Sometime around late 2009, centrifuges inside Iran’s heavily guarded Natanz uranium enrichment plant began failing at an unusual rate. The machines, delicate aluminum tubes spinning uranium hexafluoride gas at supersonic speeds, were tearing themselves apart. Iranian engineers replaced them and restarted cascades, only to watch more break down. What they did not know, according to a detailed 2012 New York Times investigation by David Sanger, was that a piece of malware called Stuxnet, built jointly by the United States and Israel, had burrowed into the facility’s industrial control systems and was quietly commanding the centrifuges to destroy themselves.
The operation, code-named “Olympic Games,” began under President George W. Bush around 2006 and was expanded under President Barack Obama. It remains, as of May 2026, the most thoroughly documented case of a cyberweapon causing physical destruction to another nation’s infrastructure.
What inspectors saw on the ground
The first independent confirmation that something had gone wrong at Natanz came from the International Atomic Energy Agency. IAEA inspectors stationed at the facility documented an operational interruption that involved centrifuges being taken offline and uranium hexafluoride feed being halted, according to contemporaneous reporting by the Washington Post based on IAEA safeguards data. The agency’s quarterly reports showed that Iran had pulled roughly 1,000 IR-1 centrifuges out of operation at Natanz during 2009 and 2010, a figure later highlighted by the Washington-based Institute for Science and International Security in its own analysis of the IAEA data.
The IAEA itself did not attribute the disruptions to any specific cause. Its mandate covers nuclear safeguards, not cyber forensics. But the timing and pattern of failures caught the attention of outside researchers who were, by mid-2010, already pulling apart a mysterious piece of malware that had surfaced on computers worldwide.
How the malware worked
Stuxnet was first identified in June 2010 by VirusBlokAda, a small Belarusian antivirus firm, after it appeared on a client’s machine. Within months, researchers at Symantec published a 79-page technical dossier detailing the worm’s architecture. German industrial-control-systems researcher Ralph Langner, working independently, was among the first to conclude that Stuxnet had been engineered to target a specific configuration of Siemens S7-300 and S7-400 series programmable logic controllers, the hardware governing centrifuge motor speeds at Natanz.
The attack had two distinct payloads, according to Langner’s analysis and the Symantec dossier. One targeted the frequency converters driving centrifuge rotors, periodically pushing them far above their rated speed and then dropping them back down. The other manipulated the pressure inside centrifuge cascades. Both payloads included a critical deception layer: while the malware altered physical operations, it recorded normal telemetry data and replayed it to the facility’s monitoring screens, so operators saw nothing amiss.
The result was mechanical fatigue. IR-1 centrifuges, a design derived from older European models and already considered fragile, could not withstand repeated speed surges. Bearings failed. Rotors cracked. Entire cascades had to be pulled offline and replaced.
The covert program behind the code
Sanger’s New York Times reporting, based on interviews with current and former American, European, and Israeli officials, described “Olympic Games” as a joint operation run by the National Security Agency and Israel’s Unit 8200. The program reportedly began with intelligence-gathering intrusions into Natanz’s networks and evolved into the deployment of increasingly sophisticated versions of Stuxnet.
According to those accounts, Obama was briefed on the operation shortly after taking office in January 2009 and chose to accelerate it. The decision, officials told Sanger, was driven by a desire to slow Iran’s enrichment progress without resorting to airstrikes, an option Israeli leaders were openly pressing. The malware was introduced into Natanz’s air-gapped network through infected USB drives, the officials said, exploiting the human link in a system deliberately disconnected from the internet.
Neither the U.S. nor Israeli government has officially confirmed the operation. The most direct public acknowledgment came obliquely: in 2011, then-retiring CIA director Michael Hayden told CBS News that Stuxnet was “a good idea,” without claiming credit. No declassified after-action report or court filing has surfaced as of May 2026.
What remains uncertain
Several significant gaps persist. The precise number of centrifuges Stuxnet destroyed is still debated. The Institute for Science and International Security estimated that roughly 1,000 IR-1 machines were decommissioned during the relevant period, but whether all of those failures were caused by the malware, as opposed to Iran’s own manufacturing and quality-control problems, is not definitively settled.
How far the operation actually set back Iran’s nuclear timeline is also contested. Some analysts have argued the delay amounted to only a year or two, noting that Iran accelerated centrifuge production after discovering the sabotage. Others contend the disruption bought several additional years of diplomatic space, contributing to conditions that led to the 2015 Joint Comprehensive Plan of Action.
Iran acknowledged publicly that its enrichment program experienced setbacks but has never provided a full technical accounting of the damage at Natanz. Tehran has, however, cited the attack in justifying its own investments in offensive and defensive cyber capabilities.
Perhaps the most consequential open question involves Stuxnet’s unintended spread. The worm escaped Natanz, likely carried out on a laptop, and propagated across the internet, infecting tens of thousands of computers in Iran, Indonesia, India, and elsewhere. Whether that spread was anticipated by the operation’s planners has never been publicly addressed by either government. The incident demonstrated a fundamental tension in cyber operations: code precise enough to target a single facility can still behave unpredictably once it leaves that environment.
Why Stuxnet still matters in 2026
More than 15 years after its discovery, Stuxnet remains the benchmark case in debates over offensive cyber operations. It proved that software could cross the boundary between the digital and physical worlds, causing tangible, kinetic-scale damage to critical infrastructure. That precedent has shaped military doctrine, intelligence budgets, and international negotiations over cyber norms ever since.
Supporters of the operation, as reflected in the anonymous accounts given to Sanger and others, viewed it as a precise alternative to bombing. Critics counter that it set a dangerous precedent: if the United States and Israel could covertly sabotage another country’s industrial systems, other states and non-state actors could claim the same justification against targets like power grids, water treatment plants, or financial networks.
The operation also exposed the limits of secrecy. Stuxnet was designed to remain hidden, but its escape into the wild allowed the global cybersecurity community to reverse-engineer it in detail, effectively publishing the blueprint for a new class of weapon. Langner, in a widely cited 2013 analysis, warned that the techniques Stuxnet pioneered could be adapted by less scrupulous actors with far less precision and far less restraint.
For policymakers and the public alike, the Stuxnet story is a reminder that the most consequential cyber operations may never be officially acknowledged by the governments that carry them out. The public record on “Olympic Games” is built from overlapping fragments: IAEA inspection reports, independent technical forensics, and the testimony of officials who spoke on condition of anonymity. Taken together, those fragments form a coherent and broadly accepted account. But no single declassified document ties every thread into a definitive narrative, and as of May 2026, none appears forthcoming.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
