Tag Archives: Stuxnet

The Kangaroo Infiltration

On June 22nd 2017, WikiLeaks published documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives…

The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects a Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.

Excerpts from Brutal Kangaroo Press Release Wikileaks, June 22, 2017

CyberWeapons: the Regin Malware

Malware Statistics

An advanced piece of malware, newly uncovered, has been in use since as early as 2008 to spy on governments, companies and individuals, Symantec said in a report .  The Regin cyberespionage tool uses several stealth features to avoid detection, a characteristic that required a significant investment of time and resources and that suggests it’s the product of a nation-state, Symantec warned, without hazarding a guess about which country might be behind it. The malware’s design makes it highly suited for long-term mass surveillance, according to the maker of antivirus software…

The highly customizable nature of Regin, which Symantec labeled a “top-tier espionage tool,” allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse’s point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases….

The malware’s targets are geographically diverse, Symantec said, observing more than half of the infections in Russia and Saudi Arabia. Among the other countries targeted are Ireland, Mexico and India. [ Regin have been identified also in Afghanistan, Algeria, Belgium, Brazil, Fiji, Germany,Indonesia, Iran, Kiribati, Malaysia, Pakistan, Syria]

Regin is composed of five attack stages that are hidden and encrypted, with the exception of the first stage, which begins a domino chain of decrypting and executing the next stage. Each individual stage contains little information about malware’s structure. All five stages had to be acquired to analyze the threat posed by the malware.  The multistage architecture of Regin, Symantec said, is reminiscent of Stuxnet, a sophisticated computer virus discovered attacking a nuclear enrichment facility in Iran in 2010, and Duqu, which has identical code to Stuxnet but which appeared designed for cyber espionage instead of sabotage.  Symantec said it believes that many components of Regin remain undiscovered and that additional functionality and versions may exist.  “Regin uses a modular approach,” Symantec said, “giving flexibility to the threat operators as they can load custom features tailored to individual targets when required.”

Excerpt from Steven Musil Stealthy Regin malware is a ‘top-tier espionage tool’, CNET, Nov. 23, 2014

See also White paper Karspersky Lab 

The Secret Bugs: Exploits

computer code

Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal”.

Just a dozen years ago the buying and selling of illicit exploits was so rare that India’s Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country’s computer systems, worries Colonel John Adams, head of the Marine Corps’ Intelligence Integration Division in Quantico, Virginia.

Exploits themselves are generally legal. Several legitimate businesses sell them. A Massachusetts firm called Netragard last year sold more than 50 exploits to businesses and government agencies in America for prices ranging from $20,000 to more than $250,000. Adriel Desautels, Netragard’s founder, describes some of the exploits sold as “weaponised”. The firm buys a lot from three dozen independent hackers who, like clients, are carefully screened to make sure they are not selling code to anyone else, and especially not to a criminal group or unfriendly government.

More than half of exploits sold are now bought from bona fide firms rather than from freelance hackers, says Roy Lindelauf, a researcher at the Netherlands Defence Academy. He declines to say if Dutch army or intelligence agencies buy exploits, noting that his government is still figuring out “what we’re allowed to do offensively”.Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

Exploits are a form of knowledge, expressed in computer code. Attempting to stop people from generating and spreading knowledge is futile, says Dave Aitel, a former computer scientist at America’s National Security Agency (NSA) who went on to found Immunity, a computer-security firm in Florida. He says that legal systems would not even agree on which code is good and which is bad. Many legal experts say code should be protected by free-speech laws—it is, after all, language expressed as strings of zeros and ones.

Moreover, tracking down exploits is hard. Hackers keep them secret so that the intended victim doesn’t identify and fix the vulnerability, thereby rendering the exploit worthless. As a French exploit developer puts it, those liable to be rapidly detected are about as useful as a “disposable gun” that can be fired just once. Secrecy surrounding the design, sale and use of exploits makes protecting computer networks from them akin to finding “unknown unknowns”, says Kenneth Geers, a cyber-security specialist at America’s Naval Criminal Investigative Service.

