Tag Archives: cyberwar

The Nightmare of Keeping the Lights On

Some 330 million Americans rely on the nation’s critical infrastructure to keep the country humming. Disruptions to electrical grids, communications systems, and supply chains can be catastrophic, yet all of these are vulnerable to cyberattack. According to the government’s 2019 World Wide Threats Hearing, certain adversaries are capable of launching cyberattacks that can disrupt the nation’s critical infrastructure – including electrical distribution networks.

In recognition of the disruptions cyberattacks can cause, DARPA in 2016 established the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program. The goal of RADICS has been to enable black-start recovery during a cyberattack. Black start is the process of restoring power to an electric substation or part of the grid that has experienced a total or partial shutdown without relying on an external power transmission network to get things back online…

“Cyberattacks on the grid can essentially do two things – make the grid not tell you the truth, and make the grid operate in an unexpected way,” said Walter Weiss, the program manager responsible for RADICS. “For example, the grid could show you that a substation has power when in reality it does not. This could unintentionally prevent power restoration to an entire area since no one thinks there is a need to bring power back online. The technologies developed under RADICS help provide ground truth around grid status, giving responders the ability to quickly detect anomalies and then chart a path towards recovery.”…

 The RADICS testbed is comprised of miniaturized substations that were designed to operate as they do in the real world, but with safeguards to protect the system and those operating the substations. The substations are connected via power lines, forming a multi-utility crank path. With a crank path, power is generated to black start one utility that then powers the next utility and the next until the grid is fully restored.

DARPA substation, Plum island NY

Technologies to Rapidly Restore the Electrical Grid after Cyberattack Come Online, DARPA Website, Feb. 23, 2021

Who is the Boss? Cyber-War

A new National Cyber Power Index by the Belfer Centre at Harvard University ranks 30 countries on their level of ambition and capability…That America stands at the top of the list is not surprising. Its cyber-security budget for fiscal year 2020 stood at over $17bn and the National Security Agency (NSA) probably gets well over $10bn. The awesome scale of America’s digital espionage was laid bare in leaks by Edward Snowden, a former NSA contractor, in 2013, which showed the agency hoovering up vast amounts of the world’s internet traffic and trying to weaken encryption standards.

China, in second place, has demonstrated a voracious appetite for commercial cyber-espionage abroad and an iron grip on the internet at home. Britain, whose National Cyber Security Centre has parried over 1,800 cyber-attacks since its creation in 2016, is third. Russia, whose spies interfered with America’s last election, is in fourth place. The big surprise is the Netherlands in fifth place, ahead of France, Germany and Canada. Dutch expertise in analyzing malware is particularly sharp…

Many countries outsource the dirtiest work to deniable proxies, like “hacktivists” and criminals….But while stealing things and disrupting networks is important, what matters most over the longer term is control of digital infrastructure, such as the hardware that runs mobile telecommunications and key apps. Dominance there will be crucial to economic strength and national security.

Excerpt from Digital dominance: A new global ranking of cyber-power throws up some surprises, Economist, Sept. 19, 2020

The Brutal Kangaroos

On June 22nd 2017, WikiLeaks published documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives…

The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects a Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.

Excerpts from Brutal Kangaroo Press Release Wikileaks, June 22, 2017

Firing Back with Vengeance: the NSA Weapons

The strike on IDT, a conglomerate,… was similar to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to unlock it.  But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines….Were it not for a digital black box that recorded everything on IDT’s network, …the attack might have gone unnoticed.

Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same N.S.A. weapons. Mr. Ben-Oni and other security researchers worry that many of those other infected computers are connected to transportation networks, hospitals, water treatment plants and other utilities…

Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The tool took advantage of unpatched Microsoft servers to automatically spread malware from one server to another, so that within 24 hours… hackers had spread their ransomware to more than 200,000 servers around the globe. The attack on IDT went a step further with another stolen N.S.A. cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed N.S.A. spies to inject their tools into the nerve center of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.

