Christopher Dickey, R. M. Schneiderman, Babak Dehghanpisheh / NEWSWEEK Magazine – 2010-12-16 00:26:34
The Shadow War
Someone is killing Iran’s nuclear scientists
but a computer worm may be the scarier threat
Christopher Dickey, R. M. Schneiderman, Babak Dehghanpisheh / NEWSWEEK
(December 13, 2010) — The covert operations that target Iran’s nuclear program suddenly came to light with explosive violence and stunning implications for the future of warfare on Nov. 29.
On that Monday morning, dawn had just broken over a bustling Tehran so deeply shrouded in smog that many commuters wore face masks to protect against the fumes and dust in the air.
On Artesh Street, among rows of new and half-finished apartment blocks, the nuclear physicist Majid Shahriari was working his way through rush-hour traffic with his wife and bodyguard in his Peugeot sedan. A motorcycle pulled up beside the scientist’s car. Nothing extraordinary about that.
But then the man on the bike stuck something to the outside of the door and sped away. When the magnetically attached bomb went off, its focused explosion killed Shahriari instantly. It wounded the others in the car but spared their lives. A clean hit.
Only a few minutes later and a few miles away, in a leafy neighborhood in the foothills of the Alborz Mountains, again a motorcycle pulled alongside the car of another scientist, Fereydoun Abbasi Davani. A longtime member of Iran’s Revolutionary Guards, Abbasi Davani was named specifically in a United Nations sanctions resolution as “involved in nuclear or ballistic missile activities.” Sensing what was about to happen, he stopped the car, jumped out, and managed to pull his wife to safety before the bomb went off.
That same morning, in Israel, where many see Iran’s nuclear program as a threat to the very existence of the Jewish state, nobody celebrated the Tehran attacks publicly. Nobody claimed responsibility. But nobody denied it, either.
And as it happened, that was the morning Prime Minister Benjamin Netanyahu announced that Meir Dagan would be stepping down after eight years directing the Mossad and its secret operations against Iran. Under a photograph of Shahriari’s thoroughly perforated Peugeot, one of Israel’s tabloids ran the headline LAST SHOT FOR DAGAN?
This longest day in a dark war was not over yet, however. In Tehran that Monday afternoon, at a press conference that had been delayed for two hours, Iranian President Mahmoud Ahmadinejad told reporters there was “no doubt the hand of the Zionist regime and the Western governments” had been involved in the attacks on the scientists. Then, for the first time, Ahmadinejad admitted something that his government had tried to deny until that moment: the high-speed centrifuges used to enrich uranium for use as nuclear fuel in reactors, or possibly for weapons, had been damaged by a cyberattack.
Iran’s enemies — he didn’t specify which ones — had been “successful in making problems for a limited number of our centrifuges with software they installed in electronic devices.” Ahmadinejad assured the press that the problem was now taken care of. “They are unable to repeat these acts,” he claimed. Yet only a few days before, top Iranian officials had declared there was no problem at all.
Rarely has a covert war been so obvious, and rarely have the underlying facts been so murky. Conspiracy theory hangs as heavy in Tehran these days as the smog: a number of Iranian reformists opposed to Ahmadinejad have suggested the two scientists targeted in November, as well as another one, Masoud Ali Mohammadi, killed by an exploding motorcycle in January, were attacked by the regime itself because their loyalties were suspect.
All reportedly sympathized to some extent with the opposition Green Movement. Both Mohammadi and Shahriari had attended at least one meeting of SESAME, a UN-linked research organization based in Jordan, where Israelis as well as Arabs and Iranians were present.
“In the eyes of the Revolutionary Guards, everybody’s a potential spy,” says a former Iranian intelligence officer, who asked not to be named because of likely retributions inside Iran. “You are either 100 percent dedicated to the system or you are an enemy.”
So, who done it? The speculation itself is part of the psychological game played by various governments against Iran and to some extent against each other. In what Cold War spies would have called “a wilderness of mirrors,” different intelligence services may take credit, with a wink and a nod, for things they did not do, while denying they did what they actually did do. Enemies of Iran can take pleasure, for now at least, in the fear stirred up by uncertainty.
What we can deduce from the limited evidence that has emerged so far, according to former White House counterterrorism and cyberwarfare adviser Richard Clarke, is that at least two countries conducted operations against Iran simultaneously and not necessarily in close coordination. One likely carried out the hits; the other created and somehow infiltrated the highly sophisticated Stuxnet worm into computers of the Iranian nuclear program.
In an interview, Clarke, who now runs a security-consulting business, strongly suggested Israel and the United States are the likely sources of the attacks. Other analysts suggest that France, Britain, and especially Germany, home of Siemens, which made the software and some of the hardware attacked by the Stuxnet worm, might also be involved. (A spokesman for Siemens says the company no longer does business with Iran.)
