The Rest Is Classified - 70. Israel Attacks Iran: The Virus Spreads (Ep 3)
Episode Date: August 3, 2025

What was the "horse blanket" and how did it guide Obama's decisions on cyber warfare? How did the Stuxnet virus evolve to target Iran's centrifuges more aggressively? And what were the risks and ethical dilemmas involved in unleashing such a powerful and precise cyber weapon? Listen as David McCloskey and Gordon Corera delve into the Obama administration's acceleration of the Olympic Games program, the sophisticated targeting mechanisms of the Stuxnet virus, and the increasing pressure on Iran's nuclear ambitions.

To sign up to The Declassified Club, go to www.therestisclassified.com. To sign up to the free newsletter, go to: https://mailchi.mp/goalhanger.com/tric-free-newsletter-sign-up

Order a signed edition of Gordon's latest book, The Spy in the Archive, via this link. Order a signed edition of David's latest book, The Seventh Floor, via this link.

Email: classified@goalhanger.com Twitter: @triclassified Assistant Producer: Becki Hills Producer: Callum Hill Senior Producer: Dom Johnson Exec Producer: Tony Pastor
Transcript
For exclusive interviews, bonus episodes, ad-free listening, early access to series,
first look at live show tickets, a weekly newsletter and discounted books, join the
Declassified Club at therestisclassified.com.
A covert action has been launched against Iran's nuclear programme, but this time on
the Rest is Classified, we look at how the Obama administration decides to accelerate the targeting of Iran's centrifuges
in a way that ultimately leads it to going out of control.
There was no consensus within the Obama administration about how these weapons should be used.
Even while Obama was approving new strikes on the Iranian nuclear plant, he harbored
his own doubts.
In meetings in the Situation Room in the first year of his presidency, Obama had repeatedly
questioned whether the United States was setting a precedent using a cyber weapon to cripple
a nuclear facility that the country would one day regret.
This was, he and others noted, exactly the kind of precision-guided weapon that other nations would someday learn to turn on us.
It was the right question, said one senior official who came into the administration after the Stuxnet attacks were over.
But no one understood how quickly that day would come.
Well, welcome to The Rest is Classified.
I am David McCloskey.
And I'm Gordon Corera.
And that is David Sanger writing in his book, The Perfect Weapon, about, of course, the
Stuxnet virus, this effort by, allegedly, Gordon, I guess, the United States and Israel
to disrupt and delay Iran's nuclear program. We have been looking
over the last couple episodes at the story of Iran's nuclear program and really some of the
first concerted attempts to sabotage it and take it down, not with bombs as we've seen recently,
but with this cyber weapon. And the last time we looked at how the virus was first
unleashed, it was around 2007, caused this massive confusion
inside the Iranian program as nobody could really
work out what was going on.
Centrifuges that you so eloquently talked about,
Gordon, the scientific basis of how a centrifuge works.
These centrifuges had been, of course,
used to enrich uranium.
They'd been more or less taken offline for periods of time by this cyber attack. And
this program is about to take a turn as the Iranians speed headlong toward a bomb and
the United States and Israel desperately try to stop them.
The cyber weapon had first been unleashed in 2007 under the Bush administration. But by the time you
get to 2009, President Obama is taking office and there is a handover, which I'd love to
sit in on by the way, one day, of all the secret operations that are underway, the really
secret stuff that only one president can brief another president about. And I think that
this time one of those secret operations that are underway is this one called Olympic Games. That's the code name for it, although
the virus itself will become known as Stuxnet. And it's interesting because President Bush
explains the program and personally recommends to President Obama that he should keep it
going because it's working because these Iranian centrifuges are blowing up.
You bring up a good point, though, which is that the program itself, this virus, this
weapon, has come to be known as Stuxnet, but nobody inside the United States government
at this time would have called it that.
This would all have been done under this Olympic Games sort of covert action program.
Like literally nobody would have called it Stuxnet.
It's a name that will be given later by the people who research it out in the wild, rather than the actual kind of teams behind it. But it's interesting, because President Obama is going to be very interested in this program when he takes office in 2009. And very focused on it. The briefers bring out something called the horse blanket, which is a giant folding map of Iran's nuclear program.