In the pecking order of a computer system, the kernel is at the very top, allowing anyone with secret access to it to take full control of a machine. It is also a dangerous blind spot for most security software, allowing attackers to do what they want and go unnoticed. In IDT’s case, attackers used DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses…

But the attack struck Mr. Ben-Oni as unique. For one thing, it was timed perfectly to the Sabbath. Attackers entered IDT’s network at 6 p.m. on Saturday on the dot, two and a half hours before the Sabbath would end and when most of IDT’s employees — 40 percent of whom identify as Orthodox Jews — would be off the clock. For another, the attackers compromised the contractor’s computer through her home modem — strange.

The black box of sorts, a network recording device made by the Israeli security company Secdo, shows that the ransomware was installed after the attackers had made off with the contractor’s credentials. And they managed to bypass every major security detection mechanism along the way. Finally, before they left, they encrypted her computer with ransomware, demanding $130 to unlock it, to cover up the more invasive attack on her computer.

A month earlier, Microsoft had issued a software patch to defend against the N.S.A. hacking tools — suggesting that the agency tipped the company off to what was coming. Microsoft regularly credits those who point out vulnerabilities in its products, but in this case the company made no mention of the tipster. Later, when the WannaCry attack hit hundreds of thousands of Microsoft customers, Microsoft’s president, Brad Smith, slammed the government in a blog post for hoarding and stockpiling security vulnerabilities.  For his part, Mr. Ben-Oni said he had rolled out Microsoft’s patches as soon as they became available, but attackers still managed to get in through the IDT contractor’s home modem.

There are now YouTube videos showing criminals how to attack systems using the very same N.S.A. tools used against IDT, and Metasploit, an automated hacking tool, now allows anyone to carry out these attacks with the click of a button….

“Once DoublePulsar is on the machine, there’s nothing stopping anyone else from coming along and using the back door,” Mr. Dillon said.More distressing, Mr. Dillon tested all the major antivirus products against the DoublePulsar infection and a demoralizing 99 percent failed to detect it.  “We’ve seen the same computers infected with DoublePulsar for two months and there is no telling how much malware is on those systems,” Mr. Dillon said. “Right now we have no idea what’s gotten into these organizations.”..

Could that attack be coming? The Shadow Brokers resurfaced last month, promising a fresh load of N.S.A. attack tools, even offering to supply them for monthly paying subscribers — like a wine-of-the-month club for cyberweapon enthusiasts.

Excerpts from NICOLE PERLROTHJUNE, A Cyberattack ‘the World Isn’t Ready For’,  New York Times, June 20, 2017

Iran Wants to Be North Korea: nuclear weapons

The US tried to deploy a version of the Stuxnet computer virus to attack North Korea’s nuclear weapons programme five years  (2010) ago but ultimately failed, according to people familiar with the covert campaign.  The operation began in tandem with the now-famous Stuxnet attack that sabotaged Iran’s nuclear programme in 2009 and 2010 by destroying a thousand or more centrifuges that were enriching uraniumc. Reuters and others have reported that the Iran attack was a joint effort by US and Israeli forces.

According to one US intelligence source, Stuxnet’s developers produced a related virus that would be activated when it encountered Korean-language settings on an infected machine…But the National Security Agency-led campaign was stymied by North Korea’s utter secrecy, as well as the extreme isolation of its communications systems...North Korea has some of the most isolated communications networks in the world. Just owning a computer requires police permission, and the open internet is unknown except to a tiny elite. The country has one main conduit for internet connections to the outside world, through China.  In contrast, Iranians surfed the net broadly and had interactions with companies from around the globe.

The US has launched many cyber espionage campaigns, but North Korea is only the second country, after Iran, that the NSA is now known to have targeted with software designed to destroy equipment.