Several governments want firms to develop exploits. In 2010 a computer worm called Stuxnet was revealed to have attacked Iran’s nuclear kit. It used four main exploits to get in; at least one appears to have been bought rather than developed in-house by the government that launched the attack (presumably America or Israel), says David Lindahl, an IT expert at the Swedish Defence Research Agency, a government body in Stockholm. An unprecedented weapon, Stuxnet remained undetected for years by quietly erasing its tracks after “planting sabotage charges at exactly the right place” in Iran’s uranium-enrichment centrifuges, Mr Lindahl says.

Nearly all well-financed intelligence agencies buy exploits, says Eric Filiol, a lieutenant-colonel in computer intelligence for France’s army until 2009. Computer experts who years ago would reveal software vulnerabilities for mere prestige have realised that they were treating “diamonds as pebbles”, says Mr Filiol, now head of the Operational Cryptography and Computer Virology Lab in Laval. His lab is partly financed by France’s defence ministry to provide it with exploits.

The price of exploits has risen more than fivefold since 2004, Mr Filiol says, referring to a confidential document. They vary greatly, depending on three main factors: how hard the exploit is to develop; the number of computers to which it provides access; and the value of those computers. An exploit that can stealthily provide administrator privileges to a distant computer running Windows XP, a no-longer-fashionable operating system, costs only about $40,000. An exploit for Internet Explorer, a popular browser, can cost as much as $500,000 (see chart).

Software firms also buy exploits to identify and repair vulnerabilities in their products before others take advantage of them. A small Vancouver firm called Tarsnap, for example, has paid 30 people who pointed out flaws in its encryption software for online PC backups. To develop better defences for its clients’ computer systems, HP, an American giant, has spent more than $7m since 2005 buying hundreds of “zero days”, as undiscovered exploits are also known in hacker slang. (Once discovered, an exploit’s days are numbered, literally: it becomes a “one day”, then a “two day”, and so on until the vulnerability it exploits is patched.)

Such “bug bounty” schemes, however, will struggle to compete with buyers who want to exploit rather than seal vulnerabilities. Tarsnap’s biggest payout was just $500. Last year Google offered Vupen, a French firm, $60,000 for an exploit that burrowed into its Chrome browser. Vupen’s boss, Chaouki Bekrar, balked, noting that he could get more elsewhere.

Other reputable customers, such as Western intelligence agencies, often pay higher prices. Mr Lindelauf reckons that America’s spies spend the most on exploits. Vupen and other exploit vendors decline to name their clients. However, brisk sales are partly driven by demand from defence contractors that see cyberspace as a “new battle domain”, says Matt Georgy, head of technology at Endgame, a Maryland firm that sells most of its best exploits for between $100,000 and $200,000. He laments a rise in sales by unscrupulous vendors to dangerous groups.

On March 12th the head of the Pentagon’s Cyber Command, General Keith Alexander, warned the Senate Armed Services Committee that state-sponsored groups are stepping up efforts to steal and destroy data using “cybertools” purchased in illicit online markets. As an American military-intelligence official points out, governments that buy exploits are “building the black market”, thereby bankrolling dangerous R&D. For this reason, governments appear increasingly keen to develop exploits in-house. Paulo Shakarian, a cyberwar expert at West Point, an American military academy, says China appears to be moving in this direction.

Developing exploits in-house reduces the risk that a double-dealing vendor will resell code meant to be exclusive. Even so, the trade isn’t likely to fade away. When developers work out a trick that gives them control over the targeted software, they like to yell out a celebratory “who’s your daddy?” notes Pierre Roberge, boss of Arc4dia, a Quebec firm that sells exploits to spy agencies. Exploit trading will continue as long as people pay big money for the opportunity to utter the same joke—this time at the expense of a victim who has been hacked.

Cyber-security: The digital arms trade, Economist, Mar. 30, 2013, at 65.

How to Tell a Secret and Keep it: United States, Iran and the Stuxnet Worm

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.  Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.  At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.  “Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.  Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.  These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that the Iranian military was prepared “to fight our enemies” in “cyberspace and Internet warfare.” But there has been scant evidence that it has begun to strike back.

The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the NATO-led air attack on Libya last year. But Olympic Games was of an entirely different type and sophistication.

It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups that have dissected the code, said at a symposium at Stanford University in April. Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.