So he could see what was being done
to different centrifuge cascades in the towns
and decide on next steps.
And it's compared to President LBJ
looking at maps of bombing targets in Vietnam.
Then it's about, where do you wanna bomb, Mr. President?
Here it's which centrifuge cascade should we go for
and how should we go for it using a cyber weapon. But it's the same kind of thing with a briefer showing
this map to the president.
What's on the map? Is it just pictures of the facilities or
like,
I'm imagining it. It's you know, we talked in the very first
episode of the enrichment facility beneath the ground in
Natanz, the one they're building, which got room for 50,000 centrifuges.
I'm guessing it's almost a map of that. Maybe of other facilities as well.
But saying these are where these different cascades of centrifuges are and these are the ones we've already damaged and the Iranians are worried about.
And these are the ones we think we can take out with a new update to the cyber weapon. I'm guessing that's what it is. But he's also worried, he understands, as we heard from that opening quote, that this is,
you know, it's something new. And we'll come back to how new it is. But he understands there are
risks to unleashing this kind of cyber weapon, but he is going to accelerate it. I mean, one of the
reasons is that he actually wants to focus on diplomacy. And so back to that idea of buying time,
avoiding a military strike, and the Israelis pushing him into action or taking action themselves
by buying time for diplomacy through the kind of covert action side.
Well, that's interesting, right? I mean, you look at the sort of campaign Obama and then compare
that to what he did. There obviously was a sort of faith that developed in
the administration about covert action, right? And honestly, I guess that is some of the allure of it
is, well, it's pretty hard to conduct diplomacy if you're openly bombing a country. But if you're
clandestinely, covertly sabotaging its nuclear program, and they don't
even quite know what's going on, that doesn't exactly rule out diplomacy. You can sort of
walk and chew gum at the same time. So I can see why it would be alluring. Although 2009,
of course, it's a pretty big year inside Iran.
Yeah, it is. I mean, President Obama's tried to send a message, I think, in March 2009,
just a really unusual message
to the Iranian people kind of holding out the hand of friendship and sends private letters.
And he kind of, they get rejected, nothing happens, but I think he knows that, but he
feels he's got to try and open this diplomatic front.
But you're right, you know, 2009 big year inside Iran, because you have the protests
against an election which Iranian people believe is rigged. And they come out on the
streets famously in this big movement. The Green Movement.
Yeah, which is, you know, it's a big moment for Iran when people thought could this topple a regime?
And it's interesting because President Obama doesn't support them. He doesn't come out and
give a statement of support. He doesn't say the elections are rigged. And I think some of the people around him will later say this is a regret for them,
that they didn't side with the protesters a bit more.
But I guess it's always that problem that if you side with them, then it allows the
regime to say, well, you're all just, all the protesters are basically CIA puppets
and being manipulated.
So yeah, it's a difficult balancing act.
But yeah, there's a lot of change going on, I think, within Iran at that moment and challenge.
And I guess also an acceleration of the nuclear program at the same time, right? Because there's
more and more centrifuge installation, which you need to get to the quantities of enriched
uranium for a bomb. And then also, and I remember, I didn't, wasn't covering Iran at the agency at
this time, but I remember in September of 2009, Fordow, a site that had just been bombed, was found,
and I think publicly revealed for the first time. Yeah, and that was a really big deal. I remember
it as well, because you had a lot of Western leaders stand up together and say, we are going to reveal to the world that Iran has another secret site at Fordow.
It's really interesting, the backstory to this, because I think they'd known about it for some time.
This had been a Revolutionary Guard Corps kind of base.
And Fordow, we should say, people might know about it because they've seen it in the news recently.
It's a mountain, you know, it's a mountain which has been tunneled into.
And I'm pretty sure that it was a walk-in. Maybe even on the British as
well as American side, it's all very secretive, but that at first kind of tipped them off about Iran building
another secret nuclear facility. And this is absolutely crucial to the story and obviously
to what's happened recently, because we've been talking about Natanz, you know, this place the inspectors had first visited in 2003, where they're building
the centrifuges. But now suddenly, it's being revealed that Iran had secretly also been building
another enrichment facility, covertly without telling anybody again, and doing it in a mountain.