Experts in nuclear programmes said there were similarities between North Korea and Iran’s operations, and the two countries continue to collaborate on military technology. Both countries use a system with P-2 centrifuges, obtained by Pakistani nuclear scientist AQ Khan, who is regarded as the father of Islamabad’s nuclear bomb, they said. Like Iran, North Korea probably directs its centrifuges with control software developed by Siemens AG that runs on Microsoft Corp’s Windows operating system, the experts said. Stuxnet took advantage of vulnerabilities in both the Siemens and Microsoft programmes…

Despite modest differences between the programmes, “Stuxnet can deal with both of them. But you still need to get it in,” said Olli Heinonen, senior fellow at Harvard University’s Belfer Center for Science and International Affairs and former deputy director general of the International Atomic Energy Agency…

The Stuxnet campaign against Iran, code-named Olympic Games, was discovered in 2010. It remains unclear how the virus was introduced to the Iranian nuclear facility in Natanz, which was not connected to the Internet.,,,According to cybersecurity experts, Stuxnet was found inside industrial companies in Iran that were tied to the nuclear effort. As for how Stuxnet got there, a leading theory is that it was deposited by a sophisticated espionage programme developed by a team closely allied to Stuxnet’s authors, dubbed the Equation Group by researchers at Kaspersky Lab…

In addition, North Korea likely has plutonium, which does not require a cumbersome enrichment process depending on the cascading centrifuges that were a fat target for Stuxnet, they said.

Excerpts from NSA tried Stuxnet cyber-attack on North Korea five years ago but failed, Reuters, May 29, 2015

Cyber-Attacks on South Korea 2009-2013

The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded. The study by the firm McAfee  (Dissecting Operation Troy: Cyberespionage in South Korea) stopped short of blaming specific entities for the March 20 onslaught but said it found a pattern of sophisticated attacks, including efforts to wipe away traces that could lead to detection.  “The level of sophistication would indicate it is above and beyond your average individual or run-of-the mill hacktivism group,” said James Walter, a McAfee researcher and co-author of the study.

An official South Korean investigation in April determined North Korea’s military intelligence agency was responsible for the attacks which shut down the networks of TV broadcasters KBS, MBC and YTN, halted financial services and crippled operations at three banks….

But McAfee said the attacks represented only a small portion of the cyber campaign being carried out since 2009.  “One of the primary activities going on here is theft of intellectual property, data exfiltration, essentially stealing of secrets,” Walter said.  The report said the attacks, known first as Dark Seoul and now as Operation Troy were “more than cybervandalism… South Korean targets were actually the conclusion of a covert espionage campaign.”  McAfee concluded that two groups claiming responsibility for the attack were not credible.  “The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source,” the report said.

Walter said that it is possible that with the campaign nearing detection, the hackers launched these attacks to distract the public and then sought to blame them on little-known entities, the NewRomanic Cyber Army Team, and the Whois Hacking Team.  He added that up to now, the cyber espionage effort “has been very successful in being under the radar” and that “what we see now was a more visible activity that is coupled with a distraction campaign.”

McAfee concluded that the remote-access Trojan was compiled January 26, and a component to wipe the records of numerous systems was compiled January 31.”The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools,” the report said.  “Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009… We call this Operation Troy, based on the frequent use of the word ‘Troy’ in the compile path strings in the malware.”  McAfee carried out the study as part of its research into cybersecurity issues, Walter said.

The attack came days after North Korea had accused South Korea and the United States of being behind a “persistent and intensive” hacking assault that temporarily took a number of its official websites offline.  It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang’s nuclear test in February.

South Korean cyber attacks tip of the iceberg: McAfee, Associated Press, Agence France Press, July 10, 2013

The Secret Bugs: Exploits

Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal”.

Just a dozen years ago the buying and selling of illicit exploits was so rare that India’s Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country’s computer systems, worries Colonel John Adams, head of the Marine Corps’ Intelligence Integration Division in Quantico, Virginia.

Exploits themselves are generally legal. Several legitimate businesses sell them. A Massachusetts firm called Netragard last year sold more than 50 exploits to businesses and government agencies in America for prices ranging from $20,000 to more than $250,000. Adriel Desautels, Netragard’s founder, describes some of the exploits sold as “weaponised”. The firm buys a lot from three dozen independent hackers who, like clients, are carefully screened to make sure they are not selling code to anyone else, and especially not to a criminal group or unfriendly government.

