The 2020 Tokyo Olympic Games will start on July 23, despite having been delayed by a year due to the Covid-19 pandemic, which is still raging today with the mutated and more virulent Delta variant. There are already a few cases of athletes and officials testing positive for Covid-19 even before the Games have officially begun. Nonetheless, more than a decade ago, there was another Olympic Games that demonstrated to the world the potential use of cyber means in a real-world operation to conduct sabotage. Operation Olympic Games, more commonly known as the Stuxnet attack on the Iranian nuclear facility at Natanz, was a cyber-sabotage operation that ran from 2009 to 2010, and the United States and Israel are believed to have conducted it.
Iran was suspected of developing nuclear weapons at its uranium enrichment facility at Natanz, and Israel had been contemplating ways to destroy the facility. Israel had launched Operation Orchard in 2007, in which airstrikes supported by electronic warfare bombed and destroyed Syria’s nuclear research building at the Al-Kibar site. The airstrikes conducted by Israeli Air Force F-15I and F-16I fighter jets were supported by a combined electronic and cyber attack on Syrian air defense systems known as Suter, which included the disruption of the data link connecting Syrian radars with the screens of their radar operators (who would see blank screens). The United States may have been worried about more serious repercussions if the Israelis launched an airstrike at Natanz, and allegedly pushed ahead with a cyber-sabotage program together with the Israelis instead.
A sophisticated worm later known as Stuxnet was designed to infiltrate Iranian industrial computers (programmable logic controllers, PLCs) running Siemens Step 7 software (used at Natanz) via zero-day exploits. The worm was designed to infect only these selected computers, as it was not intended to spread widely around the world. Stuxnet could copy files, observe computer screens and keystrokes, remotely control computer functions (including turning on computers’ microphones and secretly recording voices nearby, and turning on Bluetooth and logging on to smartphones and other devices), and feed false feedback to controllers, so that the Iranian scientists watching the screens were not seeing the real results.
Stuxnet would infect the industrial computers and covertly sabotage the Supervisory Control and Data Acquisition (SCADA) systems by manipulating the control of the valves that pumped uranium gas into centrifuges in the reactors at Natanz. It sped up the gas volume and overloaded the spinning centrifuges, causing overheating and serious damage. For the Iranian scientists watching the computer screens, everything would look normal, and it was intended that the scientists would be blamed for the errors.
However, the Iranians knew about the risk of cyber-attacks and had taken the computers linked with the reactor offline, cutting their connection to cyberspace and effectively creating an “air gap.” The malware, for all its sophisticated cyber infiltration capabilities, was incongruously inserted physically into the Iranian computers through a thumb drive by an unknown agent.
The malware did its intended job. It managed to destroy a quarter of the Iranian centrifuges and temporarily halted the nuclear program while the Iranians searched for an explanation. Inadvertently, Stuxnet started to infect some computers outside the Natanz facility, and it did not take long for the anti-virus companies Symantec and Kaspersky to detect it.
The Iranian nuclear program was delayed temporarily, by between six and twelve months according to different estimates. It was only the 2015 nuclear deal, the Joint Comprehensive Plan of Action (JCPOA), signed with sweet rewards, that got Iran to agree to dismantle most of its nuclear program. Yet progress was disrupted when the United States pulled out of the deal in 2018. Iran has resumed some of its nuclear program since last year.
Iran has also learned from the Olympic Games attack and developed its own cyber offensive activities. A malware similar to Stuxnet, later known as Shamoon, attacked the computers at Saudi-Aramco, a U.S.-Saudi Arabian oil company, and wiped out 30,000 of its hard drives. The Shamoon malware’s origins are commonly attributed to Iran.
More than a decade later, cyber means are commonly and widely used today for gathering intelligence, sabotage, and information operations by a large number of states and non-state actors, for criminal activities or strategic purposes, or both. The recent Colonial Pipeline ransomware incident and Microsoft Exchange cyber espionage continue to highlight the constantly evolving forms of cyber operations.
Operation Olympic Games has demonstrated the alluring potential of using cyber means to conduct sabotage and network exploitation tasks. Nevertheless, Olympic Games also illustrated vividly the paradox of strategy: any new tactic or technology loses its element of surprise after first use. The opponent will learn, adapt, and develop ways and technology to counter it, and may even conduct its own sophisticated and more devastating counter-offensives. Just as in the athletic Olympic Games, sportspersons learn from their own and their opponents’ strengths and weaknesses to develop their training regimes and turn setbacks into triumph.
Adam Leong Kok Wey is associate professor in strategic studies, and the Deputy Director of Research in the Centre for Defence and International Security Studies (CDISS) at the National Defence University of Malaysia. His latest books are Eastern and Western Perspectives of Strategy and Special Operations published by NDUM Press (2021) and Killing the Enemy! Assassination Operations during World War II, published by Bloomsbury (2020).