A similar process is now under way to figure out the origins of another cyberweapon called Flame that was recently discovered to have attacked the computers of Iranian officials, sweeping up information from those machines. But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.

Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.

“We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.If Olympic Games failed, he told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.

The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation’s nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before.

Iran’s president, Mahmoud Ahmadinejad, took reporters on a tour of the plant and described grand ambitions to install upward of 50,000 centrifuges. For a country with only one nuclear power reactor — whose fuel comes from Russia — to say that it needed fuel for its civilian nuclear program seemed dubious to Bush administration officials. They feared that the fuel could be used in another way besides providing power: to create a stockpile that could later be enriched to bomb-grade material if the Iranians made a political decision to do so.  Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon. Several times, the administration reviewed military options and concluded that they would only further inflame a region already at war, and would have uncertain results.

For years the C.I.A. had introduced faulty parts and designs into Iran’s systems — even tinkering with imported power supplies so that they would blow up — but the sabotage had had relatively little effect. General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before.

The goal was to gain access to the Natanz plant’s industrial computer controls. That required leaping the electronic moat that cut the Natanz plant off from the Internet — called the air gap, because it physically separates the facility from the outside world. The computer code would invade the specialized computers that command the centrifuges.  The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted into the computers, which were made by the German company Siemens and an Iranian manufacturer, to map their operations. The idea was to draw the equivalent of an electrical blueprint of the Natanz plant, to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds. The connections were complex, and unless every circuit was understood, efforts to seize control of the centrifuges could fail.

Eventually the beacon would have to “phone home” — literally send a message back to the headquarters of the National Security Agency that would describe the structure and daily rhythms of the enrichment plant. Expectations for the plan were low; one participant said the goal was simply to “throw a little sand in the gears” and buy some time. Mr. Bush was skeptical, but lacking other options, he authorized the effort.  It took months for the beacons to do their work and report home, complete with maps of the electronic directories of the controllers and what amounted to blueprints of how they were connected to the centrifuges deep underground.  Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set to work developing the enormously complex computer worm that would become the attacker from within.  The unusually tight collaboration with Israel was driven by two imperatives. Israel’s Unit 8200, a part of its military, had technical expertise that rivaled the N.S.A.’s, and the Israelis had deep intelligence about operations at Natanz that would be vital to making the cyberattack a success. But American officials had another interest, to dissuade the Israelis from carrying out their own pre-emptive strike against the Iranian nuclear facilities. To do that, the Israelis would have to be convinced that the new line of attack was working. The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.

Soon the two countries had developed a complex worm that the Americans called “the bug.” But the bug needed to be tested. So, under enormous secrecy, the United States began building replicas of Iran’s P-1 centrifuges, an aging, unreliable design that Iran purchased from Abdul Qadeer Khan, the Pakistani nuclear chief who had begun selling fuel-making technology on the black market. Fortunately for the United States, it already owned some P-1s, thanks to the Libyan dictator, Col. Muammar el-Qaddafi.  When Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over the centrifuges he had bought from the Pakistani nuclear ring, and they were placed in storage at a weapons laboratory in Tennessee. The military and intelligence officials overseeing Olympic Games borrowed some for what they termed “destructive testing,” essentially building a virtual replica of Natanz, but spreading the test over several of the Energy Department’s national laboratories to keep even the most trusted nuclear workers from figuring out what was afoot.

Those first small-scale tests were surprisingly successful: the bug invaded the computers, lurking for days or weeks, before sending instructions to speed them up or slow them down so suddenly that their delicate parts, spinning at supersonic speeds, self-destructed. After several false starts, it worked. One day, toward the end of Mr. Bush’s term, the rubble of a centrifuge was spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to test against the real target: Iran’s underground enrichment plant.

“Previous cyberattacks had effects limited to other computers,” Michael V. Hayden, the former chief of the C.I.A., said, declining to describe what he knew of these attacks when he was in office. “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction,” rather than just slow another computer, or hack into it to steal data…  Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others — both spies and unwitting accomplices — with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”

In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later, more sophisticated methods were developed to deliver the malicious code.  The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians were mystified about the cause, according to intercepts that the United States later picked up. “The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence,” one of the architects of the early attack said.  The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally. “This may have been the most brilliant part of the code,” one American official said.