More than half of exploits sold are now bought from bona fide firms rather than from freelance hackers, says Roy Lindelauf, a researcher at the Netherlands Defence Academy. He declines to say if Dutch army or intelligence agencies buy exploits, noting that his government is still figuring out “what we’re allowed to do offensively”.Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

Exploits are a form of knowledge, expressed in computer code. Attempting to stop people from generating and spreading knowledge is futile, says Dave Aitel, a former computer scientist at America’s National Security Agency (NSA) who went on to found Immunity, a computer-security firm in Florida. He says that legal systems would not even agree on which code is good and which is bad. Many legal experts say code should be protected by free-speech laws—it is, after all, language expressed as strings of zeros and ones.

Moreover, tracking down exploits is hard. Hackers keep them secret so that the intended victim doesn’t identify and fix the vulnerability, thereby rendering the exploit worthless. As a French exploit developer puts it, those liable to be rapidly detected are about as useful as a “disposable gun” that can be fired just once. Secrecy surrounding the design, sale and use of exploits makes protecting computer networks from them akin to finding “unknown unknowns”, says Kenneth Geers, a cyber-security specialist at America’s Naval Criminal Investigative Service.

Several governments want firms to develop exploits. In 2010 a computer worm called Stuxnet was revealed to have attacked Iran’s nuclear kit. It used four main exploits to get in; at least one appears to have been bought rather than developed in-house by the government that launched the attack (presumably America or Israel), says David Lindahl, an IT expert at the Swedish Defence Research Agency, a government body in Stockholm. An unprecedented weapon, Stuxnet remained undetected for years by quietly erasing its tracks after “planting sabotage charges at exactly the right place” in Iran’s uranium-enrichment centrifuges, Mr Lindahl says.

Nearly all well-financed intelligence agencies buy exploits, says Eric Filiol, a lieutenant-colonel in computer intelligence for France’s army until 2009. Computer experts who years ago would reveal software vulnerabilities for mere prestige have realised that they were treating “diamonds as pebbles”, says Mr Filiol, now head of the Operational Cryptography and Computer Virology Lab in Laval. His lab is partly financed by France’s defence ministry to provide it with exploits.

The price of exploits has risen more than fivefold since 2004, Mr Filiol says, referring to a confidential document. They vary greatly, depending on three main factors: how hard the exploit is to develop; the number of computers to which it provides access; and the value of those computers. An exploit that can stealthily provide administrator privileges to a distant computer running Windows XP, a no-longer-fashionable operating system, costs only about $40,000. An exploit for Internet Explorer, a popular browser, can cost as much as $500,000 (see chart).

Software firms also buy exploits to identify and repair vulnerabilities in their products before others take advantage of them. A small Vancouver firm called Tarsnap, for example, has paid 30 people who pointed out flaws in its encryption software for online PC backups. To develop better defences for its clients’ computer systems, HP, an American giant, has spent more than $7m since 2005 buying hundreds of “zero days”, as undiscovered exploits are also known in hacker slang. (Once discovered, an exploit’s days are numbered, literally: it becomes a “one day”, then a “two day”, and so on until the vulnerability it exploits is patched.)

Such “bug bounty” schemes, however, will struggle to compete with buyers who want to exploit rather than seal vulnerabilities. Tarsnap’s biggest payout was just $500. Last year Google offered Vupen, a French firm, $60,000 for an exploit that burrowed into its Chrome browser. Vupen’s boss, Chaouki Bekrar, balked, noting that he could get more elsewhere.

Other reputable customers, such as Western intelligence agencies, often pay higher prices. Mr Lindelauf reckons that America’s spies spend the most on exploits. Vupen and other exploit vendors decline to name their clients. However, brisk sales are partly driven by demand from defence contractors that see cyberspace as a “new battle domain”, says Matt Georgy, head of technology at Endgame, a Maryland firm that sells most of its best exploits for between $100,000 and $200,000. He laments a rise in sales by unscrupulous vendors to dangerous groups.