You know, the point is, that's a bad look for your peaceful nuclear program.
Because Natanz is like 30 feet below ground or something like that.
This is hundreds of feet below kind of rock and concrete.
So it's a completely different target.
It's interesting, there was in some of the books about this,
there's references that the end of the Bush presidency,
where they'd first learned of it, there'd been some discussion about whether they could actually send a special forces
team onto Iranian territory to try and sabotage it before it developed too much. But they obviously
decide against that, it would be a hugely risky operation to try and do. So instead, they reveal
it to the world in September 2009, that this new enrichment facility is being built. And that then creates another
big debate about the nuclear program, because the Israelis fear that Fordow gives them a
kind of zone of immunity where, free from inspections, deep underground, Iran can quickly
move towards a bomb and they won't have the intelligence or advanced warning that they're
doing this breakout that we talked about and making that final push towards a bomb. So as you get to 2009, there's lots going on and Israel
is also upping the pressure on the US as a result. And it looks like they're kind of thinking what
else can we do to delay the Iranian program, assassinations will come back onto the agenda. So 2009, 2010 is a big period
of pressure. And that's why it looks like there is this decision to accelerate Olympic
Games, to push it, you know, to take it up a level, even from what it's been doing before.
And so taking it up a level in this context looks like targeting more of the cascades
more frequently.
Yeah.
I mean, there's this balance, right?
Now that you've got this, I mean, access, right?
You don't want to lose it.
And so you have to be, I guess you have to be careful how frequently you mess with them.
Because if you just are constantly doing it, eventually they might find the code.
They might discover that, you know, this is actually foreign actors doing this.
So you run a great risk, I guess, if you up the frequency or you start to target other
pieces of these sites.
And I guess that's the decision making and the debate which must be going on at the highest
level.
The horse blanket, by your point over the horse blanket.
Yeah, the horse blanket.
I guess that is the point of the horse blanket, isn't it?
It's going, okay, if we could take down these centrifuges by
upping our game, but there is a risk that it will get discovered or that something will happen,
which will blow the program, but they're going to up the game. So the early attacks that we talked
about from 2007, it's thought they target the valves which let the uranium gas in and out of
the machine. So this new set of attacks from around 2009
is instead going to target the frequency converters
which supply power to the centrifuges.
Back to our centrifuge lesson, very delicate,
have to spin at the right speed.
The power has to be maintained precisely
to get them to spin at this supersonic speed.
So if you mess with that power supply and with the power being
delivered into the centrifuges, you can slow them down, you can speed them up, you can mess with them
and you can put kind of strains and stresses on the systems by making them spin faster and
slower. So that's what the new code looks like. The best account, by the way, of all the detail of how the code worked is in Kim Zetter's book Countdown to Zero
Day on Stuxnet, which is a brilliant book, which really gets deep into this, and I'd
really recommend that. But again, what they do with this new set of code is they record
what normal operations look like and feed it back in when the attack's underway so
no one would spot anything.
So for 13 days there's a recon stage where the code sits on the programmable logic controller,
the thing that controls the power supply recording the normal operations.
When it's got enough data it moves to an attack phase, two-hour countdown,
then it targets the frequency converters which deliver the power for 15 minutes,
slows down, speeds up the centrifuges, does it for just 15 minutes, and then goes back to normal.
I mean it's wildest. And then it waits for 26 days while recording normal processes again,
and then goes back into another attack cycle, this time for 50 minutes rather than 15, and then alternates this 15-50 minute
attack cycle over 26 days. So it's really interesting because again, it's so precise,
because what they're trying to do is introduce stresses on the materials inside the centrifuges.
So they're not just like switching off the power or speeding it up to the point where the centrifuges crash, they're stressing
the centrifuges so that they break. I mean, again, it is just amazing the amount of research
and understanding of how these centrifuges work and what you can do with them in order to develop
code to do it that precisely and to know you'll have an impact. I just think it's amazing when
you think about it. I love this quote that you put on here, Gordon, which I think
really captures it well, which says the attackers were in a
position where they could have broken the victim's neck, but
they chose continuous periodic choking instead. And I guess at
this point, they've been in Natanz for a few years, messing
with it, right? I mean, which is also incredible is that they've just sort of been slowly sapping
this facility's productivity, right, for four years at this
point. And I guess maybe there's a good chance to take a break.
