
Konstantinos Fouzas
Taking inspiration from recent US bombings on Iran’s nuclear sites, I remembered the early days of cyberwarfare in the region. You all know Stuxnet and how the US and Israel, in a coordinated effort, tried to end Iran’s nuclear program once and for all. Spoiler alert: they didn’t. To be fair, Stuxnet managed to successfully destroy roughly one-fifth of Iran’s nuclear centrifuges. But what if it had failed? Or what if Israel didn’t like the outcome and decided to strike the Iranian nuclear sites? Iran would probably respond with full-scale military operations, resulting in yet another war in the Middle East. So, the US had to ensure victory (beforehand of course!). And as such, Operation “Nitro Zeus” was born!
An anonymous National Security Agency source speaking in the documentary film “Zero Days” stated that Stuxnet was a back-alley operation in comparison to Nitro Zeus. But first, let’s analyze the geopolitical situation during that period. Iran’s nuclear program was initiated in the 50s, by the US, as part of the “Atoms for Peace” program. It was expanded during the 70s and presumably came to a halt in 1979 because of the Iranian Revolution. But it was secretly resumed during the Iran-Iraq War in the 1980s, with assistance from China, Russia and Pakistan. From 2003 to 2009, some of these sites were exposed and became public. Western leaders opposed Iran, and confidence in the country’s transparency eroded further. In 2010, Israel, as reported by many journalistic sources, was ready to unleash a full-scale military operation, since its doctrine states that any existential threat to Israel must be eliminated before it can operate. But then Stuxnet happened. A computer worm that infected 30,000 computers across 14 nuclear or nuclear-related facilities, installed via USB thumb drives, stalled and delayed Iran’s nuclear program for months. That incident prevented Israel from launching a kinetic attack against Iran at the time, mitigating the risk of an all-out war in the area.
Stuxnet was presented by Western media as a huge success, even though two years later it was evident that Iran could produce bomb-grade uranium for a weapon in just a few months. But if Stuxnet failed, the US would possibly have to deal with a war. Benjamin Netanyahu would attack Iran and retaliatory actions would follow. So what the US did was create another operation in case Operation “Olympic Games” failed. Yes, Stuxnet was codenamed Operation Olympic Games. Now you know! You’re welcome!
President Obama wanted to have alternatives. Operation Nitro Zeus was an even bigger operation than Stuxnet. In military terms, it would be a strategic-level operation, as opposed to Stuxnet, which was an operational-level one. Two prerequisites had to be met to trigger this operation: first, Stuxnet had to fail, and second, diplomatic efforts with Iran had to fail.
Operation Nitro Zeus was a coordinated attack effort. The cyber part consisted of backdoor implants placed in Iranian systems. These hosts were part of air defense complexes, transportation systems and communications systems. Thousands of insiders would be used to place these malicious executable files inside computers, preparing the battlefield. The end goal was for the US to take control of the Iranian Command and Control systems by exploiting these implanted backdoors right after the war began. The US Cyber Command would then disable Iran’s air defense systems, and fighter jets could easily destroy their targets. Civilians would also be affected, since this was a cross-sector cyber-attack. This operation was never executed. It was thoroughly planned, but in the end shelved.
Many cybersecurity experts believe this was a bit overblown, while others speak of the most devastating cyber operation in history. The truth is that cyber operations of this scale are not easily carried out. The paper “Cyber in War: Assessing the Strategic, Tactical and Operational Utility of Military Cyber Operations”, presented at the 12th International Conference on Cyber Conflict, explains why the strategic utility of military cyber operations is limited. The first issue is that they are target dependent. Malware living in the infected hosts must be untraceable and tailored to the specific system’s configuration. And of course, it must not be deleted by any new updates while waiting to be triggered (in many cases, after years). Also, the logistical effort required in such operations is huge. Keeping track of critical infrastructure and C2 systems is vital. In addition, the main tactic used for an initial foothold in a network is social engineering, which can be time-consuming and most of the time ineffective, since OT networks are often air-gapped. And finally, the damage caused by cyber-attacks is not permanent. In most cases, it is temporary and reversible. Thus, additional resources need to be spent continuously to shut down a nation permanently.
Even though this plan was never executed and war never broke out, Iran slowed its uranium enrichment activities during nuclear negotiations in late 2010 – early 2011. It is frightening to consider how far the US could have gone in its cyberwarfare efforts to limit Iran’s nuclear capabilities. Fourteen years later though, as we know, the US Air Force used “bunker buster” bombs carried by B-2 Stealth bombers to inflict damage on the Fordow Uranium Enrichment Plant, the Natanz Nuclear Facility and the Isfahan Nuclear Technology Center, in an attempt to stop Iran’s nuclear program once again. So as far as I’m concerned, we’ve not seen the bottom of the barrel yet.
References
Cyber in War: Assessing the Strategic, Tactical and Operational Utility of Military Cyber Operations, 12th International Conference on Cyber Conflict, 2020, NATO CCDCOE
The US could have destroyed Iran’s entire infrastructure without dropping a single bomb, Business Insider, 2016
U.S. Had Cyberattack Plan if Iran Nuclear Dispute Led to Conflict, The New York Times, 2016
Warning about US attempts to Attack Iran via Cyberspace, Middle East Institute, 2017
Zero Days, Documentary, Alex Gibney