On March 12th the head of the Pentagon’s Cyber Command, General Keith Alexander, warned the Senate Armed Services Committee that state-sponsored groups are stepping up efforts to steal and destroy data using “cybertools” purchased in illicit online markets. As an American military-intelligence official points out, governments that buy exploits are “building the black market”, thereby bankrolling dangerous R&D. For this reason, governments appear increasingly keen to develop exploits in-house. Paulo Shakarian, a cyberwar expert at West Point, an American military academy, says China appears to be moving in this direction.

Developing exploits in-house reduces the risk that a double-dealing vendor will resell code meant to be exclusive. Even so, the trade isn’t likely to fade away. When developers work out a trick that gives them control over the targeted software, they like to yell out a celebratory “who’s your daddy?” notes Pierre Roberge, boss of Arc4dia, a Quebec firm that sells exploits to spy agencies. Exploit trading will continue as long as people pay big money for the opportunity to utter the same joke—this time at the expense of a victim who has been hacked.

Cyber-security: The digital arms trade, Economist, Mar. 30, 2013, at 65.

Cyberwar: Attacking the Pipelines

The vast U.S. network of natural gas and hazardous liquid pipelines is integral to U.S. energy supply and has vital links to other critical infrastructure. While an efficient and fundamentally safe means of transport, this network is vulnerable to cyber attacks. In particular, cyberinfiltration of supervisory control and data acquisition (SCADA) systems could allow successful “hackers” to disrupt pipeline service and cause spills, explosions, or fires—all from remote locations.

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. These intrusions have heightened congressional concern about cybersecurity in the U.S. pipelines sector. The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations, if necessary, but the agency has not issued such regulations. TSA officials assert that security regulations could be counterproductive because they could establish a general standard below the level of security already in place for many pipelines…. While the pipelines sector has many cybersecurity issues in common with other critical infrastructure sectors, it is somewhat distinct in several ways:

• Pipelines in the United States have been the target of several confirmed terrorist plots and attempted physical attacks since September 11, 2001.

• Changes to pipeline computer networks over the past 20 years, more sophisticated hackers, and the emergence of specialized malicious software have made pipeline SCADA operations increasingly vulnerable to cyber attacks.

• There recently has been a coordinated series of cyber intrusions specifically targeting U.S. pipeline computer systems.

• TSA already has statutory authority to issue cybersecurity regulations for pipelines if the agency chooses to do so, but it may not have the resources to develop, implement, and enforce such regulations if they are mandated….

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. The incidents drew new attention to an Al Qaeda video obtained in 2011 by the Federal Bureau of Investigation (FBI) reportedly calling for “electronic jihad” against U.S. critical infrastructure.  These cybersecurity events coupled with serious consequences from recent pipeline accidents have heightened congressional concern about cybersecurity measures in the U.S. pipelines sector.

Excerpt, Paul W. Parfomak, Pipeline Cybersecurity: Federal Policy, CRS Report for Congress, Aug. 16, 2012

US Cyberattacks against Enemies: Afghanistan

The U.S. military has been launching cyberattacks against its opponents in Afghanistan, a senior officer says, making an unusually explicit acknowledgment of the oft-hidden world of electronic warfare.  Marine Lt. Gen. Richard P. Mills’ comments came last week at a conference in Baltimore during which he explained how U.S. commanders considered cyber weapons an important part of their arsenal.  “I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact,” Mills said. “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”

Mills, now a deputy commandant with the Marine Corps, was in charge of international forces in southwestern Afghanistan between 2010 and 2011, according to his official biography. He didn’t go into any further detail as to the nature or scope of his forces’ attacks, but experts said that such a public admission that they were being carried out was itself striking.  “This is news,” said James Lewis, a cyber-security analyst with the Washington-based Center for Strategic and International Studies. He said that while it was generally known in defense circles that cyberattacks had been carried out by U.S. forces in Afghanistan, he had never seen a senior officer take credit for them in such a way.  “It’s not secret,” Lewis said in a telephone interview, but he added: “I haven’t seen as explicit a statement on this as the one” Mills made.  The Pentagon did not immediately respond to an email seeking comment on Mills’ speech.