Historically, Israel’s covert operations have been on the violent side. When it comes to strategic murders, the Mossad has established a record 50 years long of “targeted assassinations,” often taking out scientists who tried to help its enemies develop weapons of mass destruction. It has carried out hits all over the Middle East and Europe (see following story).
Iran knows this history well: Israeli intelligence sources, who decline to be named on the record, coyly suggest that the Iranian Revolutionary Guards are so convinced the Mossad directed the assassination plots that the Guards are taking extreme measures to protect the man considered next on the hit list: Mohsen Fakhrizadeh, a professor of nuclear physics whom the Israelis sometimes call “the Iranian Dr. Strangelove.” They believe he’s directing a secret nuclear-weapons program that is distinct from the public enrichment operations at Natanz and elsewhere, which are open to United Nations inspectors. (The official Iranian government position is that all its nuclear research and all its uranium enrichment are for purely peaceful purposes.)
The real damage to the Iranian nuclear program, however, was done by Stuxnet — the most sophisticated computer worm ever detected and analyzed, one targeting hardware as well as software, and a paradigm of covert cyberweapons to come. “Stuxnet is the start of a new era,” says Stewart Baker, former general counsel of the US National Security Agency. “It’s the first time we’ve actually seen a weapon created by a state to achieve a goal that you would otherwise have used multiple cruise missiles to achieve.”
According to figures compiled by David Albright of the Institute for Science and International Security, a Washington think tank that follows the Iranian program closely, Tehran had major problems bringing new centrifuges online throughout 2009. The first 4,000 already installed at the Natanz facility continued to spin, but the next 5,000 were beset by delays. The worst problems came in an array of centrifuges known as A-26, which Iran began installing in late 2008 — around the time Stuxnet was sent on its mission.
In the late summer of 2009, half the functioning A-26 centrifuges had to be pulled out of service. At the turn of this year, Albright has learned, 1,000 more simply broke down. This may have been the “limited number” Ahmadinejad was talking about.
Not all of the breakdowns can be attributed to Stuxnet. Spies from Israel and probably elsewhere have long been involved in the sabotage of high-tech materials and components for the Iranian nuclear program that Tehran has had to acquire on the black market because of UN sanctions. As far back as April 2007, Eli Levite, then deputy director of the Israeli Atomic Energy Commission, told a closed forum that “our efforts gained time for us and have doubtlessly caused significant delays in the [Iranian nuclear] project.”
The threshold at which Iran can be deemed a real nuclear-weapons power — which is the point at which Israel might launch a military strike to neutralize the threat, even if that risked dragging the United States into a third Muslim-world war — is pushed back by these covert operations. And that gives diplomacy a chance even if, as happened in Geneva last week, talks with Iran appear to make little progress.
Some press reports suggest that Stuxnet, too, is an Israeli weapon. They point to Tel Aviv’s prowess in computer science, especially in highly secretive groups like Unit 8200, the Israeli military’s legendary cyber outfit. They point to some code in Stuxnet that might suggest the date on which a prominent Jewish businessman was executed in Tehran in 1979, or the name “Myrtus,” which could be construed as a reference to Esther, the biblical Jewish queen of Persia who stopped a genocide, and so on.
But Clarke cautions against such convoluted explanations. “The argument is that the Israelis are trying to subtly let the Iranians know it was them — not so subtly that they claim it publicly, but enough so the Iranians get to know,” he says. “Stay away from all that.”
What’s clear, says Clarke, is that major resources went into Stuxnet’s development. Microsoft estimates that building the virus likely took 10,000 man-days of labor by top-rank software engineers. Unlike most of the worms and viruses that wreak havoc on computers, this one was not designed to spread far and wide, doing damage wherever it landed.
It is structured to target a specific set of devices manufactured only in Finland and Iran that are used to determine the speed at which the centrifuges rotate. If that speed is not modulated perfectly, vibrations make the machines break down, as indeed they have.
According to Eric Chien of the antivirus firm Symantec, who has pulled Stuxnet apart like a strand of DNA, all that incredibly complex information was built into it before it ever infected the Iranian system. Clarke suggests that whoever developed Stuxnet probably had the same types of software and centrifuges on which to run tests. “That’s expensive,” he says. “That’s millions of dollars.”
Because the Iranian nuclear program’s computers are not connected to the Internet, the worm couldn’t have been introduced to them online. It’s presumed to have come from a USB thumb drive that the user may or may not have known was infected: Stuxnet was designed to do nothing to computers that didn’t connect with the control mechanisms it targeted. And then, depending on where it found itself, Stuxnet was supposed to self-destruct.
According to Chien, different components of the virus have different “time to live” mechanisms. A USB key inserted into a newly infected computer can’t carry the worm for more than 21 days. After that, it disappears. The worm is programmed to quit exploiting one particular weakness in Microsoft’s software after June 1, 2011, and the worm’s overall time to live runs out in June 2012.
