When America dropped its two atom bombs, Little Boy and Fat Man, over Japan in August 1945, it launched the world into a devastating new era of warfare. Nearly 70 years later, humanity is still trying to contain the fallout. But in its zeal to check nuclear proliferation, America–along with Israel–opened up yet another theatre of war: cyberspace.
In 2007 a computer worm called Stuxnet was detected for the first time by virus-scanning software, although signs of it may have existed unnoticed before that. At least three more versions followed, seeking to wreak havoc upon Iran’s uranium-enrichment facility at Natanz. Stuxnet made itself busy. It turned valves on and off and meddled with the centrifuges, wasting uranium and damaging equipment. It succeeded in slowing Iran’s uranium enrichment, and by extension its purported nuclear-weapons programmes, making Stuxnet the first documented case of cyber-warfare intended to cause physical damage.
Where Stuxnet fell short was in remaining hidden, thanks to a series of “flubs that should never have occurred”, writes Kim Zetter in “Countdown to Zero Day”, an authoritative account of Stuxnet’s spread and discovery. In June 2010 a tiny antivirus firm in Belarus stumbled upon Stuxnet while investigating a malfunctioning machine in Iran. The worm contained a “zero-day exploit”–a previously undiscovered software bug–that brought it to attention. An unprecedented five “zero-day exploits” were eventually found in the code. Researchers also discovered that Stuxnet had used a stolen digital certificate, the foundation of the internet’s web of trust, bringing the worm further renown.
Such attention-grabbing tactics were the first mistake. The second was failing to anticipate the willingness of security experts to make up for the shortcomings of Iranian investigators. Researchers at Symantec, and Kaspersky, an American and a Russian computer-security company, tore apart Stuxnet and its siblings for more than two years in a bid to reveal the full range of their abilities.