U.S. defense planners have spent the past few years wondering aloud about how and under what circumstances the Pentagon would launch a cyber attack against its enemies, but it’s only recently become apparent that a sophisticated program of U.S.-backed cyberattacks is already under way.  A book by The New York Times reporter David Sanger recently recounted how President Barack Obama ordered a wave of electronic incursions aimed at physically sabotaging Iran’s disputed atomic energy program. Subsequent reports have linked the program to a virus dubbed Flame, which prompted a temporary Internet blackout across Iran’s oil industry in April, and another virus called Gauss, which appeared to have been aimed at stealing information from customers of Lebanese banks. An earlier report alleged that U.S. forces in Iraq had hacked into a terrorist group’s computer there to lure its members into an ambush.

Herbert Lin, a cyber expert at the National Research Council, agreed that Mills’ comments were unusual in terms of the fact that they were made publicly. But Lin said that the United States was, little by little, opening up about the fact that its military was launching attacks across the Internet.  “The U.S. military is starting to talk more and more in terms of what it’s doing and how it’s doing it,” he said. “A couple of years ago it was hard to get them to acknowledge that they were doing offense at all — even as a matter of policy, let alone in specific theaters or specific operations.”

Mills’ brief comments about cyberattacks in Afghanistan were delivered to the TechNet Land Forces East conference in Baltimore on Aug. 15, but they did not appear to have attracted much attention at the time. Footage of the speech was only recently posted to the Internet by conference organizers

Marine General: We Launched Cyberattacks Against Afghanistan, CBS News, Aug. 24, 2012

United States, Iran and the Stuxnet Worm

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.  Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.  At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.  “Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.  Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.  These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that the Iranian military was prepared “to fight our enemies” in “cyberspace and Internet warfare.” But there has been scant evidence that it has begun to strike back.

The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the NATO-led air attack on Libya last year. But Olympic Games was of an entirely different type and sophistication.

It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups that have dissected the code, said at a symposium at Stanford University in April. Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.

A similar process is now under way to figure out the origins of another cyberweapon called Flame that was recently discovered to have attacked the computers of Iranian officials, sweeping up information from those machines. But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.

Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.

“We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.If Olympic Games failed, he told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.

The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation’s nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before.

Iran’s president, Mahmoud Ahmadinejad, took reporters on a tour of the plant and described grand ambitions to install upward of 50,000 centrifuges. For a country with only one nuclear power reactor — whose fuel comes from Russia — to say that it needed fuel for its civilian nuclear program seemed dubious to Bush administration officials. They feared that the fuel could be used in another way besides providing power: to create a stockpile that could later be enriched to bomb-grade material if the Iranians made a political decision to do so.  Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon. Several times, the administration reviewed military options and concluded that they would only further inflame a region already at war, and would have uncertain results.

For years the C.I.A. had introduced faulty parts and designs into Iran’s systems — even tinkering with imported power supplies so that they would blow up — but the sabotage had had relatively little effect. General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before.

The goal was to gain access to the Natanz plant’s industrial computer controls. That required leaping the electronic moat that cut the Natanz plant off from the Internet — called the air gap, because it physically separates the facility from the outside world. The computer code would invade the specialized computers that command the centrifuges.  The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted into the computers, which were made by the German company Siemens and an Iranian manufacturer, to map their operations. The idea was to draw the equivalent of an electrical blueprint of the Natanz plant, to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds. The connections were complex, and unless every circuit was understood, efforts to seize control of the centrifuges could fail.

Eventually the beacon would have to “phone home” — literally send a message back to the headquarters of the National Security Agency that would describe the structure and daily rhythms of the enrichment plant. Expectations for the plan were low; one participant said the goal was simply to “throw a little sand in the gears” and buy some time. Mr. Bush was skeptical, but lacking other options, he authorized the effort.  It took months for the beacons to do their work and report home, complete with maps of the electronic directories of the controllers and what amounted to blueprints of how they were connected to the centrifuges deep underground.  Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set to work developing the enormously complex computer worm that would become the attacker from within.  The unusually tight collaboration with Israel was driven by two imperatives. Israel’s Unit 8200, a part of its military, had technical expertise that rivaled the N.S.A.’s, and the Israelis had deep intelligence about operations at Natanz that would be vital to making the cyberattack a success. But American officials had another interest, to dissuade the Israelis from carrying out their own pre-emptive strike against the Iranian nuclear facilities. To do that, the Israelis would have to be convinced that the new line of attack was working. The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.