When we come back, we'll see how this choking starts to get even
tighter. See you after the break.
Well, welcome back. It is December of 2009, early 2010, and Gordon, now we've got the
return of our good friends at the IAEA, the International Atomic Energy Agency, who are
going to be this dance of inspectors coming
into Iran and trying to get access to facilities.
We're back to this.
We're going to have inspectors crawling around looking at Natanz, looking at Fordow, all
up in the Iranians business while Stuxnet is going on in the background.
I love the idea of inspectors.
It makes it sound like, I imagine like Inspector Clouseau with like a magnifying glass looking
around, looking at things.
Definitely. They definitely have clipboards, a lot of clipboards and magnifying glasses.
I don't think that's what they're really like.
I think they have high-tech samplers, but I just think this idea of international inspectors.
But yeah, they're visiting the site late 2009, 2010.
They can see the Iranians are replacing centrifuges at a faster rate than normal, that some of
them are getting damaged, that they don't know what's going on. It looks like the Iranians are firing some of their engineers
and they're running tests on the motors to find out why the speed's changing. It's
this whole confusion they've got, but they're still pressing forward. So in early 2010,
it looks like US and Israel, who we assume are behind this, decide, as people say, to swing for the fences,
which I guess is a baseball thing.
That is a baseball thing.
It's a baseball thing.
I was trying to look at that,
because I read that in Kim's book.
I was thinking, swing for the fences, you know,
just take a big shot to get the home run.
Have I got the language right?
You're going for the home run, try to clear your bases.
I don't know, anyway, I never understand baseball.
What you said there isn't technically wrong,
but it doesn't
sound right. Like you would not go for the home run.
Okay. But the other analogy I like is that they supersize the
virus, which is like, you go into your McDonald's and say, I
want the Big Mac meal, I supersize it. So it's like supersizing
the virus. To go after and they're going to supersize it to
go after a specific array of 1,000 centrifuges.
Now, here is the thing.
They're going to be more aggressive.
They want to move fast.
So they're upping their game.
And they still have this problem,
which is getting over the air gap to get into the systems.
So you want to get your new virus into the systems
and do the damage.
And of course, as we said before, these systems are not connected to the regular internet. And previously
they'd use flash drives, giving them to lots of people hoping they get in and then they spread.
Now they're going to slightly change it looks like the delivery mechanism for the virus and
they're going to use what's called a worm. And the point about computer worms is they self-propagate.
They spread by themselves.
And this has been something that's known about for years
that you can do this with computer worms.
And some of the earliest computer worms are fascinating.
There is a great story about,
I won't do the whole story here, about the Morris worm,
which is the first computer worm, November, 1988,
where this student wants to
test how far he can spread a worm. So he launches it. I think he goes to MIT to launch it to try and
hide his tracks, even though he's not an MIT student. And it spreads and it basically takes
down the entire internet because he's made some of his worms basically what are called immortal
worms, which don't die, and immortal worms are bad and they spread anywhere.
So it takes down the internet.
But here is the bit I love about the Morris worm story is one of the people who gets a
phone call to say it's a problem is the chief computer scientist at part of the NSA, America's
Signals Intelligence Agency, who works for the National Computer Security Center. And his name is Robert Morris. And it turns out it's his son who's unleashed the worm.
And you always think that's a bad day in the office when your son, when you work at the NSA
and your son has taken down the internet.
Like father, like son, no. Gordon, come on.
Exactly. He's an expert. But that is the point about worms.
Why are they self-propagating though? That's an inherent feature of the code that makes it a worm?
That is why it's a worm rather than a virus, because it spreads by itself. You don't need to
just infect a host like a virus, but the worm, this is the idea of it in computer speak, cyber speak, is that it
will move from machine to machine by itself. So it's got a life of its own effectively.
That's the idea that you get it onto the network somehow, and then it can spread around the
Iranian network, machine to machine, even in their local network, until it finds a way in to the centrifuges you want to hit. But you know,
the crucial thing is it's still very targeted in terms of what it's trying to actually
do and who it actually unleashes its payload on.
