U.S. President Barack Obama ordered the use of Stuxnet against Iran as part of an effort to disrupt the country's nuclear ambitions, according to The New York Times.
In a story adapted from an upcoming book by New York Times Chief Washington Correspondent David Sanger, anonymous sources are quoted as saying that Obama accelerated plans for a cyber-attack against Iran that were first started during the administration of George W. Bush.
According to The Times, Obama decided to continue the attacks after Stuxnet became public in the summer of 2010 due to a "programming error that allowed it to escape" Iran's nuclear enrichment plant in Natanz.
According to The Times, when Obama was told it was unclear how much the Iranians knew about the code and it was still causing problems, the president decided the cyber-attacks should proceed. In the subsequent weeks, the Natanz plant was hit by two newer versions of the computer worm, with the last of that series of attacks temporarily taking out nearly 1,000 of the 5,000 centrifuges Iran was using for purifying uranium.
The paper reports that for years, the CIA had introduced faulty parts and designs into Iran's systems, for example, sabotaging imported power supplies so that they would blow up, but their efforts had produced little results. The failures prompted Gen. James E. Cartwright, who had established a cyber-operation within the U.S. Strategic Command to present then-President George W. Bush and his national security team with the idea of a cyber-weapon. The result was an effort code-named Olympic Games.
The effort involved the National Security Agency (NSA) and a secret Israeli military unit known as Unit 8200, The Times reported.
"Previous cyber-attacks had effects limited to other computers," former CIA Chief Michael V. Hayden told The Times, though he declined to say what he knew of the attacks when he was in office. "This is the first attack of a major nature in which a cyber-attack was used to effect physical destruction."
The origins of Stuxnet have been the subject of speculation since it was first publicized in July 2010. Much of the speculation centered on the United States and Israel. Nearly 60 percent of the computers found to have been infected by Stuxnet as of September 2010 were in Iran.
Designed primarily to compromise SCADA, or supervisory control and data acquisition, software used at nuclear facilities, the malware targets frequency converter drives in industrial control systems. The technology is used to control electrical power supplied to motors, thereby controlling motor speed.
Stuxnet was also notable to security researchers because of its overall sophistication. For example, the malware used four zero-day vulnerabilities targeting Microsoft products to infect computers.
The news of U.S. involvement "opens a Pandora's box of new complications," said Andrew Storms, director of security operations at nCircle.
"The biggest question in my mind is why the government isnt doing more to make our critical infrastructure more secure," he said. "If we know enough about the attack vectors to exploit SCADA vulnerabilities in other countries, we should be working harder to harden our own defenses against similar attacks. You have to wonder about the cyber-attacks in development now. If the government is willing to talk about Stuxnet, the current generation of cyber-weapons (is) definitely far more sophisticated."