Soon the two countries had developed a complex worm that the Americans called “the bug.” But the bug needed to be tested. So, under enormous secrecy, the United States began building replicas of Iran’s P-1 centrifuges, an aging, unreliable design that Iran purchased from Abdul Qadeer Khan, the Pakistani nuclear chief who had begun selling fuel-making technology on the black market. Fortunately for the United States, it already owned some P-1s, thanks to the Libyan dictator, Col. Muammar el-Qaddafi.  When Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over the centrifuges he had bought from the Pakistani nuclear ring, and they were placed in storage at a weapons laboratory in Tennessee. The military and intelligence officials overseeing Olympic Games borrowed some for what they termed “destructive testing,” essentially building a virtual replica of Natanz, but spreading the test over several of the Energy Department’s national laboratories to keep even the most trusted nuclear workers from figuring out what was afoot.

Those first small-scale tests were surprisingly successful: the bug invaded the computers, lurking for days or weeks, before sending instructions to speed them up or slow them down so suddenly that their delicate parts, spinning at supersonic speeds, self-destructed. After several false starts, it worked. One day, toward the end of Mr. Bush’s term, the rubble of a centrifuge was spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to test against the real target: Iran’s underground enrichment plant.

“Previous cyberattacks had effects limited to other computers,” Michael V. Hayden, the former chief of the C.I.A., said, declining to describe what he knew of these attacks when he was in office. “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction,” rather than just slow another computer, or hack into it to steal data…  Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others — both spies and unwitting accomplices — with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”

In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later, more sophisticated methods were developed to deliver the malicious code.  The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians were mystified about the cause, according to intercepts that the United States later picked up. “The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence,” one of the architects of the early attack said.  The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally. “This may have been the most brilliant part of the code,” one American official said.

Later, word circulated through the International Atomic Energy Agency, the Vienna-based nuclear watchdog, that the Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.  “The intent was that the failures should make them feel they were stupid, which is what happened,” the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole “stands” that linked 164 machines, looking for signs of sabotage in all of them. “They overreacted,” one official said. “We soon discovered they fired people.”

Imagery recovered by nuclear inspectors from cameras at Natanz — which the nuclear agency uses to keep track of what happens between visits — showed the results. There was some evidence of wreckage, but it was clear that the Iranians had also carted away centrifuges that had previously appeared to be working well.  But by the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr. Obama in the White House days before his inauguration, Mr. Bush urged him to preserve two classified programs, Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush’s advice….

But the good luck did not last. In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other crucial players in Olympic Games — General Cartwright, the vice chairman of the Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A. — to break the news to Mr. Obama and Mr. Biden.

“I don’t think we have enough information,” Mr. Obama told the group that day, according to the officials. But in the meantime, he ordered that the cyberattacks continue. They were his best hope of disrupting the Iranian nuclear program unless economic sanctions began to bite harder and reduced Iran’s oil revenues.

American cyberattacks are not limited to Iran, but the focus of attention, as one administration official put it, “has been overwhelmingly on one country.” There is no reason to believe that will remain the case for long. Some officials question why the same techniques have not been used more aggressively against North Korea. Others see chances to disrupt Chinese military plans, forces in Syria on the way to suppress the uprising there, and Qaeda operations around the world. “We’ve considered a lot more attacks than we have gone ahead with,” one former intelligence official said….

Mr. Obama has repeatedly told his aides that there are risks to using — and particularly to overusing — the weapon. In fact, no country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.

DAVID E. SANGER,Obama Order Sped Up Wave of Cyberattacks Against Iran, New York Times, June 1, 2012