Is the hope in this kind of new phase that they will reach other facilities? Is it we're
trying to get beyond Natanz to get
into Fordow or like just different pieces of the cascade at Natanz?
I think it's more that pressure to up the game, to get to the centrifuges you want,
and knowing that this could take quite a long time to get to them. And it could take quite
a long time through the previous methods before the right USB
hits the right computer, which is connected to the right computer. So instead, you inject it into the
system somehow through one person. And then you just let it spread until, and this is the crucial
bit, until it finds the exact system that it's looking for. And it's really interesting because
it's really precisely engineered. We talked before, you know, these are programmed to look for
Siemens logic controllers, but in this case it is looking for a logic controller connected to a specific array of
systems running Iranian centrifuges. And if that very specific combination of different software and hardware
packages is not in existence, then the code just sits there and does nothing.
It's quite interesting.
It's really, again, the complexity of it is amazing
because it's got to contact its kind of controller
when it affects a new system.
And whoever's designed this has set up fake football websites
to act as the command and control server.
So when it reports back-
American football?
No, I think it's proper football, David. Okay.
Because the theory is that that will mask, if someone is seen checking football results
websites, if that's spotted, it will just look like an engineer who's maybe checking
how Real Madrid or someone are doing. Yeah, that would be bad if it was American
football because I can't imagine there's too many...
Checking how the Dallas Cowboys are doing... Iranian nuclear engineers who are like, oh, let's go and check in on the Cleveland
Browns scores today.
So it's really precisely engineered. And if the exact conditions aren't met, it does nothing.
It just doesn't release its payload. So it's so interesting because the whole aim of this is to
avoid collateral damage to other systems. So to avoid hitting a different logic controller,
a different industrial facility and activating.
There's even, I mean, this is the next bit
that's fascinating about it, an expiration date for it.
So every time it infects a new machine,
it checks whether it's after June the 24th, 2012.
And if it is after that date, then it stops, doesn't do anything.
So the whole thing is timed to self-destruct as well as only actually affect one single target machine.
So you've got something which is going to spread across the Iranian network,
but look for only one machine to be able to hit its target. And even then only lasts for a couple of years.
Which I guess does mark it as kind of a government program,
right, because you'd figure if this is actually a group
of hackers or something like that,
that you wouldn't figure an expiration date being built in.
I think that again is one of the clues that will come out
of the discovery of this virus,
because everything about the way this
is engineered is to be precisely targeted.
And people I spoke to said, I remember I spoke to US cyber czar Richard Clarke, and he said, it just says lawyers all over it.
Oh, I can't even imagine how many lawyers must have been all over this thing.
I mean, every covert action program is just covered in lawyers anyway, right?
And this seems, with all of the potential risk that this weapon might get out.
Because when you put together a covert action finding, it's not a particularly complicated
document to draw up, but you're of course, one of the sections you're going to list is
like what are the risks associated with this, right? And I would think here, you not only have the risk that this thing gets out, right? But you also have a risk when you're if you're messing with an industrial facility, I guess you're taking a risk along the way that there'd be people who get killed in these accidents, right? And so you're having to get a more elevated sort of authority to conduct attacks like
this.
Even if the risk isn't particularly high, it still would have to be acknowledged as
part of this.
So you're going to have lawyers all over this thing, for sure.
And I think everything that you see about the code and the way it's designed suggests a real rigor
and deep kind of oversight accountability, lawyered process to put together that code.
You can see someone going, if you're releasing something which can take down industrial facilities,
then it absolutely has to be totally targeted so that it will definitely
only affect one place and affect one type of system.
And we want an expiration date so this doesn't last forever.
It doesn't take down the whole world and self-propagate in that way.
