Stuxnet: The Worm That Changed Warfare
Just a few decades ago, the idea of deploying a virus to combat nuclear weapons proliferation would have been unheard of. Stuxnet didn’t just damage Iranian centrifuges; it changed what warfare means. Here’s what it actually did, how it worked, and why the implications are still playing out today.
In 2009, centrifuges at Iranian nuclear facilities began to fail at a rapidly increasing rate. Bearings seized, entire units failed to the point of physical destruction, and slowly but surely, the rate of attrition began to affect the capacity of these facilities to refine the uranium needed to produce a nuclear weapon.
Most mechanical failures leave clear signs that help engineers reconstruct what caused them. This time, things were different. Control screens were operating nominally. Diagnostic procedures would not identify faults. Nothing in the data helped them understand what had been happening in their systems.
In the background, the machines had quietly been tearing themselves apart. And sometimes, not so quietly. They were destroying themselves on instruction, and no one within the facility was able to see it taking place.
These attacks were the result of a weapon that had no moving parts, left no entry wound, and had been inside the network for months before it did anything at all.
That weapon was Stuxnet. And understanding what it actually was, how it worked, and what it opened up is worth getting right, because a lot of what gets written about it is more mythology than fact.
Stuxnet would be aimed and deployed directly at Iranian nuclear facilities. Source: Wikipedia.
Context: What Was at Stake
You only have to look at today’s news to understand that sometimes the more things change, the more they stay the same. And so it was in 2009, when Iran was poised to make significant inroads into its nuclear program.
This was a serious concern for Western governments. A nuclear-capable Iranian military, hostile to the West, was unacceptable in the long term. The problem was that, while the problem itself was clear, the solutions for dealing with it were far less so.
Airstrikes risked a regional war. Sanctions were slow. Covert action inside the facility was difficult by design, and the fact that many of the country’s nuclear facilities were air-gapped added further complications.
The only way to use traditional intelligence methods would be by gaining physical access to the system or, alternatively, using kinetic strikes to destroy it.
Somewhere, in some alphabet agency, someone made a conscious choice that traditional intelligence methods would not be used this time.
Iran holds a missile and drone arsenal that is capable of causing significant pain. Source: Wikipedia.
A Precise Cyber Scalpel
Most pieces of malware will use a zero-day exploit to gain access. These are expensive exploits that are particularly valuable in the nation-state context. As you might imagine, the usage of unpatched exploits to gain access to an adversary's systems is pretty attractive to global intelligence agencies.
Stuxnet was unique for the sheer level of precision it displayed. It used four zero-day exploits to gain access, identify its target and eventually pivot, before delivering a three-layered attack chain that was as elegant as it was competent.
Getting in:
It’s unknown how Stuxnet entered the Natanz network, but it’s suspected that it was via infected USB drives carried in by contractors. Once on a Windows machine, it spread using the four separate zero-day vulnerabilities mentioned earlier: a Windows shortcut flaw, a print spooler bug and two privilege escalation exploits, plus a known vulnerability for good measure. Burning four zero-days in a single operation was a significant tell on its own. Zero-days are finite and expensive. Using that many in one hit tells you a lot about how much whoever built this cared about it working.
Finding the target:
Once inside, Stuxnet searched for Siemens Step7 software. This is the industrial control software used to program PLCs. No Step7, no action. If it found Step7, it would then look further. The connected PLCs had to be specific models managing centrifuge motor drives at specific frequencies. If those criteria were not met, Stuxnet sat quietly on the machine and did nothing. This is why it ended up on 200,000 machines worldwide without most people noticing: most people aren’t enriching uranium, so for them, Stuxnet never fired.
Doing the damage:
Once it confirmed it was in the right place, it reprogrammed the PLCs and started manipulating the centrifuge speeds to extreme levels. It would push the rotors too fast, then too slow, creating mechanical stress that built up over time until things started failing. While that was happening, it fed false readings back to the monitoring systems. Operators watching the screens saw nominal readings that indicated no faults in the controllers. The machines were lying to them.
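As an added example that is not from the original post and is not Stuxnet code, here is the kind of check a plant’s defenders could run against the "lying machines" problem described above: compare the rotor frequency reported through the PLC/HMI path with a reading from an independent, out-of-band sensor, and alert on sustained disagreement. It assumes such a second sensor path exists, and every number in it (the 1064 Hz nominal figure, the sample values and the thresholds) is constructed for illustration.

```python
"""Cross-check operator-screen telemetry against an independent sensor.

Added example: not from the original post and not Stuxnet code.
Assumptions (not stated on the page): each centrifuge's rotor frequency
is available twice, once via the PLC/HMI path an attacker could tamper
with, and once from an out-of-band sensor (e.g. a vibration or power
monitor on a separate logger). All telemetry below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Sample:
    t: int          # seconds since the start of the log
    hmi_hz: float   # rotor frequency as shown on the operator screen
    oob_hz: float   # rotor frequency from the independent sensor


# Constructed log: the screen stays flat at nominal while the real rotor
# is driven far above nominal and then almost stopped, the pattern the
# post describes.
SAMPLES: List[Sample] = [
    Sample(0, 1064.2, 1063.8),
    Sample(1, 1064.1, 1064.3),
    Sample(2, 1063.9, 1064.0),
    Sample(3, 1064.0, 1180.5),   # overspeed begins
    Sample(4, 1064.2, 1320.7),
    Sample(5, 1064.1, 1410.2),
    Sample(6, 1064.0, 1409.8),
    Sample(7, 1064.1, 600.4),    # abrupt slow-down
    Sample(8, 1064.0, 2.1),
    Sample(9, 1063.9, 2.0),
    Sample(10, 1064.2, 1063.5),  # back to nominal
    Sample(11, 1064.1, 1064.1),
]

# Constructed log of a screen that is fed a perfectly constant value.
REPLAYED: List[Sample] = [
    Sample(t, 1064.0, oob) for t, oob in
    enumerate([1064.1, 1063.9, 1064.2, 1064.0, 1063.8, 1064.1, 1064.3])
]


def divergence_windows(samples: List[Sample], tolerance_hz: float = 40.0,
                       min_run: int = 2) -> List[Tuple[int, int, float]]:
    """Return (start_t, end_t, max_abs_diff) for every run of at least
    `min_run` consecutive samples in which the two readings disagree by
    more than `tolerance_hz`. Single-sample blips are ignored so that
    ordinary sensor lag does not raise an alert."""
    windows: List[Tuple[int, int, float]] = []
    run: List[Tuple[int, float]] = []

    def close_run() -> None:
        if len(run) >= min_run:
            windows.append((run[0][0], run[-1][0], max(d for _, d in run)))
        run.clear()

    for s in samples:
        diff = abs(s.hmi_hz - s.oob_hz)
        if diff > tolerance_hz:
            run.append((s.t, diff))
        else:
            close_run()
    close_run()
    return windows


def frozen_channel(samples: List[Sample], window: int = 6,
                   min_jitter_hz: float = 0.05) -> bool:
    """True if the screen value varies by less than `min_jitter_hz`
    across any `window` consecutive samples. A real analogue measurement
    always carries some noise, so a perfectly flat channel deserves a
    second look on its own. This check goes beyond the post, which only
    says that false readings were fed to the operators."""
    for i in range(len(samples) - window + 1):
        vals = [s.hmi_hz for s in samples[i:i + window]]
        if max(vals) - min(vals) < min_jitter_hz:
            return True
    return False


def is_suspect(samples: List[Sample]) -> bool:
    """Combine both checks into a single verdict for one centrifuge."""
    return bool(divergence_windows(samples)) or frozen_channel(samples)


if __name__ == "__main__":
    for name, log in (("SAMPLES", SAMPLES), ("REPLAYED", REPLAYED)):
        print(name, "divergence:", divergence_windows(log),
              "frozen:", frozen_channel(log), "suspect:", is_suspect(log))
```

The design point is that the cross-check must run outside the controller that could be manipulated: a check that reads both values through the same PLC would simply be fed the same false data twice.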
The Air Gap
If you work in tech, you probably don’t need to be told how big a deal evading an air gap is. But if you don’t, it’s worth pausing for a second to highlight how big an impact this had on the whole attack.
Bypassing an air gap is not easy, but a well-known strategy was leveraged to make the whole process easier. It’s now widely theorised that a supply chain attack was responsible for compromising the machines used as part of the nuclear program, allowing Stuxnet to take hold and do its thing once it had been released.
This sounds simple in theory, but looking at it in detail shows why it was so effective. The whole program relied on specialists and contractors, many of whom moved between important sites while taking their hardware with them.
Stuxnet was able to move laterally between connected devices thanks to this central weakness. In these circumstances, it was simply a matter of waiting for an infected machine to be used at the right location for the whole chain to come together.
While supply chain attacks primarily rely on compromising hardware, there’s no denying that human behaviour also played a strong role in enabling it all to work.
The Strait of Hormuz has always created a unique problem for geopolitical analysts. Source: Wikipedia.
The Damage... And The Fallout
If you weren’t around back then, it’s probably no surprise to hear that at the time, Stuxnet was massive news that dominated the headlines.
This was for good reason too, as it was later disclosed that more than 1000 machines were damaged or compromised. Contextually, this was more than 20% of the total enrichment capacity at Natanz, and as a result, enrichment levels dropped dramatically in the months afterwards.
Western officials at the time claimed that the attack had set back Iranian nuclear aspirations by years, but like most things in life, the real answer was a little more nuanced than that.
The more realistic assessment overall is that while the delay was real, it was only temporary. Iran eventually identified the attack, replaced the machines, and pushed forward with more advanced centrifuge designs. With time, the program recovered, and enrichment continued.
The JCPOA agreement came later, before it was eventually cancelled, which led to the circumstances of today: a regional war with very real implications for the global economy.
The Elephant In The Room
When Stuxnet was publicly identified in June 2010, every serious research team and nation-state actor with the capability and motivation started pulling it apart.
They helped to identify the techniques used. Air-gap traversal via USB, PLC manipulation, sensor spoofing, and lying to operators in real time went from classified to documented fact. Stuxnet changed the dynamic of warfighting in cyberspace, and this unlocked some very real consequences globally.
Cyber warfare with real-world effects had been unleashed. What had previously been treated with restraint was now open to the world, with entirely predictable results.
Duqu in 2011 used Stuxnet’s codebase to log keystrokes and extract data from industrial facilities. Flame arrived later in 2012. These were not coincidences. Stuxnet’s public exposure created a reference implementation that anyone capable of reading Symantec’s technical reports could study and adapt.
It also set a precedent for using cyberwarfare strategies in the wild.
For the first time, cyberwarfare could achieve kinetic-like results by merely deploying code. While airpower would remain king, the rules were changing. Source: Wikipedia.
A Final Consideration
There are two versions of the Stuxnet tale. In the first, it’s a precision weapon that avoided a war, bought time and delivered a casualty count of exactly zero. In the second, it’s the operation that handed a detailed blueprint to every state actor or civilian hacktivist capable of reading a technical report.
What if both versions were true?
Stuxnet proved that you could use code to bridge the gap, target a system and deliver kinetic results that would previously have required an airstrike or similar. That was most definitely new.
However, the techniques it used are directly relevant to all of us. In the modern world, supply chain infection, PLC manipulation and sensor spoofing are part of the standard threat model for critical infrastructure almost everywhere. The same architecture that made Iranian enrichment capacity vulnerable is deployed in power plants and industrial systems all over the globe.
Stuxnet’s long-term contribution was to permanently change the threat landscape and the rules by which we operate. It also redefined, in the modern age, just what exactly counts as a battlefield.
Investigator515 explores the RF spectrum, cybersecurity, and the hidden tech behind modern espionage.
