Firemen search for survivors at the scene of an explosion at the Sina At'har health center north of Tehran on June 30, 2020. Photo: Amir Kholousi / ISNA / AFP

Five recent explosions in Iran may have been caused by computer viruses similar to the Stuxnet virus that disabled Iranian centrifuges in 2010.

Two of the blasts took place at power plants, one at a missile research, development and production site, one at a new uranium enrichment centrifuge center, and the last (if it can be considered part of the attacks) in downtown Tehran at a medical facility that could have been a cover for nuclear operations such as a hidden command center.

Iran says that the Shiraz Power Plant facility was hit by a cyberattack, which poses the question: were the blasts caused by “the son of Stuxnet?” Stuxnet was a computer virus used to attack Iranian centrifuges at the Natanz nuclear facility in September 2010. 

Specifically, it is a type of computer worm that can destroy or change the Windows operating system, attack a particular industrial controller (the Siemens PCS 7, Step 7 controller) and alter the performance of programmable control systems, all of which make up the Supervisory Control and Data Acquisition System (SCADA). 

A large centrifuge facility must have industrial controllers to regulate individual centrifuges. The object of the attack, attributed to Israel and the United States, was to overspin Iranian centrifuges so they broke down and caused enough damage to render them permanently inoperable.

A new section of the same Natanz centrifuge uranium enrichment facility was hit by an explosion last week. It caused a significant fire and appears to have destroyed the latest addition to the centrifuge project.

The Atomic Energy Organization of Iran shows centrifuge machines at the Natanz uranium enrichment facility in central Iran on November 5, 2019. Photo: Atomic Energy Organization of Iran

Unlike Stuxnet, which was designed to be non-lethal, all the recent attacks caused large explosions. However, outside of Tehran – where 18 people died – no other loss of life has been reported.

Stuxnet was a joint Israeli and US project, but its main development was probably in Israel. Researchers have found indications in the computer code related to two important Jewish matters.

One is a reference reported by the security firm Symantec where the name “Myrtus” appears in the Stuxnet code. Symantec said that Myrtus “could refer to the biblical Jewish Queen Esther, also known as Hadassah, who saved Persian Jews from destruction after telling King Ahasuerus of a plot to massacre them. Hadassah means myrtle in Hebrew.”  

Another item, also pointed out by Symantec, referred to an unusual pointer number in the code. “One marker Stuxnet uses to determine if it should halt [spinning the centrifuges] has the value 19790509. Researchers suggest this refers to a date – May 9, 1979 – that marks the day Habib Elghanian, a Persian Jew, was executed in Tehran and [which then] prompted a mass exodus of Jews from that Islamic country.”

But the clear difference between what may be the Son of Stuxnet and the original Stuxnet is that the new version can be lethal. The US government has generally been opposed to cyberattacks that can cause harm to people, which might rule out US involvement in this new attack.

There is much speculation about whether the latest attacks have been carried out by local groups, or even whether the Israeli Air Force used its new F-35 stealth jets to bomb Iranian targets.

David Wurmser, a leading American Middle East expert who was a top adviser to former US Vice-President Dick Cheney and is now with the Center for Security Policy in Washington, makes the case that these attacks were highly professional, used expert targeting and probably did not involve the use of locals.

While Iran has complained that it was hit by a cyberattack, it has so far shied away from directly blaming anyone, although Iranian officials did say they were issuing warnings to Israel and the US. Meanwhile, the Israeli press is reporting that Israel is preparing for an Iranian response, which means that the cycle of attacks may be far from over.

On April 24 and April 25, Iran launched a series of attacks on six Israeli water facilities. The incidents damaged Israel’s water supply and wastewater management. A particularly clever trick used by the Iranians, also potentially lethal to the population, was to release large amounts of chlorine into the water supply. 

Iran successfully hacked into the controllers that ran the water pumps, including those for the chlorine tanks that control the addition of chlorine to Israeli water distribution pipes and reservoirs.

Chlorine is a disinfecting agent if used in small quantities and most city water supply systems use the chemical, as do swimming pools. In large concentrations, however, chlorine is a dangerous poison. Syria has been using chlorine-filled barrel bombs against rebels and civilians.

Israel claimed that the Iranian attacks crossed a red line. A senior Israeli official said: “This is an attack which defies all [ethical] codes, even in war. Even from the Iranians, we did not expect such a thing. This is an attack which it’s forbidden to conduct.”

The first Israeli response to the water supply attack was an alleged Israeli cyberattack on the Shahid Rajaee terminal in Bandar Abbas. That attack caused minor disruption and was criticized as a weak reaction to a dangerous move by Iran. The Iranians crowed that the attack on the shipping terminal was a failure.

Son of Stuxnet, if that is what the cyberattacks were, represents a concerted attack on Iran’s nuclear weapons development centers including a missile facility that could have been building a nuclear delivery system for Iran’s rockets. 

There are also targets that are still not understood, such as the Shiraz and Ahvaz power plants. After all, why would an attack be launched against a power plant? One answer is that an attack on a power plant is an attack on critical infrastructure, and could be Israel’s response to Iran’s water facilities attack.

There is another, deeper and perhaps more likely possibility: Any nation urgently trying to build nuclear weapons tries as many different ways as possible to manufacture enough fissionable material for its bombs.

Centrifuges can produce enriched uranium but the process is rather slow. There are a number of alternatives for enriching uranium.

The aftermath of the July 2 incident at the Natanz facility. Photo: Agencies

One way is to use a Calutron, which is what the US used in World War II and Iraq used under Saddam. A Calutron is a mass spectrometer originally designed and used for separating the isotopes of uranium.

It was developed by Ernest Lawrence during the Manhattan Project. During World War II, Japan had at least five Calutrons in Tokyo, maybe more. It is likely Calutrons were also at work in Korea, then under Japanese occupation. Japan had at least two atomic weapons programs, one run by the Army and the other (mainly in Korea) under Navy control.

A Calutron requires vast amounts of electricity, which is why Japan had part of its atomic weapons program in Korea where there was an abundance of hydroelectric power and fewer allied airstrikes. It is why the US World War II Calutron project was located at Oak Ridge which housed a major power generating capability (and still does). 

If Iran was trying alternate ways to enrich uranium, Calutrons are a viable option. These facilities would have to be near, or even under, power plants.

Iraq learned how to build Calutrons from CERN, the European Organization for Nuclear Research. (See “The origin of Iraq’s nuclear weapons program: Technical reality and Western hypocrisy” by Suren Erkman, Andre Gsponer, Jean-Pierre Hurni, and Stephan Klement, Independent Scientific Research Institute, Switzerland, 2008.) It is likely Iran got it from the same place.

No one can yet say whether all the Iranian facilities that blew up were the result of cyberattacks. But without any other explanation, including the lack of any evidence of commando teams operating in Iran, the lack of any arrests and the lack of evidence about “exotic” weapons platforms such as the F-35, the Son of Stuxnet appears to represent a reasonable explanation.