Later, word circulated through the International Atomic Energy Agency, the Vienna-based nuclear watchdog, that the Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.  “The intent was that the failures should make them feel they were stupid, which is what happened,” the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole “stands” that linked 164 machines, looking for signs of sabotage in all of them. “They overreacted,” one official said. “We soon discovered they fired people.”

Imagery recovered by nuclear inspectors from cameras at Natanz — which the nuclear agency uses to keep track of what happens between visits — showed the results. There was some evidence of wreckage, but it was clear that the Iranians had also carted away centrifuges that had previously appeared to be working well.  But by the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr. Obama in the White House days before his inauguration, Mr. Bush urged him to preserve two classified programs, Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush’s advice….

But the good luck did not last. In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other crucial players in Olympic Games — General Cartwright, the vice chairman of the Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A. — to break the news to Mr. Obama and Mr. Biden.

“I don’t think we have enough information,” Mr. Obama told the group that day, according to the officials. But in the meantime, he ordered that the cyberattacks continue. They were his best hope of disrupting the Iranian nuclear program unless economic sanctions began to bite harder and reduced Iran’s oil revenues.

American cyberattacks are not limited to Iran, but the focus of attention, as one administration official put it, “has been overwhelmingly on one country.” There is no reason to believe that will remain the case for long. Some officials question why the same techniques have not been used more aggressively against North Korea. Others see chances to disrupt Chinese military plans, forces in Syria on the way to suppress the uprising there, and Qaeda operations around the world. “We’ve considered a lot more attacks than we have gone ahead with,” one former intelligence official said….

Mr. Obama has repeatedly told his aides that there are risks to using — and particularly to overusing — the weapon. In fact, no country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.

DAVID E. SANGER,Obama Order Sped Up Wave of Cyberattacks Against Iran, New York Times, June 1, 2012

Sabotaging Iran’s Nuclear Program, quiet, cyber, with few fingerprints

Iran’s star-crossed nuclear and energy programs have suffered a rash of setbacks, mishaps and catastrophes in the past two years.  Assassins killed three scientists with links to Iran’s nuclear programs. The Stuxnet computer worm that infected computers worldwide zeroed in on a single target in Iran, devices that can make weapons-usable uranium.  Dozens of unexplained explosions hit the country’s gas pipelines. Iran’s first nuclear power plant suffered major equipment failures as technicians struggle to bring it online.  Has Iran just been unlucky? Probably not.  The chief of Iran’s Atomic Energy Organization, Fereidoun Abbasi, told journalists at a meeting in Vienna last week that the United States was supporting an Israeli assassination campaign against his scientists. His comments came almost a year after motorcyclists attached a bomb to the door of his car in Tehran. He and his wife barely escaped.  As for the three slayings, Iranian President Ahmadinejad told The Associated Press that the killers had been caught and confessed to being “trained in the occupied lands by the Zionists.” He accused the International Atomic Energy Agency of being under U.S. control and said the watchdog agency had “illegally and unethically” released the names of Iran’s nuclear researchers, making them targets.  While Israel and Britain won’t discuss Iran’s charges, the U.S. has denied any role in the slayings.  “We condemn any assassination or attack on a person — on an innocent person,” State Department spokeswoman Victoria Nuland said after the latest killing in July. “We were not involved.”Former U.S. officials point out that assassinations are outlawed by the U.S., which condones drone strikes against terrorists as acts of war against combatants.  Yet there is little doubt that the Obama administration is pursuing a program of high-tech sabotage to disrupt Tehran’s suspected weapons-related nuclear efforts.

“I have no doubt that the U.S. and other countries were behind industrial sabotage aimed at the program of concern,” said Mark Fitzpatrick, a former State Department official who’s now at the International Institute for Strategic Studies in London.  [F] ormer officials said, the U.S. and its allies have ramped up covert actions aimed at slowing Iran’s nuclear progress toward a bomb.  Ex-officials said the U.S. has been careful to target only those facilities suspected of playing a role in weapons work.   One former senior intelligence official said that the U.S. considered a scheme to use a burst of electromagnetic energy to knock out power to one suspected Iranian weapons-related site but rejected the plan because of the risk of causing a widespread power outage. The former official would only speak about classified matters on condition of anonymity.