So you can see actually, I think it's really interesting with the precision of the delivery system and of the kind of restraints and constraints
which are put around it, that this is the result probably of quite a lot of arguing and interagency
meetings. And you can imagine, and we don't know the detail of it, you can imagine President Obama
going, I'm only going to sign this off, you know, this more aggressive attack, if I know it's not going to take down Iranian electricity grids or
neighboring countries electricity grids or come back to our electricity grids and take them down
and do these kind of things. You could imagine that that will be the stipulation which is put on
unleashing this new, more aggressive covert action as part of the program. But of course, I guess you can put an expiration date on it and you can write up the legal
kind of language, however you'd like. But the reality with self-propagating computer
worm is that you really have no control where it's going to end up, right? So at some point,
presumably, you know, spoiler alert, it's going to escape.
Yeah. And I think the idea was it would just remain within this Iranian network
of Natanz and look for the configuration it was after and then act. But...
Oops.
Oops. The problem with a self-propagating worm is that it's a self-propagating worm and you
can't control where it goes.
So just like Robert Morris, this kid in the 80s who didn't plan to crash the entire US
internet at that time, there are unintended consequences when you release something onto
the internet.
And so it looks like, I mean, we can't know exactly what happens, but there must have
been a moment where perhaps an Iranian scientist whose laptop had been
infected with this worm then plugs into the internet, you know, with maybe the same laptop.
And at that point, the worm escapes.
I just have this vision of a kind of big kind of cybery worm.
It's a giant sand worm.
Like in Dune.
Yeah, like in Dune.
Yeah.
I just imagine it tunneling through a fibre optic cable, like I'm free and escaping onto
the internet.
Free at last.
And it's out.
And it looks like it is a mistake in the code.
It looks like there wasn't intended to get out onto the general internet, but it is going
to escape all around the world. And so in the summer of 2010,
suddenly it's appearing and it's appearing on machines, this bit of code everywhere. And it is
the most sophisticated piece of malicious software any cybersecurity researcher has ever seen in the
history of the world. And it's out there on all these machines. And yet it's not doing stuff to their machines.
The one person who had their laptop connected
to a Siemens PLC was shocked to see what was happening.
And it's gonna take them months to understand,
but also in the White House as well,
as soon as they realize this, which is in the summer of 2010, there is panic. There's an emergency meeting of top US officials in the Situation Room.
Once they realise it's out in the wild, and it's really interesting because they agree that this
isn't going to be secret for long. People are going to work out what it is. And so they're
actually going to roll the dice again and give it another chance to do as much damage as possible before the Iranians work out what it is.
So it looks like they actually at that point inject two more versions into the system to
try and hit the thousand centrifuges they really want to take out.
They're going to swing for the fences again as a kind of last swing.
They're going for the home run.
Before you get caught out.
Is that what happens?
Before they catch you out and they catch the ball?
Is that a good analogy?
No, no, that one doesn't work.
But one question that I have is, so this virus, this worm,
I mean, sat on computers inside the Iranian nuclear program now at this point for three
years and wasn't discovered. Why is it that as soon as it gets out, it's seen right away?
It must be something to do with that specific bit of code because the original code was also
really carefully designed to be encrypted, to also not show up when you do a kind of virus scanning system,
to be hidden in all those ways. But at this point, it is out. It is a larger bit of code than
anything that's ever been seen before. And it is starting to sit on systems. And on some systems,
it does kind of muck around with them a bit. So in a few places, it doesn't quite switch them off, but you can start to see that there's
a big block of code sitting on a system and doing something, even if you don't understand
what it is.
And so now the race is on because you've got the code unleashed, you've got the Iranians
perhaps about to realise that there might be a link between what's happening and the
problems in their nuclear program,
and all these researchers in the outside world from the summer of 2010,
trying to pick it apart and understand what's happening.
So we are really reaching the final stages now of this covert action.
That sounds like a great cliffhanger, Gordon, to end our third episode on Stuxnet and Olympic Games and look toward the thrilling climax in which the US and
Israel allegedly will double down yet again on the power of this cyber weapon and a whole host
of cybersecurity researchers are going to start to unpack what exactly is this worm that has escaped and
look at this kind of history changing cyber weapon as it gets out into the wild.
But of course, you don't have to wait for that episode.
You can join the Declassified Club at therestisclassifiedatgoalhanger.com.
Get early access to all of these wonderful episodes,
get bonus content.
There's so many reasons to do it.
We hope to see you there and we'll see you next time.
See you next time.