by Kim Zetter
Inside the large testing hall, tall racks of control systems from Siemens and other vendors were arranged like stacks in a library at the front of the cavernous space, while more than a dozen man-sized centrifuges were spaced throughout the hall across from them. Jury-rigged cables attached to sensors snaked out from some of the centrifuges to record diagnostics and measure such things as the heat of the casing or the wobbling and vibration of the pin and ball bearing that kept the centrifuge balanced.
Some of the centrifuges spun for months, while data on them was collected. These were the research specimens, however. There were others whose fate was more dire. Just inside the entrance to the hall was a large reinforced cage made of acrylic and metal mesh—what a hospital baby-viewing room might look like if it were designed by the team from MythBusters—where condemned centrifuges went to die. Workers at the plant always knew when a centrifuge was being destroyed in the protective cage because it made a horrific explosive sound, accompanied by a rumbling in the ground.
The operation was in full swing by 2008, with centrifuges being destroyed sometimes on a daily basis. “You could tell the budget had jumped significantly,” the source says. President Bush, perhaps not coincidentally, had just managed to obtain $400 million from Congress for covert operations against Iran’s nuclear program.
While tests were being conducted at Oak Ridge, other tests were reportedly done on centrifuges at Israel’s nuclear facility in Dimona. It’s unclear how long all of these tests took or when officials decided they had enough conclusive data to conduct a successful attack.
During the 2006 testing, the development of the attack code was already under way. The exact timeline for that development is unclear, but the Symantec researchers found that a key function used in the attack code appeared to have been modified in May 2006. It was the code that Stuxnet used to initiate communication with the frequency converters in the attack on the 315 PLCs. And as noted, code used for the two command servers that were used with that version of Stuxnet—mypremierfutbol.com and todaysfutbol.com—was also compiled in May 2006. Other key functions in the attack code were modified in September 2007. Just two months after that, in November 2007, Stuxnet version 0.5 popped up on the VirusTotal website after it was submitted by either the testers or an infected victim.
At some point, some of the centrifuges at Oak Ridge or another lab were taken off for another kind of test—to directly measure the efficacy of the digital weapon against the centrifuges. When the proof-of-concept tests were done, officials reportedly presented Bush with the results of their labor—the detritus of a destroyed centrifuge that proved the outrageous plan might actually succeed.20 Like the Aurora Generator Test, conducted by the Oak Ridge Lab’s sister facility in Idaho in early 2007, the centrifuge test showed that heavy machinery was no match for a piece of well-crafted code.
HOW OR WHEN Stuxnet 0.5 was introduced to the computers at Natanz is still a mystery.21 Because the industrial control systems at Natanz were not directly connected to the internet and this version of Stuxnet had few spreading mechanisms, the attackers had to jump the air gap by walking it into the facility or sending it via email. This version of Stuxnet had only one way to spread—via infected Step 7 project files. This meant it had to be introduced directly into a programmer’s or operator’s machine either with a USB flash drive—perhaps by an unwitting contractor who didn’t realize he was a carrier for the worm or by a paid mole—or by emailing an infected project file to someone at Natanz.22 From a programmer’s or operator’s machine, it was just a step or two into the targeted PLC. Unlike subsequent versions that kept a log file of every system they infected, as well as a timestamp indicating when each infection occurred, researchers found no digital breadcrumbs to trace the path that Stuxnet 0.5 took.
This version didn’t target the 315 PLC and frequency converters but instead attacked the 417 PLC and valves, opening and closing the latter to manipulate the flow of uranium gas.
Cascades at Natanz were configured into fifteen stages, with a different number of centrifuges installed at each stage; as the gas moved from one stage to the next, and the amount of gas being enriched diminished as it progressed through the stages, the number of centrifuges needed to enrich the gas also diminished.
Stage ten, for example, which was the “feed stage,” where new batches of gas were pumped into the cascade, had twenty-four centrifuges. As the rotors inside the centrifuges spun at high speed and separated the isotopes, gas containing the U-235 concentrate was scooped out and sent to stage nine, which had twenty centrifuges, where it was further enriched, and then to stage eight, which had sixteen centrifuges. In the meantime, the depleted gas containing the concentration of U-238 isotopes got diverted to stage eleven, where it was further separated. The concentration of U-235 from this stage then got passed to stage eight when it was ready to join the other enriched gas. This continued until the enriched gas reached the final stage of the cascade and the final depleted gas was discarded. The last stage of the cascade, where the enriched uranium was sent, usually consisted of just one centrifuge and a spare in case it malfunctioned.
Each cascade had auxiliary valves that controlled the gas into and out of the cascade and into and out of each enrichment stage. Additionally, each IR-1 centrifuge had three narrow pipes at its top, with valves on each pipe that controlled the flow of gas into and out of the centrifuge. The feed valve opened to inject gas into the centrifuge, after which the enriched uranium got scooped out through the product valve, while depleted gas was extracted via the tail valve and pipe.
Stuxnet didn’t attack all of the valves at Natanz. Rather, it was selective in its assault. The underground hall where the centrifuges were installed was divided into modules, or cascade rooms. Each module could hold 18 cascades containing 164 centrifuges each, for a total of about 3,000 centrifuges per room. At the time Stuxnet was unleashed, only one room in the underground hall was complete—filled with 18 cascades. But Stuxnet targeted only six cascades. Not all of the centrifuges in each cascade were affected, either. Stuxnet targeted the valves on only 110 of the 164 centrifuges in these cascades, leaving valves on the remaining 54 untouched.
Once this version of Stuxnet found itself on a system at Natanz, it lay dormant for about thirty days before launching its assault, conducting system checks to make sure that various valves, pressure transducers—for measuring the gas pressure—and other components were present and monitoring their activity.23
While it mapped the system, Stuxnet also recorded various data pertaining to the normal operation of the cascade to play it back to operators once the sabotage commenced, just as the 315 attack code did. For example, it briefly opened valves in the last stage of a cascade to take a pressure reading, then replayed this normal-pressure reading back to operators during the attack, to conceal the fact that the pressure had increased.
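The replay of a recorded normal-pressure reading described above is the kind of deception a plant monitoring system can be built to notice. The following is an added example, not code from the book or from Stuxnet: it runs two defensive checks over constructed sample readings. The first flags a window of sensor values that exactly repeats an earlier window, since a real pressure transducer carries noise and should never reproduce a stretch of readings bit for bit. The second compares the value shown to operators against an independent reference sensor that does not pass through the PLC. The readings, the window size and the tolerance are all assumptions chosen for illustration.

```python
"""Defensive checks for replayed sensor readings on an operator display.

Added example, not from the book or from any real plant code. All readings
below are constructed values in arbitrary pressure units.
"""


def find_replay_ranges(readings, window=8):
    """Return merged (start, end) index ranges, inclusive, of readings that
    exactly repeat a non-overlapping earlier window of the same feed.

    Noisy measurements do not repeat verbatim, so an exact repeat of
    `window` consecutive values is treated as evidence of replayed data.
    """
    first_seen = {}      # window contents -> index where first observed
    flagged = set()
    for i in range(len(readings) - window + 1):
        key = tuple(readings[i:i + window])
        earlier = first_seen.get(key)
        if earlier is not None and earlier + window <= i:
            flagged.update(range(i, i + window))
        else:
            first_seen.setdefault(key, i)

    # Merge the flagged indices into contiguous ranges.
    ranges = []
    for idx in sorted(flagged):
        if ranges and idx == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], idx)
        else:
            ranges.append((idx, idx))
    return ranges


def divergence_alerts(displayed, reference, tolerance=0.15):
    """Return indices where the operator-facing value differs from an
    independent reference sensor by more than `tolerance` of the reference."""
    return [
        i for i, (shown, real) in enumerate(zip(displayed, reference))
        if abs(shown - real) > tolerance * abs(real)
    ]


# Constructed data: 15 live noisy readings near 1.0. The attacker is assumed
# to have recorded the first 10 of them and to replay that recording twice
# while the real pressure climbs toward five times its normal value.
LIVE_BEFORE = [1.02, 0.98, 1.01, 1.00, 0.97, 1.03, 0.99, 1.01, 1.00, 0.98,
               1.01, 0.99, 1.02, 1.00, 0.98]
RECORDED = LIVE_BEFORE[:10]
HMI_FEED = LIVE_BEFORE + RECORDED + RECORDED            # what operators see
RISING = [1.3, 1.6, 1.9, 2.2, 2.5, 2.8, 3.1, 3.4, 3.7, 4.0,
          4.3, 4.6, 4.8, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0]
REFERENCE_FEED = LIVE_BEFORE + RISING                   # independent sensor


if __name__ == "__main__":
    print("replayed ranges:", find_replay_ranges(HMI_FEED))
    print("divergent samples:", divergence_alerts(HMI_FEED, REFERENCE_FEED))
```

The repeat check works with no second sensor at all, which matters where the PLC is the only source of truth on the operator screen; the divergence check is the stronger control but requires instrumentation wired outside the controlled path. Both flag the constructed replay from sample 15 onward.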
Once it collected all the data it needed, it waited until certain conditions on the cascade were met before proceeding. An individual cascade, for example, had to have been operating more than 35 days before the attack commenced, or all six of the targeted cascades—if they were all running—had to have been operating a total of 298 days or more.
Once it began, Stuxnet closed various valves, except the ones in the feed stage where the gas entered the cascade. In stage nine, for example, it closed the exit valves on only fourteen of the twenty centrifuges, and in stage eight, it closed the exit valves on thirteen of the sixteen centrifuges. The valves it closed in each stage were randomly chosen through a complex process.
With all of these valves closed, Stuxnet sat and waited for the pressure inside the centrifuges to increase as gas continued to pour into them but couldn’t escape. It waited two hours, or until the pressure in the centrifuges increased fivefold, whichever was first. Once either of these effects was achieved, Stuxnet proceeded to the next step, opening all of the auxiliary valves except three valves believed to be near the feed stage. Then it waited about three minutes and fed more fake data to operators while preventing any changes from being made to the system for an additional seven minutes. Toward the end of the attack, it opened a set of about twenty-five valves. Albright and his colleagues at ISIS suspected these valves were in the “dump line.” Each stage of the cascade had a pipe that connected to a dump line so that if something went wrong with the centrifuges or the enrichment process, the gas could be dumped from the cascade into a cooled tank. If Stuxnet opened valves for the dump line, then gas inside the cascade would exit into the tank, causing it to be wasted.
Once all of this was done, the attack ended and reset itself.
The fact that only some of the centrifuge valves were affected and that the attack lasted just two hours, during which operators were fed false readings, created great confusion among the technicians at Natanz, who would have seen problems occurring in the centrifuges over time, as well as a decrease in the amount of uranium that was enriched, without being able to spot a pattern or pinpoint the cause.
Researchers still don’t know precisely which valves were opened and closed by Stuxnet, so it’s impossible to say definitively what the effects were. But based on certain assumptions, Albright and his colleagues posited two scenarios. In one, the final product and tail valves at the end of the cascade were closed, so that gas would keep pumping into the cascade but couldn’t get out. In this scenario, the pressure would increase rapidly, and once it reached five times the normal level, the uranium gas inside the centrifuges would begin to condense and solidify. As the resulting solid got caught in the centrifuge’s spinning rotor, it would damage the rotor or cause it to become imbalanced and strike the wall of the centrifuge. This wobbling would also destabilize the bearings at the bottom of the centrifuge, causing the centrifuge to teeter off balance. A whirling centrifuge detaching itself from its mooring at high speed is a destructive thing and would take out other centrifuges around it.
In this scenario, the pressure would have built up in the later stages of the cascade faster than earlier ones, causing these centrifuges to fail first. Albright and his team estimated that such an attack might have destroyed about 30 centrifuges per cascade. It’s believed that by focusing its effort on centrifuges in the later stages of the cascades, where the enriched uranium was most concentrated, the sabotage would have had more impact. If a centrifuge was destroyed near the feed stage, where the concentration of U-235 was the smallest, less time and work were lost than if the gas had passed through the entire cascade and been enriched nearly to the point of completion before the end centrifuges were destroyed and the gas was lost.
It’s also possible, however, that Stuxnet didn’t close the product and tail valves at the end of the cascade. If that’s the case, Stuxnet’s primary effect would have been more modest—it would have simply reduced the amount of gas being enriched. Gas would have been fed into the cascade, but with valves on 110 of the 164 centrifuges closed, it would only have been able to pass through the 54 centrifuges in each cascade that weren’t affected by Stuxnet, which would have resulted in a smaller amount of gas being enriched and less enrichment achieved.
While Stuxnet conducted its sabotage and fed false data to operators, it also disabled a safety system on the cascade designed to isolate centrifuges before they could cause damage. The safety system was fairly elaborate and included an accelerometer on each centrifuge—to monitor the vibration of the centrifuge—as well as a couple dozen pressure transducers per cascade to monitor the pressure. If a centrifuge was at risk of crashing, the emergency response system acted rapidly—within milliseconds of detecting a problem—to close the valves on the centrifuge to isolate the gas inside it.24 The kinetic energy from a troubled centrifuge would create a pulse of hot gas that, if not contained, would radiate out through the cascade and damage other centrifuges. The emergency response system was supposed to act quickly to halt the flow of gas from that centrifuge, but Stuxnet disabled that system so there was nothing to isolate the damage.
The assault capabilities of Stuxnet 0.5 then were multipronged—it increased the gas pressure to damage the centrifuges and spoil the gas, it dumped some of the gas from the cascade so that it couldn’t be enriched, and finally it reduced the number of working centrifuges so that the amount of enriched uranium that came out of the end of the cascade was reduced. It is unclear just how successful this version of Stuxnet was. But judging by IAEA reports, it did appear to have some effect on the program.
THE INSTALLATION OF cascades at Natanz occurred in three stages, each of which the IAEA inspectors tracked during their visits.25 First, the cascade infrastructure—pipes, pumps, and valves—was put in place. Next the centrifuges were installed, and their motors turned on to start them spinning. At this point, the vacuum pumps removed air that might cause excessive friction and heat. When the centrifuges reached optimal speed, the gas was piped in to begin enrichment.
Iran had begun installing centrifuges in Hall A, one of Natanz’s two cavernous underground halls in early 2007. As previously noted, the hall was designed to have eight large rooms or units—A21 through A28—with eighteen cascades in each. Each cascade was designed to hold 164 centrifuges, for a total of 2,952 centrifuges in each unit.26
Technicians began installing the first centrifuges in Unit A24 in February that year and planned to have all eighteen cascades in the unit by May. But that didn’t happen.27 By mid-August, only twelve were installed and enriching gas. It took until November to get the rest of them in place. But by then, there were signs of trouble. Technicians were feeding less gas into the centrifuges than they were designed to hold and were holding back some of the gas in a “process buffer,” between the feed point and the cascades. From February to November, they fed about 1,670 kg of gas into the feed hull, but held 400 kg of it back in the buffer zone so that only 1,240 kg actually made it to the cascades. What’s more, the gas that got into the cascades produced much less enriched uranium than expected. It should have produced 124 kg of low-enriched uranium—10 percent of the amount fed into the cascades. But instead the Iranians got only 75 kg out of it.28 It’s a trend that remained constant for most of 2007, with more feed going into the centrifuges than product was coming out. The level of enrichment was also low. Technicians claimed they were enriching at 4.8 percent, but IAEA tests indicated the gas was enriched to between 3.7 percent and 4.0 percent.
Was Stuxnet 0.5 at play, messing with the valves and the enrichment levels? It’s hard to know for sure, but the problems didn’t go unnoticed by outsiders. The 2007 National Intelligence Estimate released by the United States in December that year noted that Iran was having “significant technical problems operating” its centrifuges. Centrifuges were crashing at a rate 20 percent higher than expected. A senior IAEA official told David Albright that the breakage resulted in partially enriched gas being dumped into waste receptacles, which was likely the cause of the low production numbers.29
At the time, Albright and his colleagues attributed the high breakage rate to the poor centrifuge design and the fact that Iran was still “learning the difficulties of operating centrifuges in large numbers.” But the problems were consistent with what would have occurred if the valves were being manipulated by Stuxnet 0.5.
Whatever the cause, Iran couldn’t afford to waste uranium gas. It had a limited supply of uranium imported from abroad and its Gachin mine doesn’t produce enough uranium to sustain its nuclear program.30
Between November 2007 and February 2008 technicians installed no new cascades in the hall and focused instead on trying to resolve whatever was creating the problems. Things appeared to turn around after February, however. By the time Ahmadinejad took his triumphant tour of the plant that spring, the cascades were operating in a more stable manner, with fewer breaking. Enrichment levels were hovering at a steady 4 percent, and where previously technicians had fed the centrifuges only half the amount of gas they could handle, they were now feeding them 85 percent of their capacity. Even the performance of individual centrifuges had increased.
By all accounts, Iran appeared to have mastered its problems with the cascades. Technicians began installing cascades at a breakneck pace—a pace that was much more rapid than reason or caution advised. As soon as one cascade was in place, they began feeding it gas, then moved on to the next cascade. In May 2008, Iran had 3,280 centrifuges enriching gas, but by August, the number had grown to 3,772, an increase of 500 centrifuges in three months.31
There was a lot of political pressure inside Iran to move quickly on the nuclear program. UN sanctions and the lack of progress in negotiations with the West irritated Iranian leaders, and they were tired of the delays. But the sudden ramp-up was ill-advised and likely was not supported by Iranian scientists and engineers. Even under normal conditions, installing centrifuges and getting them to run properly was a tricky business. Add to this the inherent fragility of the IR-1s and it didn’t make sense to move this fast.
“From an engineering point of view, it’s kind of a reckless procedure, because if you barely operated a 164-machine centrifuge cascade, why would you want to race and try to operate eighteen or thirty cascades all at once?” says Albright. “An engineer would say do this very slowly, and make sure that you’ve understood how to work all these things as a unit before you start scaling up like that.”32
But few problems occurred during this period, and by the end of the summer, the technicians at Natanz must have begun to grow confident that they had put earlier troubles behind them. Then conditions began to go south again.