The suspected sabotage campaign is widely seen as an alternative to military confrontation with Iran, which some experts say could have disastrous consequences for the Middle East.A 2010 U.S. diplomatic memorandum published by the anti-secrecy group WikiLeaks quoted a German government official as saying that a program of “covert sabotage” against Iran, including explosions, computer hacking and engineered accidents, “would be more effective than a military strike whose effects in the region could be devastating.”The memo did not cite any specifics.  While the fact is rarely discussed, the U.S. may be the world’s leader in high-tech industrial sabotage.

According to an official CIA history, the Reagan administration was convinced that the Soviet Union was engaged in the wholesale theft of Western technological secrets. It arranged for the shipment of doctored computer chips, turbines and blueprints to the USSR that disrupted production at chemical plants and a tractor factory. When the KGB obtained plans for NASA’s Space Shuttle, the CIA said it made certain it was for a rejected design.  Thomas C. Reed, a member of the National Security Council in the Reagan administration, wrote in his 2004 book that during the Cold War the CIA tampered with the computer code embedded in Canadian components of a new trans-Siberian gas pipeline system. In 1982, a surge in pressure caused a three-megaton blast in the Siberian forest that was visible from space.

Washington has accused Tehran of sponsoring terrorist groups in Iraq, Syria and Lebanon, of sending arms to the Taliban in Afghanistan and aiding al-Qaida’s leadership in Pakistan. The U.S.-supported Iran Human Rights Documentation Center has said that Iranian intelligence agents have killed more than 160 expatriate political activists abroad.  “We’ve been in a contest with the Iranians now for 30 years, and this is just one phase of it,” said James Lewis, a former State Department official and an expert on technology and security. “The Iranians do things that appeal to them, and they are noisy and physical and explosive.”  The U.S., he said, has preferred quieter methods that leave few fingerprints. “If I was Iran, I would wonder if my stuff would work,” Lewis said.

The U.S. and its allies have avoided discussing the suspected sabotage campaign publicly. At least until recently, Iran has seldom raised the issue and even then has provided few details.  For both sides, the most sensitive issue is the question of who is killing Iran’s nuclear scientists.  Reuel Marc Gerecht, a former CIA officer now at the Foundation for the Defense of Democracies think tank, said a faction within Iran’s government might have ordered the assassinations. He said one researcher supported Iran’s persecuted opposition, while the others may have been suspected of spying for the West.  Other former officials and diplomats said the killings appear to be an effort by Iran’s adversaries to disrupt its nuclear weapons-related work….”If the state and progress of the Iranian nuclear program depends on what is walking around inside the heads of one or two key officials, then we’ve got a lot less to worry about this program than most of the discourse would lead us to believe,” said Paul Pillar, a former CIA national intelligence officer for the Near East and South Asia.

Former officials and experts generally agree that the Stuxnet worm was an effort to sabotage Iran’s uranium enrichment centrifuges, which can be used to make fuel for reactors or weapons-usable material for atomic bombs. Western experts estimate that the malware destroyed 1,000 centrifuges at Iran’s Natanz plant last year.  Some former U.S. officials said that Israel’s Unit 8200, the Defense Force’s electronic intelligence service, probably led the development of Stuxnet, with the help of the U.S. and perhaps other nations. Others said they suspected the U.S. was the chief developer of what has been called the world’s first cyberweapon of mass destruction.

German Stuxnet expert Ralph Langner said in a speech this spring that such advanced software must have been created by what he called a cybersuperpower. “There is only one,” said Langner. “And that is the United States.”  Art Keller, a retired CIA officer who worked in the Middle East and South Asia, said Stuxnet’s self-destruct mechanism, its painstaking focus on a single target and other fail-safe features all suggest the program was screened by U.S. government lawyers concerned about limiting collateral damage.  “These are all the hallmarks of a U.S. covert action,” he said.

Insiders are divided on whether the West has conducted sabotage operations against Iran’s oil and gas pipeline networks.

DOUGLAS BIRCH, Iran’s nuclear setbacks: More than just bad luck?, Associated Press, Sept. 24, 2011