Those revelations surfaced Friday in The New York Times, in a story written by David Sanger, who had been conducting research for his forthcoming book, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power.
"This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European, and Israeli officials involved in the program, as well as a range of outside experts," reported Sanger. "None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day."
[ What do we know about the Flame malware? Read Flame FAQ: 11 Facts About Complex Malware. ]
Officials said that Stuxnet was developed as part of a classified program codenamed "Olympic Games," which was begun under President Bush, and which Obama ordered to be accelerated. As part of that program, malware was developed to first create a blueprint of an Iranian nuclear facility at Natanz. As fears of Israel launching an airstrike against Iranian facilities increased, the administration opted to make Israel part of the Olympic Games program. The Israelis worked with the National Security Agency to design Stuxnet, which was introduced into the Natanz facility via USB drives by spies and unwitting employees.
But in 2010, reported Sanger, an error in the code led to the virus spreading outside of the Natanz facility, at which point it began infecting PCs worldwide.
Stuxnet broke new malware ground because the complex application was designed for the sole purpose of sabotaging the high-frequency convertor drives used by the uranium enrichment facility at Natanz. That made it the first known virus to disable physical equipment. The virus managed to disable 1,000 of the 5,000 such drives Iran had in use at the time, delaying its uranium-enrichment program by 18 months to 2 years, according to internal Obama administration estimates. Outside experts, however, believed the resulting delays to be less substantial.
Security experts, of course, are now trying to unravel the mysteries of the Flame malware. The espionage and information-gathering virus, first detailed publicly on Monday, has predominantly been aimed at targets in the Middle East and Eastern Europe.
In the wake of the Stuxnet revelations, the next logical question is: Did the U.S. government also commission Flame?
U.S. officials told Sanger that Flame was not part of the Olympic Games program, although they declined to comment on whether the malware had been built by the United States. But based on code reviews, security experts already believe that Flame was commissioned by whomever ordered Stuxnet, although it was apparently built by a different group of developers.
Why are the revelations over who commissioned the Stuxnet program coming to light now, given that the virus was discovered back in June 2010? "Obama wanted to get credit for Stuxnet as that makes him look tough against Iran. And he needs that as Presidential elections are coming," tweeted Mikko Hypponen, chief research officer at F-Secure.
Furthermore, Stuxnet has arguably already served its purpose. "Stuxnet is old news. Even the recently discovered (and much hyped) Flame malware isn't an effective weapon today," said Graham Cluley, senior technology consultant at Sophos, in a blog post.
But for every Stuxnet, Flame, or Duqu, how many other pieces of espionage malware are now in circulation? "There seems little doubt that state-sponsored cyber-weapons (if that is indeed what Stuxnet was) continue to be developed--and chances are that it's not just the U.S.A. and Israel who are developing them, but other developed countries," Cluley said.
Hacktivist and cybercriminal threats concern IT teams most, our first Federal Government Cybersecurity Survey reveals. Here's how they're fighting back. Also in the new, all-digital Top Federal IT Threats issue of InformationWeek Government: Why federal efforts to cut IT costs don't go far enough, and how the State Department is enhancing security. (Free registration required.)