Why bother with an expiration date at all? The answer supplied by Clarke is so very Washington-centric that it’s almost a dead giveaway. “All that suggests to me a nation-state actor with a series of lawyers involved in looking at the covert action,” says Clarke, whose latest book is Cyber War: The Next Threat to National Security and What to Do About It. “I’ve never seen or heard of a worm before that limited its spread.” One explanation, of course, is that the creators of the virus hoped it would self-destruct before it was discovered. Another, however, is that the creators and their government hoped to limit their liability if they were ever exposed.
A former senior intelligence official in the US government has doubts the CIA could have vetted such an attack. “The applicable presidential findings we had in this arena did not cover this kind of activity,” he says. If the United States were involved, he adds, it would have had to be a Defense Department operation.
Whoever was behind this seminal cyberattack, the next such worm, which might be adapted from the Stuxnet codes that are now widely circulated, may not be so punctilious. (Imagine what WikiLeaks-supporting anarchists might do with it. Or the Iranians.) Like other weapons that have transformed the battlefields of the last century only to become so widespread that they threaten their creators, this worm could turn.
With Maziar Bahari, Ronen Bergman, and John Barry
Killing the Killers
Israeli hit teams have a history of eliminating weapons scientists
Ronen Bergman / NEWSWEEK
(December 13, 2010) — During his years as Israel’s first prime minister, David Ben-Gurion was haunted by a recurring nightmare. In it, the Holocaust’s survivors had taken refuge in Israel only to become the targets of another Holocaust. The nightmare seemed to be coming true in July 1962, when Egypt’s then-president Gamal Abdel Nasser announced four successful tests of missiles capable of striking anywhere “south of Beirut” — that is, anywhere in Israel.
Israeli officials panicked. The Mossad had never guessed that Nasser was developing the means to destroy “the Zionist entity,” as he had repeatedly promised. Israel’s military intelligence quickly learned that Egypt had built a secret facility in the desert, known as Factory 333 and staffed by German scientists, builders of the V1 and V2 rockets that had devastated London.
Even the project’s security chief was a veteran of Hitler’s SS. The Egyptians’ plan was to build some 900 missiles, all of them presumably to be aimed at Israel.
But the program had a weakness, and the Mossad found it: the Egyptians still needed the German scientists’ help to start mass production of the missiles. At that moment Israel began a decades-long campaign to eliminate scientists working for its enemies on missiles and weapons of mass destruction. The Mossad called that first operation Damocles, invoking an image of impending doom from Greek myth.
The aim was to scare off the Germans at least as much as to kill them, so efforts to cover the assassins’ tracks were often minimal, only enough to protect the killers. In September 1962, Heinz Krug, head of a Factory 333 shell company called Intra, vanished in Munich. In November, two parcel bombs arrived at the office of the missile project’s director, Wolfgang Pilz, maiming his secretary and killing five Egyptian workers.
In February 1963 another Factory 333 scientist, Hans Kleinwachter, narrowly escaped an ambush in Switzerland. In April of that year, two Mossad agents in Basel accosted Heidi Goerke, the daughter of project manager Paul Goerke, and threatened to kill both him and her. The two agents were briefly jailed.
The anti-Egypt campaign was starting to upset Israel’s allies. To cool things down, intelligence on Factory 333 was shared with the West German government, which pressured its scientists to quit the project, offering them jobs in Germany instead. Nearly all the scientists accepted — perhaps in fear for their lives — and Egypt abandoned its plot.
A period of relative quiet ensued until the late 1970s, when Israeli intelligence found signs that Saddam Hussein was pursuing a secret nuclear-development program in Iraq, and agents began hunting a new set of weapons scientists. In June 1980 Mossad agents unexpectedly spotted Egyptian nuclear expert Yehia El Mashad at a Paris hotel. He was working for Saddam, and the Mossad agents had orders to kill him on sight.
Caught without their weapons, they improvised by breaking into his room and clubbing him to death. A prostitute told police she had heard what sounded like an argument from outside the room, but she died in a hit-and-run incident not long after her preliminary statement.
Iraq’s nuclear program was seriously damaged by Israel’s bombing of the Osirak reactor in June 1981, but Saddam did not give up his quest for powerful weapons. He soon signed up Gerald Bull, a Canadian-born, Belgium-based engineer and arms dealer who had invented what he called a supergun, an artillery piece with a range in the thousands of kilometers. As soon as Israeli weapons experts confirmed that Bull’s cannon was for real, he became a target.
In March 1990 a Mossad hit team knocked on the door of his Brussels apartment, burst in when he opened it, and fired two bullets into the back of his head and three into his back. One member of the team took close-up photos of the corpse. The pictures were sent to other European employees of the Iraqi project with a note: “If you don’t want a similar fate, don’t go to work tomorrow.” Israel’s defense chiefs can only hope the message continues to resonate.
Bergman is a senior military and intelligence analyst for Yedioth Ahronot, an Israeli daily. He is currently working on a book about the Mossad and the art of assassination.
Posted in accordance with Title 17, Section 107, US Code, for noncommercial, educational purposes.