Siemens, to Iran. The article continues in the next sentence to say that the Emirates assisted in blocking a similar shipment of Siemens computers to Iran, seemingly around the same time.

Given the premise of the article – that recent setbacks in Iran’s uranium enrichment program were the work of the United States and Israel employing a computer virus – interrupting hardware shipments would seem to make little sense. If, indeed, the work on the Stuxnet virus and the related research into vulnerabilities in the software and computers managing the workings of massive industrial infrastructure were, as the article implies, undertaken in an effort to create some kind of supervirus capable of sabotaging Iran’s nuclear plant, why would the article’s heroes want to block such shipments? If, as Markoff, Broad and Sanger forcefully suggest, Stuxnet was designed as a means of disabling enemy infrastructure remotely, or at least sabotaging it, what could possibly explain the efforts to prevent “poisoned”, or weak, easily exploitable hardware and software from reaching Iran? Wouldn’t this be exactly the make of equipment they’d want to reach that country, the one they had been developing a secret killswitch for – rather than comparable technology purchased from elsewhere on the world market?

If the Times is right, and Stuxnet was designed/tested by the US/Israel, and was actually intended as a means of sabotaging the facilities at Natanz and elsewhere, the only possibilities I can think of to explain the effort at preventing this equipment from reaching Iran were a) perhaps the Stuxnet project/research wasn’t far enough along in 2009, not yet operable as a means to cause any setbacks to the enrichment program; b) it did not actually exist at all at the time the shipments took place, or c) the timeline has been carefully edited to be a self-serving fairy tale, speculating on/claiming causation for a series of unrelated events, and perhaps taking credit for them, or exaggerating their significance.

The New York Times’ timeline is so hazy– and so at odds with the chronologies contained in public reports the NYT points to as its own sources– that I conclude the article is deliberately vague.

Here is The New York Times timeline:

2008: Cooperation begins between Siemens and Idaho National Lab.

April 2009: Wikileaks cables from this date detail efforts by the United States to block shipments of Siemens industrial equipment.

June 2009: Stuxnet is discovered.

Late 2009: The IAEA reveals that centrifuges have been destroyed, under unknown circumstances.

Broad, Markoff, and Sanger offer June 2009 as the date of the discovery of the Stuxnet virus with no source cited for the claim, not even an “unnamed official” (the go-to source for these reporters in their work, particularly Broad and Sanger), a news report, or any other document. This is a significant claim because the malware now described as Stuxnet was first revealed to the world on June 14, 2010 by VirusBlokAda – the Belarusian security firm most widely credited with discovering the worm – according to the consensus of VirusBlokAda, ESET, Symantec, Kaspersky Research Labs, and, most tellingly, The New York Times’ own earlier story in November 2010 that accepted this consensus. This consensus described an infection that suddenly popped up on tens of thousands of computers worldwide, with 60% of these based in Iran, followed in numbers by Indonesia and India. In July 2010, Symantec followed VirusBlokAda with its own detection of Stuxnet. Microsoft issued warnings regarding the vulnerability of Windows to Stuxnet on July 16, and two weeks later, in August 2010, issued a security patch plugging the discovered vulnerabilities in its operating system.

Following the definitive discovery in June 2010, Symantec and ESET released dossiers on the Stuxnet worm stating that isolated variants of the worm did indeed appear in 2009, and were retrospectively determined to be earlier variants of Stuxnet. But these papers provide further details that cast doubt over the NYT’s timeline: they state that components of the Stuxnet code were in fact developed in 2009 and subsequently revised throughout 2010 (evidenced by timestamps discovered within code sections). Possibly these references were the cause of The New York Times setting June 2009 as the time of the virus’ initial discovery? But if this ambiguity constitutes the evidence for the NYT’s purported discovery date, the exclusion of the overwhelming volume of technical documentation and news reports putting that date in 2010 should at the minimum have invited further scrutiny of the article from media critics discussing the piece, such as Robert Dreyfuss and Eric Alterman of The Nation, both of whom seem to have missed the contradiction in discovery dates (and more importantly, its almost complete lack of citations, which you’d think media critics would notice right away).

Later in the Times article, perhaps the most fascinating claim about Stuxnet’s efficacy in setting back Iran’s nuclear program in the entire piece is made:

“[O]ne small section of the code appears designed to send commands to 984 machines linked together [out of 8000 centrifuges in total].

Curiously, when international inspectors visited Natanz in late 2009, they found that the Iranians had taken out of service a total of exactly 984 machines that had been running the previous summer.”

The article attributes the 984 coincidence to a German security analyst, Ralph Langner, writing up the workings of Stuxnet (Langner first published in Fall 2010 and subsequently revised and summarized just a few weeks ago here) and the conclusions of those international inspectors, employees of the IAEA, the UN nuclear agency tasked with enforcement of the Non-Proliferation Treaty, in late 2009.

The IAEA publishes quarterly reports, available in the public domain, regarding its continued inspections of Iran’s nuclear facilities. I have searched through the reports of the IAEA from that period and have found nothing so far matching this claim. Perhaps there do exist additional documents or sources produced by the agency, from which the journalists draw this information, that are as yet not publicly available. But in the NY Times piece, the findings of “international inspectors” are given the credit for this figure; and the findings of those international inspectors from around the period of late 2009 are here:

IAEA Board Report – February 2010

IAEA Board Report – November 2009

IAEA Board Report – August 2009

None of these documents contain figures that corroborate the 984 coincidence.

Oh, but several paragraphs later, the NY Times article informs the reader that the actual source for the “984” figure is a report issued last month by ISIS, the Institute for Science and International Security, a thinktank that touts itself as “a non-profit, non-partisan institution dedicated to informing the public about science and policy issues affecting international security”.

This is where things become extremely confusing.

For the Times authority Ralph Langner also relied on ISIS. As I said, the Times credits Ralph Langner for the “984” discovery. Langner’s claim is here, a blog post published by the researcher dated December 29, 2010. Here is Langner’s description of the “attack code”:

“FC [Function Call] 6068 is called from FC 6070 six times, passing values from 1 to 6. Funny enough, 164 centrifuges are in one IR-1 cascade. Six cascades translate to 984 centrifuges.

Now go back to the ISIS report. The number of damaged cascades is six. That’s how you arrive at the “about 1,000 centrifuges”. The exact number is 984. Bottom line: We bet a gefilte fish that the damaged centrifuges were attached to one infected 417.”

Langner has seized on what he presents as a suspicious coincidence between the actual Stuxnet code and the ISIS report, which was based on IAEA documents. But this coincidence is misleadingly presented by The New York Times not as a bet on a gefilte fish, but as some kind of smoking gun. The ISIS report on which Langner bases this connection, and which The New York Times later in its article also cites, states the following:

“The February 18, 2010 IAEA safeguards report on Iran indicates that centrifuges in 11 of the 18 cascades in module A26 were disconnected, and these cascades were by implication no longer under vacuum. A module contained a total of 2,952 IR-1 centrifuges in 18 cascades; these 11 cascades contained 1,804 IR-1 centrifuges. Six cascades in module A26 continued to be fed with uranium hexafluoride. All but one cascade in module A24 continued to be listed as enriching uranium. In addition, cascades in module A28 were not under vacuum or being fed uranium hexafluoride, but centrifuges in two cascades were being removed.”

The math in the ISIS analysis leaves a wide range of ambiguity, which is extremely interesting considering the NY Times article asserts an exact figure for disabled centrifuges, with no margin of error: 984. As Broad, Markoff, and Sanger, and Langner on his website, purport, this conforms to a line of code in Stuxnet specifying the number of centrifuges to be disabled by the virus: 984.

Let me summarize the actual numbers in the ISIS report:

–Within the data set of affected cascades there are 3 Modules.

–1 Module = 18 Cascades

–1 Cascade = 164 Centrifuges.

–Thus, 1 Module = 2952 Centrifuges.

–The sum total of the centrifuges housed by the 3 referenced modules (functioning at 100% capacity) is 3 X 2952, or 8852 centrifuges.

–For the first module, A26, 11 of the 18 cascades were disconnected, presumably due to device failure. This would translate to 1804 centrifuges destroyed or otherwise out of service for this one module. The piece then notes that only 6 cascades remained intact, leaving only 984 online in module A26 – not the 984 destroyed according to Langner.

–For the module A24, one cascade is inoperable. This accounts for an additional 164 centrifuges inoperable.

–And finally, for module A28, 2 cascades were “being removed”. This would translate to a further 328 inoperable centrifuges.

These figures add up to a total of 2296 destroyed, removed, or otherwise unusable centrifuges. This does not come close to the conclusions drawn by Langner, or by The New York Times, based on the data extrapolated by ISIS from IAEA reports. Even if only a single module, A26, were used as the data set for this conclusion, then assuming that every centrifuge in each disconnected cascade was destroyed, there would be at least 1804 wrecked centrifuges, not the 984 that either piece claims.

Of course, there is no way of sorting out the exact cause of failure for any of the individual devices. Other reports by ISIS, such as this one, detail other possibilities for centrifuge loss, in addition to Stuxnet, such as regular mechanical breakdown; inability to smuggle or reverse-engineer modern equipment: “Stuxnet is not the only candidate for explaining breakage and other problems. Iran may also have significant centrifuge manufacturing and assembly problems, including shortages of domestically-produced, high quality centrifuge parts. The enrichment plant has an elaborate computer control system which may have caused other problems.”

These possibilities are excluded from The New York Times piece, leaving an opening that makes it, I believe, at minimum reasonable to question the level of success Stuxnet had in setting back Iran’s enrichment capabilities, if we accept the timeframe of late 2009 as the period of the damage.

Returning to Langner’s post, further doubts are raised. What Langner’s blog post asserts with near certainty, unless this is a simple, uncorrected error, is that the Stuxnet code has been carefully designed to destroy exactly 984 centrifuges within a specific cluster of devices. As I said, astonishingly, the passage in the piece he himself cites yields this figure for the number of centrifuges remaining intact in just one of the modules. By examining the very document Langner cites as the evidence for his voilà moment, it would seem that only by looking at just one of the three damaged modules reported on by ISIS can a reader arrive at the 984 figure he touts, and this number seems to designate the quantity of surviving centrifuges. I cannot possibly believe that this error in simple arithmetic was missed by Langner if his report was ever at all reviewed beyond a first draft. I can only speculate that Langner attempted to latch onto a numerical connection between his own analysis of the Stuxnet code and the estimations of ISIS, and clung onto this tenuous linkage out of laziness, or a lack of faith in a general audience to dispute the conclusions of an expert in an extremely technical field.

Assuming the best intentions in Langner’s connection here, that what he meant to say was that the code was designed to actually leave intact 984 centrifuges in one of these groupings, further questions are raised. Why leave intact (or destroy) just a fraction of the purported 8000+ centrifuges spinning? Why not disable all of them, or at least try to? If the virus were indeed meant to render the nuclear plant as comprehensively inoperable as possible, then it would seem that the virus was not very efficient, though technologically impressive nonetheless. If the cyberattack were not 100% successful, and only a portion of the devices were successfully sabotaged, then where exactly does this 984 figure highlighted by Markoff, Broad, and Sanger in their piece come from, aside from a pattern in the code, unconnected to the purported yield of its destruction? It seems implausible that it could come from the ISIS analysis, which mentions a vague figure of “around 1000” but whose actual assessment of ongoing damage seems to undermine this quantity. Or, it could simply be the unskeptical echoing of Langner’s gotcha! moment, due to the unwillingness of the reporters to test the veracity of the facts dangled before their eyes by difficult-to-challenge scientific experts and pseudoscientific documents. The subject matter definitely has an aura of indecipherable technological wizardry, but this is no excuse for the authors of this piece not to scrutinize their own sources, either themselves or by interviewing other appropriately trained experts.

From what I can tell so far, the inclusion of the 984 “coincidence”, if it indeed can be considered such, seems like a retroactive boast taking credit for an achievement that could plausibly have failed, citing evidence the authors, and possibly Langner, have faith the public will never bother to examine for themselves.

Let me move on to another major weakness in the Times’ piece.

Both the Symantec and ESET dossiers put forward that the technology described in the press as Stuxnet is not a single powerful piece of software, but has in fact been several deployments of modifications to an original worm. Both papers, as well as Langner’s analysis, explain that Stuxnet was designed with the capability to receive code updates from a distant server under the control of the virus’ handlers/authors.

And this characteristic of the worm only deepens the mystery.

According to these reports and tech news coverage, a feature of Stuxnet which astounded security researchers upon the virus’ discovery worldwide was its use of signed driver certificates, a means of authenticating the safety of installed software within Windows, which it utilized to conceal the presence of the malware within the operating system. Valid signatures are provided by “trusted” and legitimate software developers, and the presence of these signature certificates proves the “reliability”, so to speak, of the software introduced to Windows, which then enables its installation. Use of this technique allowed Stuxnet to evade detection as malware on these computers by incorporating the signatures of legitimate commercial software. Apparently, the Stuxnet analyzed by researchers included two separate signed certificates from Taiwan-based software developers: Realtek and JMicron.

The first certificate discovered, that of Realtek, was determined to have been dated and compiled (activated) January 25, 2010. This would mark the start of the period of this component of the software’s “validity”, which would allow it to work within Windows. Already, this date does not gel with the timeline of Stuxnet’s efficacy, if we accept The New York Times’ claim of late 2009 as the period of centrifuge destruction attributable to the virus. Furthermore, the Symantec dossier notes that the Realtek certificate expired on June 10, 2010, at which point Windows would no longer trust the software, and its ability to replicate within new machines undetected would also end. This date is borne out by the discovery of Stuxnet that spring by VirusBlokAda and its announcement on June 17, 2010 – an infection which suddenly popped up on tens of thousands of computers worldwide, with 60% of these based in Iran, followed in numbers by Indonesia and India.

The two security reports state that an additional security certificate, that of JMicron, was activated on July 14, 2010. The authenticity of this additional certificate was revoked (hence expired) within days, on July 17, 2010.

Of course these timestamp dates are much later than the period of purported centrifuge destruction in late 2009 offered by The New York Times.
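As an added example (not code from this post, nor from Symantec, ESET or Langner), the Python below models the trust rule the post describes: a driver is accepted only while its signing certificate is inside its validity window and has not been revoked, and drivers that were trusted when installed can be re-checked once a certificate is revoked. The Realtek dates and the JMicron activation and revocation dates are those quoted above; the driver file names and the JMicron expiry date are assumptions.

```python
"""Signed-driver triage against certificate validity windows and a revocation list."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SignedDriver:
    """An installed kernel driver and the certificate its signature chains to."""
    path: str
    signer: Optional[str]            # None means the file carries no signature
    not_before: Optional[date] = None
    not_after: Optional[date] = None


# Constructed revocation list: signer name -> date the CA revoked its certificate.
# The JMicron date is the one quoted in the post; nothing else is assumed revoked.
REVOKED: Dict[str, date] = {"JMicron": date(2010, 7, 17)}

# Constructed sample set. The Realtek window and the JMicron start date are the
# dates the post quotes; the JMicron not_after date is a placeholder, since the
# post gives none. File names are invented and match no real driver.
SAMPLE_DRIVERS: List[SignedDriver] = [
    SignedDriver("sample_realtek.sys", "Realtek", date(2010, 1, 25), date(2010, 6, 10)),
    SignedDriver("sample_jmicron.sys", "JMicron", date(2010, 7, 14), date(2011, 7, 14)),
    SignedDriver("sample_unsigned.sys", None),
]

# Constructed install log: (driver, date it was loaded onto the host).
SAMPLE_INSTALLS: List[Tuple[SignedDriver, date]] = [
    (SAMPLE_DRIVERS[0], date(2010, 3, 1)),
    (SAMPLE_DRIVERS[1], date(2010, 7, 15)),
    (SAMPLE_DRIVERS[2], date(2010, 7, 15)),
]


def evaluate(drv: SignedDriver, on: date, revoked: Dict[str, date] = REVOKED) -> str:
    """Trust verdict for one driver as of the given date.

    Revocation is checked before the validity window because it withdraws
    trust regardless of the window. Verdicts: unsigned, revoked,
    not-yet-valid, expired, trusted.
    """
    if drv.signer is None:
        return "unsigned"
    if drv.signer in revoked and revoked[drv.signer] <= on:
        return "revoked"
    if on < drv.not_before:
        return "not-yet-valid"
    if on > drv.not_after:
        return "expired"
    return "trusted"


def triage(drivers: List[SignedDriver], on: date,
           revoked: Dict[str, date] = REVOKED) -> Dict[str, str]:
    """Verdict per driver path as of one date: the host-wide view an analyst wants."""
    return {d.path: evaluate(d, on, revoked) for d in drivers}


def revoked_since_install(installs: List[Tuple[SignedDriver, date]], now: date,
                          revoked: Dict[str, date] = REVOKED) -> List[str]:
    """Retroactive hunt: drivers that were trusted when installed but whose
    certificate has since been revoked.

    Such drivers loaded cleanly and never tripped the window check, so only a
    re-check against the current revocation list surfaces them.
    """
    hits: List[str] = []
    for drv, installed_on in installs:
        if (evaluate(drv, installed_on, revoked) == "trusted"
                and evaluate(drv, now, revoked) == "revoked"):
            hits.append(drv.path)
    return hits


if __name__ == "__main__":
    for day in (date(2010, 3, 1), date(2010, 6, 17), date(2010, 7, 15), date(2010, 7, 20)):
        print(day, triage(SAMPLE_DRIVERS, day))
    print("revoked since install:", revoked_since_install(SAMPLE_INSTALLS, date(2010, 7, 20)))
```

A production Authenticode verifier also honours a timestamp countersignature, so a signature made while the certificate was valid keeps verifying after the certificate expires; revocation, as modelled here, is the control that actually withdraws trust.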

But the usage of the signed driver certificate is, for me, at least, the strangest part of this story of all. The employment of this method to bypass security features on Windows seems impressive on first look, but I cannot, for the life of me, understand the inclusion within Stuxnet of the Realtek signature’s seemingly deliberate expiration date. For Stuxnet appears to have been designed with a built-in termination date (June 10, 2010), one that would enable a five month period of use before the inevitable expiration of the signature, at which point the virus would become visible to Windows. Given the political stakes and logistics involved, and very definite possibility of discovery using this method, this expiration date seems laughably self-defeating. And accordingly, the expiration is corroborated by the sudden widespread discovery of the worm on tens of thousands of computers throughout the world by VirusBlokAda on June 17th.

Again, within days warnings were issued, and software patches and remedies followed from Microsoft and antivirus companies. And it seems that the attempt was repeated with the inclusion of the JMicron certificate timestamped on July 14. For me, it is difficult to entertain the possibility that such foreseeable results were accidental, and twice. If the method was risky and ineffectual the first time, it would be exponentially more brain-dead to attempt it again, but that seems to be what was done.

What seems at the very least plausible is that rather than employing signed drivers to help conceal the presence of the virus within Windows, the inclusion of this feature was designed to reveal it – was designed to publicize its existence for political ends, its insertion a clever poison pill not meant to mask its presence within infected computers, but rather to ensure its inevitable detection and announcement to the world.

Returning to the reported late 2009 damage to equipment in Natanz, what I think is plausible, and what I believe to be the motivation of the spokesperson or administration official(s) who fed the tale to Sanger et al., is that the code being studied and called Stuxnet reflects a repeated effort to publicize a prior failed operation. If not to ensure the worm’s detection, the inclusion of the second signed driver certificate in July, after the discovery of the virus, seems to strengthen the notion that deployments of the malware had had very limited success, and so had to be continually recalculated and reconfigured to make up for the earlier near non-existent results – or, more devilishly, to publicize the worm and attempt to give credit to it, as the Times duly provided credit.

Because let us not forget: whatever the exact time period of the damage done by Stuxnet, the same ISIS reports cited by The New York Times as its evidence provide the graph at the top of this piece for output levels of low-enriched uranium since 2007. (See the above graph once more.) With very few hitches, the Iranian program continues to increase its capacity, illustrating that Stuxnet has barely made a dent in the production of LEU. Again, this information is left out, and doubtless intentionally, unless New York Times reporters reached their positions at the world’s leading newspaper by reading only the first few paragraphs of their own source material. ISIS does offer comically vacuous lines of analysis to explain its own inability to demonstrate the damage done:

“Any effect is camouflaged since the rate of low enriched uranium (LEU) production increased significantly during the three month reporting period between November 2009 and February 2010. This gain was sustained in the months afterwards.”

The ISIS report is responsible enough to offer that Stuxnet’s introduction to Natanz could indeed be inconsequential, and the second half of the paper goes ahead to explain ISIS’s own doubts, providing numerical data that does not support the ISIS report’s own thesis.

Strangely, and irresponsibly, The New York Times did not find room in its own piece to mention these doubts, nor to examine the report’s quantitative data that undermine the premise of the ISIS paper’s own headline.

Beyond this, the NY Times piece’s authors’ inclusion of the qualitative speculations (rather than quantitative data) of the ISIS report, and not the direct findings of the IAEA for supposed technological figures and political assessments of the Iranian nuclear program, seems to be an unnatural choice, if accuracy were their mission. Having sifted through these ISIS papers, which are much more alarmist and hawkish, so to speak, than the quarterly reports of the IAEA (the UN source of the ISIS analyses), I would note that the IAEA continues to verify the non-diversion of nuclear materials from declared sites under IAEA safeguards, and Iran’s ongoing non-violation of the Non-Proliferation Treaty. The IAEA reports, in their conclusions, do raise concerns about Iran’s cooperation in adhering to the Additional Protocol demanded by the UN Security Council, but not the substance of the Non-Proliferation Treaty, the agreement it remains a signatory to– unlike those other regional nuclear powers, India, Pakistan, and Israel. None of the source IAEA reports provide the centrifuge figures used by ISIS, the ones subsequently cited by Langner and ultimately The New York Times. These breakdowns are instead extrapolated by the ISIS from the vague, raw, and much more politically neutral findings of the IAEA reports. Also, in literally every document produced by the ISIS there is a presumption of a covert Iranian nuclear weaponization program that is not shared by the IAEA– which I suppose would make the use of these primary documents, rather than the secondary commentary provided by the ISIS, less than ideal for The New York Times in crafting a war narrative.

By the way, ISIS has offered the possibility of Stuxnet being responsible for setbacks in LEU production levels with more than one timeframe. In an earlier piece of theirs, dated November 27, 2010, they offer another speculation for possible Stuxnet damage, one of fall 2010. Again, the graphs do not corroborate any kind of setback and in fact illustrate the largest gain in output of LEU from August to November 2010. Readers should be aware of long-standing criticism of the founder and director of ISIS, David Albright, by other writers on non-proliferation issues like Scott Ritter and Muhammad Sahimi, who basically write him off as sort of an obsequious number-cruncher, who in their opinion works to provide scientific cover for presidential administrations to bomb other countries, dating to the period of the first Gulf War. Readers can gauge the credibility of their criticisms of Albright and the thinktank that is his brainchild here and here. The New York Times is certainly aware of these criticisms of ISIS, but strangely chooses to present its findings without comment.

What was the point of the New York Times article at all, aside from the obvious entertainment value? Certainly co-author David Sanger has a rep as being one of the primary conduits for and conjurers of war propaganda in making the case for an attack on Iran – similar to the role Michael Gordon played in the lead-up to Iraq, largely by presenting unsourced and unverified claims from unnamed officials about threats posed by enemy states.

But while you might think that Sanger has the desire to sell a possible war with Iran to the general public, this story seems to undermine the possibility of such a war, if, as the article claims, the Iranian nuclear program has been set back years as a result of Stuxnet. It seems to put the brakes on a narrative that has been animating nearly all of Sanger’s reporting for the past four years, and I’ve found myself puzzled again trying to discern the article’s political intent. Could this article be a signal by someone in the Obama administration that a war is not coming anytime soon? It seems at least to be a possibility that the Stuxnet story could indeed present an opportunity to cover a retreat from that option with a claim of success that, as some pro-Israeli sources have suggested, is the equivalent of a military attack.

I am suggesting that the article is a form of damage control related to the recent statements by Meir Dagan that Iran no longer poses an imminent threat. I can think of other motives: an attempt to claim credit by the US/Israel for the work of unknown cyberassailants, an attempt to save face for a failed, unfocused operation. Interestingly, Ralph Langner himself has suggested multiple possible culprits for the attack in addition to the United States and Israel, including Russia, China, and Germany. Again, though, and irresponsibly, The New York Times excluded all these culprits even though it uses Langner’s work to buttress its most important technical details.

My conclusion is that the authors’ purpose was simply to craft a fantastic and fawning patriotic narrative, overstating joint American and Israeli power in light of less than stellar results, with a caricaturized timeline to suggest a much longer and greater degree of sophistication, planning and strategic capacity in the Stuxnet effort than the actual chronology of events reveals, and a possible means of backing away from a war that may be off the table now, by writing up a self-congratulatory victory fable.

Yes, I am speculating. I cannot be 100 percent confident about that conclusion. I hope that forthcoming events will illuminate the true intention behind this story’s publication.

(Thanks to Eli Clifton, Jim Lobe and Gareth Porter of IPS for their invaluable insights during the preparation of this piece.)

Qadir’s piece was written in late January and early February. He offers this addendum:

On February 11, Symantec published a revision to its Stuxnet dossier that more or less confirms my speculations above, by verifying the existence of multiple revisions and deployments of the virus. From examination of around 3,300 samples of Stuxnet recovered from infected computers, the security firm determined that at least three variants of the same malware were deployed, in June 2009, March 2010, and April 2010. Accordingly, ISIS has updated its December 22, 2010 report to include some of this information. Symantec and ISIS now report that the “417” controller attack sequence was inoperable and unfinished at the time of each of its deployments. It is therefore no longer possible to credit this part of the Stuxnet code with the late 2009 damage detailed by ISIS. Yet the “417” controller attack sequence is the source of Langner’s and ISIS’s earlier claim of 984 centrifuges damaged by the virus. Incredibly, ISIS continues in its update to claim: “To date, Stuxnet is known to have had at least one successful attack. It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site.” But the new revelation flatly contradicts this, and there is almost no case left for attributing the centrifuge damage of late 2009 to the specific section of Stuxnet code that was held up as evidence of the enrichment setbacks cited by The New York Times. Albright himself almost completely backs away from his earlier assessments in this February 16 article in the Washington Post. Perhaps other sections of the Stuxnet code were indeed responsible for this damage, but the case becomes more circumstantial as more information comes out. The New York Times went ahead and attributed causality, declared damage, and proclaimed victory on the basis of extremely dubious evidence that can now be excluded from any assessment of Stuxnet’s utility.

Returning to the Symantec update and its identification of three strains of Stuxnet between June 2009 and April 2010: remember that The New York Times gave June 2009 as the discovery date for the virus, a date that was only ambiguously (and only retroactively) supported by the security firm’s published findings at the time of the article’s release. This leads me to suspect that the date was fed to the Times by another one of their unnamed sources, or chosen by them for the purpose of framing this narrative.

All of this focus on the design intent of Stuxnet and the corresponding damage distracts from a much larger point, though. Probably the only thing to add, given the discovery of these variants (and the revelation that the 417 attack sequence was inoperable), is that the Iranian nuclear program continues unabated, and the publication of The New York Times piece could very well be a recognition that ongoing uranium enrichment is now a fait accompli in the eyes of American and Israeli military planners. To draw this conclusion, one need only refer to the above graph. Perhaps Stuxnet has indeed slowed the rate at which uranium enrichment capability is growing, but the output of LEU itself has only continued to increase as the months pass. Would the rate have risen faster and more steeply without Stuxnet? There is no way at all to quantify or prove this, whether arguing for or against the efficacy of the virus. The fact that the only period of quantifiable damage to Iranian nuclear equipment cited by the ISIS reports and The New York Times is in late 2009 seems to confirm the continuing impotence of the Stuxnet exercise.

34 Responses

  1. gingershot
    February 22, 2011, 11:20 am

    David Sanger of the NYTimes is a full-time Israeli-hasbara-ist and bends, twists, and warps any news to a pro-Israel, pro-attack Iran agenda

    It’s just pitiful that so many Americans rely on the NYTimes – ‘the Judith Miller Institute for Neocon-propaganda’. They have no shame even with having led the Neocon lies about Iraq and helping lie America into that war for Israel

    • marc b.
      February 22, 2011, 11:36 am

      nothing sanger writes should be accepted at face value. he has zero credibility as an objective reporter or analyst. as the author has pointed out, there are fundamental contradictions between the ‘analysis’ provided and the underlying facts. m.b.oren had just inserted another apocalyptic prediction regarding the iranian nuclear program in his recent op-ed in the times on the egypt-israel relationship, citing the current director of the IAEA as the source for confirmation of regular and increasing uranium enrichment by the iranians. the aparatchiks at the times just can’t keep their stories straight, wildly jumping from propaganda extolling the brilliance of israel to the exterminationist impulses of the iranians, palestinians, lebanese, pick your strawman. what a friggin’ complex sanger et al have. ‘five psychiatric sessions a week, five, and not a dent.’ quote from ‘quiz show’, more or less.

    • Hu Bris
      February 23, 2011, 7:48 am

      It’s just pitiful that so many Americans rely on the NYTimes – ‘the Judith Miller Institute for Neocon-propaganda’

      the best description of the NYT I ever heard was “The NY Academy of Fellatial Stenography”

  2. MHughes976
    February 22, 2011, 11:38 am

    If the decision, after so many threats sedulously retailed by all too cooperative journalists and academics, goes against war with Iran the stuxnet story will provide the pleasantly postmodern excuse.

  3. Dr Gonzo
    February 22, 2011, 11:42 am

    Very interesting piece.

    I have been following the Stuxnet story since it broke and will openly admit that I’m out of my league when it comes to the technical aspects of the case. The central argument that Iran’s enrichment has continued rising is an interesting indication of the true effects of the virus.

    The fact that the virus was designed in such a way that it would attract publicity is also interesting. Could very well be that it was designed to save face for America in its backdown from military action.

    Could also be the case that it simply makes up another part of the long running psychological campaign against Iran. The secret war has also been ongoing. Masoud Ali Mohammadi, an Iranian quantum physicist, was killed in Jan 2010 outside his home by an exploding motorbike. Majid Shahriari, another nuclear scientist, was killed in an explosion outside a University Campus in Nov 2010 (the shady Israeli source Debka claims he was lead investigator of the Stuxnet virus).

    • JewishAnarchist
      February 24, 2011, 2:22 am

      This post (Stuxnet Authors Made Several Basic Errors) on Kaspersky Lab’s blog also makes it appear that hiding the worm wasn’t a high priority.

  4. Potsherd2
    February 22, 2011, 11:50 am

    It’s interesting that the US and Israel brag about their cyberterrorism, when if anyone else, individual or state, had deployed such a tactic against them, it would have been prosecuted to the hilt.

    Exceptionalism keeps raising the bar.

  5. pabelmont
    February 22, 2011, 12:20 pm

    Presumably no mention, by NYT, that the WONDERFUL USA/Israeli cooperation [PART OF THE STORY THAT I DON’T DOUBT — AM I WRONG IN THIS?] to manufacture and place in use this ITEM OF ECONOMIC WARFARE might [1] be illegal per se, as most anti-computer stuff is, and no war having been declared, and [2] might be a model for every electronic warrior to do the same to the USA, to Israel, to anyone at all. In other words, letting viruses loose in the world is dangerous, just as the USA’s letting the Atomic-Bomb loose on the world was a dangerous thing.

    But what the heck, if we’re not planning to do anything about global warming, why not have fun Stuxnet-style wrecking our economic systems while we wait for the collapse of the world? We’re so important after all, so after us the deluge!

    And never forget that an Iran armed with a few A-bombs (or even H-bombs) does NOT threaten anything EXCEPT Israeli hegemony in the region. No-one has ever supposed that an (ISLAMIC !!!) Iran would sent a bomb-laden missile upon the holy city of Jerusalem.

    • Les
      February 22, 2011, 6:22 pm

      Excellent final point. The next time anyone brings up Iran as a nuclear threat to Israel, I will ask why they think Iran would bomb Jerusalem or risk its destruction?

  6. ToivoS
    February 22, 2011, 12:30 pm

    The stuxnet virus story has had one very positive outcome. Threats of war against Iran from both the US and Israel have declined considerably. If the whole story was concocted just to allow us to save face then that is OK with me.

    • Psychopathic god
      February 22, 2011, 1:27 pm

      I would prefer to think I pay taxes and vote in a nation that behaves honorably.
      faux cyber war to “save face” is a piss poor third place.

      but look at the fallout, from the combination of US-Israel cooperation on sneak cyber attacks on other nations’ infrastructure and the recent, temporary extension of US Patriot Act which permits eavesdropping even if one is NOT an alleged terrorist, plus, the presumption that Siemens was co-opted in some way to force them to go along with this scheme.
      Result: security of the internet is seriously compromised. How happy should that make operations like TDAmeritrade, or all the online banks, or every online marketer — LLBean comes to mind; ebay, the list goes on — what happens when the general public figures out that everything they do online is wide open to government scrutiny? How happy does that make you?

      How happy should be the purchasing committee shopping for something Siemens produces, if that potential buyer thinks Siemens will sell out to American pressure?

      Lies are the devil’s workshop.
      Who sez the US has lost its manufacturing base?

      • ToivoS
        February 22, 2011, 4:21 pm

        I would prefer to think I pay taxes and vote in a nation that behaves honorably.

        Me too. But I recognize that I live in a nation that behaves otherwise.

  7. Chaos4700
    February 22, 2011, 12:34 pm

    I’ll have to go over this article later when I have more time, but from what I’ve seen so far, kudos. It’s quite an impressive bit of research.

    I have just one initial comment:

    What I’ve found leaves it very difficult to believe that The New York Times correspondents, following the culmination of a three-month investigative process, could have been unaware of the massive volume of publicly-available data that undermine the reporting they offered.

    Oh! To be 1999 again.

  8. annie
    February 22, 2011, 12:37 pm

    I am suggesting that the article is a form of damage control related to the recent statements by Meir Dagan that Iran no longer poses an imminent threat.

    ha! we think exactly alike (check the email i sent you about 15 minutes ago phil)

    the reason the nyt piece is all fuzzy is because it was thrown together lickety-split. EMERGENCY (hebrew press 2/9 sunday: Prime Minister Binyamin Netanyahu is furious with outgoing Mossad Director Meir Dagan because of the briefing Dagan gave journalists last Thursday.) i recall sending this link @ the time w/note HUGE. (you broke the news here prior to goldberg’s piece w/the headline “Will the ‘Atlantic’ report it here?”) there was nothing at all in the western press on 2/9 and when the news did break it didn’t say ‘furious’.

    i posit there was a massive coordinated counter offensive wrt this news PRIOR to it breaking in the western press and when it did break (monday morning) every single story mentioned the massive success of the stuxnet worm. the nyt story came out on the 16th. that’s not a lot of time to throw together a three-month investigative process, now is it.

    edit, just realized phil didn’t write this post. we think alike Mr. Qadir !

    • Psychopathic god
      February 22, 2011, 1:31 pm

      this morning either NPR or C Span news brief reported joint US-Israeli missile test off coast of California.

      real or faux, me suspects a response to Iranian boats in Mediterranean.


      Iranian “cyber army” hacks VOA website, gently tells Hillary Clinton to stop interfering in Islamic countries.

      • annie
        February 22, 2011, 1:36 pm

        oh loverly.

      • annie
        February 22, 2011, 3:56 pm

        i meant oh loverly about joint US-Israeli missile test off coast of California. the iranian hacking job is hysterical. nice graphic.

      • fuster
        February 22, 2011, 4:50 pm

        The Iranians are worried about this stuff—–

        Voice of America Uses Social Media to Aid Foreign Dissent

        —-“Later today, Secretary of State Hillary Rodham Clinton will outline the next phase of the Obama administration’s so-called Internet freedom agenda. So far, that agenda has been about demanding other countries keep Internet access open. But when that fails, the Broadcasting Board of Governors, which oversees the government-owned media organizations that send pro-American messages to foreign audiences, has begun using social media to go around online restrictions in repressive countries.”—-

      • Chaos4700
        February 22, 2011, 7:59 pm

        So far, that agenda has been about demanding other countries keep Internet access open.

        …yet the Democratic Party has been lukewarm to aversive about properly taking up net neutrality at home. Funny, that.

      • fuster
        February 22, 2011, 9:01 pm

        yeah, that’s about your usual level of comprehension. everything in base 2

  9. Formerly T-Bear
    February 22, 2011, 1:13 pm

    For a parallel Emptywheel’s post with William Ockham at FDL also had an intriguing write-up on stuxnet:
    Between the two reports, a stereoscopic view emerges for the persistent reader with a functioning memory.

    • annie
      February 22, 2011, 1:33 pm

      thanks for the link f t bear

  10. annie
    February 22, 2011, 2:34 pm

    while reading this article as soon as ISIS was introduced i checked the ISIS SourceWatch page.

    * W. Alton Jones Foundation,
    * Carnegie Corporation of New York,
    * Compton Foundation, Inc.,
    * Ford Foundation,
    * John Merck Fund,
    * New-Land Foundation, Inc.,
    * Ploughshares Fund,
    * Prospect Hill Foundation,
    * Rockefeller Brothers Fund,
    * Scherman Foundation, Inc.,
    * U.S. Institute of Peace, and an anonymous member of the Rockefeller family.
    * ISIS also receives contributions through the federal government’s Combined Federal Campaign.

    i saw albright’s name but i took a different track and decided to check out U.S. Institute of Peace perhaps because of the odd “and an anonymous member of the Rockefeller family”. from their link i followed President and Chief Executive Officer
    * Richard Solomon, 1992-Present
    and noticed on his bio served as head of the Political Science Department at the RAND Corporation.

    and thought, hmm rand corporation. plus there was this listing: Multimedia

    * The 2006 National Security Strategy Featuring National Security Advisor Stephen J. Hadley (March 2006)

    hmmm. multi media/strategy/neocon hadley. so i checked out U.S. Institute of Peace’s Upcoming Events page.

    hmmm. my guess is they’re fixtures.

    excellent report Rehmat Qadir .

    • Rowan
      February 24, 2011, 2:48 am

      I think you have to be prepared for Albright & Co at ISIS to provide what looks like authoritative technical documentation for what are in fact completely bogus claims. They did this with regard to the imaginary Syrian nuclear reactor bombed by Israel on Sep 6 2007, about which the best detailed critical article is still Seymour Hersh’s of Feb 11 2008, which is here:

      • annie
        February 24, 2011, 9:48 am

        good catch rowan, pg2

        The main piece of evidence to emerge publicly that Syria was building a reactor arrived on October 23rd, when David Albright, of the Institute for Science and International Security, a highly respected nonprofit research group, released a satellite image of the target. The photograph had been taken by a commercial satellite company, DigitalGlobe, of Longmont, Colorado, on August 10th, four weeks before the bombing, and showed a square building and a nearby water-pumping station. In an analysis released at the same time, Albright, a physicist who served as a weapons inspector in Iraq, concluded that the building, as viewed from space, had roughly the same length and width as a reactor building at Yongbyon, North Korea’s main nuclear facility. “The tall building in the image may house a reactor under construction and the pump station along the river may have been intended to supply cooling water to the reactor,” Albright said. He concluded his analysis by posing a series of rhetorical questions that assumed that the target was a nuclear facility:

        more from albright @ the article. i have never bought that story.

        check this out

        These are screenshots taken from a slideshow presented to congress. A McClatchy piece explains the issue.

        For comparison first four aerial pictures released (pdf) by David Albright’s ISIS, which are supposed to show the “Box-on-the Euphrates” in Syria which allegedly Israel bombed last September. Blue before and red after the raid.

  11. Citizen
    February 22, 2011, 3:00 pm

    Thank you for the report, Mr Qadir.

  12. Eva Smagacz
    February 22, 2011, 3:41 pm

    I believe that Voice of America was hacked by Iranian Hesbollahi, who are a completely separate “Party of God” and don’t have anything whatsoever to do with Lebanon’s Hezbollah, but I am sure it is a distinction lost on most Americans, including Hillary Clinton.

  13. bijou
    February 22, 2011, 5:00 pm

    It’s no surprise that the NY Times is once again serving as a convenient mouthpiece for the government (and the dog that wags it) to dish up their swiss-cheese propaganda tales du jour… but it’s most gratifying to see this actually confronted and dissembled with a careful analysis of facts.

    Thanks very much for your efforts to this end. I hope you continue them.

    Whatever it all *really* signifies, if it means we are not launching another lunatic Middle Eastern/Asian war any time soon then it can’t but be for the greater good….

  14. Les
    February 22, 2011, 6:20 pm

    Since Anonymous claims to have Stuxnet, how long before it is inserted into Israel’s nuclear systems?

  15. Philip Weiss
    February 22, 2011, 8:53 pm

    Rehmat, I haven’t thanked you publicly for this piece, it is a great addition to this site. You have a great mind; and I find your theorizing both plausible and persuasive here. I hope you follow up on this, I will attempt to do so too, in my way,

  16. Shingo
    February 23, 2011, 1:55 am

    An outstanding piece of investigative research and analysis Rehmat. I am floored by your attention to detail.

    Of course, any article written by those shameless propagandists at the New York Times is bound to be filled with half truths, deception and omissions, so there are always going to be grounds to debunk their reports.

    On a much simpler level, I am amazed that so many people accepted the claim that STUXNET set back Iran’s nuclear weapons program. Even if one were to accept the STUXNET story, it fails to address one fundamental issue: how could the nuclear weapons program have been set back if no evidence of any such program has ever surfaced, even after the so called attack?

    If STUXNET did indeed disable a nuclear weapons program, then why hasn’t the program been uncovered?

    My theory was that the Israelis and Washington have known all along there is no nuclear weapons program, so rather than produce evidence that one exists, they attacked the civilian program and tried to present that as an attack on a so called weapons program. Then by claiming the weapons program had been set back 3-5 years, the problem of proving that one exists goes away.

    • Psychopathic god
      February 24, 2011, 10:16 am

      proving yet again the soundness of the advice every good lawyer gives the client: TELL THE TRUTH. It’s easier to remember.

  17. Avi
    February 23, 2011, 2:58 am

    The NYT is no different than the daily Israeli tabloid, Ma’ariv. The tabloid often brags about Shin-Bet accomplishments and Israel’s military apparatus.

    Yet, when the moment of truth came in 2006, Israeli ground forces found themselves unable to capture a small Lebanese town a mere two (2) miles from the border, much in the same way they were unable to advance past one refugee camp in the northern part of the Gaza Strip in 2009.

    Perhaps another Victory at Entebbe, made-for-TV movie is in order. This time around Richard Dreyfuss can play the role of Benyamin ‘Bibi’ Netanyahu.

    You see, Zionists and the US government alike think that international affairs boil down to good PR. If Israel is being delegitimized, then the most appropriate solution would be to boost its image, not change its policies. Similarly, if drones are killing hundreds of civilians, an act that enrages Afghans, then the solution must be a media blackout.

  18. lareineblanche
    February 23, 2011, 11:45 am

    Great !

    The NYT piece does seem to be a form of damage control, once they realized that the option to attack Iran was no longer “on the table”. This is a small mouse to throw to the hawks, though, we’ll see if it keeps them satisfied.

    I sent an email to Langner with a link so he could read this, see if he (or someone over there) responds.