Operation Stuxnet: the cyber attack that changed warfare forever
In the Innovation Maestros series, we discuss innovations from our little country that are shaking up the tech world. Today: Operation Stuxnet.
Published on November 15, 2024
Everything new is wildly interesting! That's the motto of our DATA+ expert, Elcke Vels. She writes stories about AI and how it affects our society, has a series on cyber security, and interviews Dutch innovation maestros. In her “What if...” column, she also explores intriguing scenarios that deviate from the status quo.
In 2007, the Americans developed a daring plan to sabotage Iran's nuclear program with the cyber weapon Stuxnet. A Dutch AIVD agent, engineer Erik van Sabben, managed to gain access to the heavily secured nuclear complex to install the program. In doing so, the Netherlands played a role in Operation Stuxnet. “It is mostly seen as the first successful cyber operation,” said Wouter Scherpenisse, a doctoral student in rule of law and cybersecurity at Erasmus University Rotterdam.
Iran's nuclear program has always been a thorn in the side of many Western countries, including the United States. Therefore, the U.S. decided to attack Iran with a new digital weapon called Stuxnet. This cyber weapon, developed by U.S. and Israeli intelligence agencies, was designed to sabotage and damage centrifuges without Iran discovering where the attack came from.
In 2019, the Volkskrant and the American news site Yahoo News revealed that the Americans and Israelis asked the Dutch AIVD for help with this risky operation. This help was eventually provided by Erik van Sabben, an engineer also recruited as an agent by the Dutch services. This was revealed early this year in a Volkskrant article. The Dutch engineer managed to enter the high-security nuclear complex in Natanz, located 300 kilometers south of Tehran. There he installed software that dealt a severe blow to Iran's nuclear program. Nearly a thousand ultracentrifuges, essential for enriching uranium, were eventually disabled.
Clever software
The Stuxnet operation consisted of at least two variants that worked in different ways, Scherpenisse explained. “The first variant was less obvious. This version required physical access, possibly by Van Sabben, to the complex in Natanz to smuggle, for example via a USB stick or possibly a water pump, the Stuxnet software inside. The goal was to sabotage Iran's gas centrifuges by causing minor damage. This was done by closing certain valves, which led to overpressure in the centrifuges.”
The second variant was much more powerful and had the capacity to spread itself, through unsuspecting suppliers to Natanz, for example, without the need for an agent to have physical access to the system at Natanz, Scherpenisse continued. “This 'worm' disrupted the rotational speed of the centrifuges, causing them to rotate slowly at irregular times and suddenly too fast, leading to damage.” Specifically, the worm caused damage through the Siemens Supervisory Control and Data Acquisition (SCADA) system used to control the centrifuges. But the system issued no warnings because data on the centrifuges' operation initially appeared normal.
Global impact
Stuxnet has had a huge impact on the way countries wage war with each other. The operation is commonly seen as the first major operation in which cyber technology was used as a weapon. Instead of conventional weapons, digital means were used to sabotage a specific target. “The digital domain is playing an increasing role in warfare, often in combination with other military and diplomatic means. This 'hybrid warfare' can be seen, for example, in Ukraine. Cyber operations are also used for influence campaigns, such as during the 2016 elections in the United States. American research showed that .”
Trust in Dutch intelligence services
That the Netherlands was involved in a cyber operation of major proportions is not entirely surprising, the doctoral student believes. The AIVD and MIVD are highly regarded internationally. They have been actively participating in major operations for decades. “As former director of the MIVD Pieter Cobelens once remarked, the Netherlands aspires to play 'Champions League' in the field of intelligence.”
Operation Stuxnet can thus be seen as an important innovation in the cyber world. Moreover, the cyber weapon sparked a discussion about the degree of oversight of intelligence actions. Indeed, following the Volkskrant article from 2024, questions arose about this. Prime Minister Balkenende and the parliamentary Committee for the Intelligence and Security Services (CIVD) were not informed at the time. This led to political bewilderment.
Scherpenisse: “When the services use their powers without the necessary permission from the appropriate political leaders, such as the minister, that is problematic from a constitutional perspective. The core of the rule of law is precisely that the government adheres to the existing rules of the game, with subsequent accountability. The lack of political control can undermine confidence in the transparency and accountability of these services.”
However, it is unclear to what extent the Dutch services themselves were aware of the Stuxnet operation, as they may have played a limited role by recruiting an agent who was also used by foreign services. If specific powers were not used by the services, then there is no legal obligation to seek permission from the ministers involved. “If this operation was carried out by the Americans and Israelis, the responsibility for carrying out the operation also lies there. For that matter, for the deployment of agents, a minister's permission should not always be sought unless there is a great political risk involved in the agent's deployment.”
But it is important to approach the rule of law not only from an accountability perspective, but also from a trust perspective, Scherpenisse continued. “It is important for the rule of law that society has trust in the government and its institutions, including intelligence agencies, but also, for example, in science and journalism. When that trust is lost, it can threaten not only security but also prosperity and the social fabric of society. In short: a good system of oversight and control is essential to ensure that the intelligence services do their work in the best interests of society, but it is also important that society sees that the system of oversight of the services is currently strong and thus maintains confidence in the services: the services cannot just go about their business.” This system of supervision includes, for example, the CTIVD (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten), an independent regulator that closely monitors the activities of the AIVD and MIVD to ensure that they comply with the law, and the TIB (Toetsingscommissie Inzet Bevoegdheden), which reviews the legality of the deployment of special powers by the services in advance.
International agreements
When Stuxnet was launched, there were no international agreements or rules for the use of sabotage viruses. It was not until 2015 that the United Nations drew up legally non-binding standards for responsible behavior in the digital domain. According to the UN, attacking critical infrastructure is not allowed. Yet it seems that major powers such as Russia, Israel and the United States care little about such rules of conduct. In its annual report, the National Coordinator for Counterterrorism and Security (NCTV) warns of the growing threat of cyber attacks. Countries such as Russia and China are increasingly using a wider arsenal of cyber weapons. In addition, these countries are increasingly engaging companies and “hacktivists.”
Stuxnet was the first but by no means the last digital tool to make a major impact worldwide. “One thing is certain: war is the continuation of politics by other means, according to military theorist Carl von Clausewitz, and within the assortment of those means, cyber weapons have taken an important place,” the doctoral student concludes.