Threat Intelligence Tarot
wands · 5
USA / Israel (joint NSA–Unit 8200)
★★★★★
risk 5/5
✦ The Saboteur ✦
Stuxnet Operators
OLYMPIC GAMES operators · Unit 8200 / NSA joint operation
Targets: Iran Natanz nuclear facility · Siemens PLCs · Uranium enrichment centrifuges
Active ~2005–2010 · Iranian nuclear program disruption, physical infrastructure sabotage, covert warfare
The Saboteur crossed the air gap on a USB drive, found its target inside the most protected nuclear facility in Iran, spun enrichment centrifuges to destruction while reporting normal operation to monitoring systems, and set back the Iranian nuclear program by years. It was not malware. It was a weapon.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
Notable Operations
- Natanz centrifuge destruction: 1,000+ centrifuges damaged (2009–2010)
- First confirmed cyberweapon to cause physical destruction
- Four Windows zero-days used simultaneously
- Air-gap crossing via infected USB drives
Defenses
- USB and removable media controls on critical infrastructure (ICS-CERT guidance)
- OT/ICS anomaly detection for PLC behavior (NIST SP 800-82)
- Air-gapped network procedures and physical security (ICS-CERT guidance)
- Siemens and industrial control system patch management (ISA/IEC 62443)
Reversed: Their Weakness
When Stuxnet escaped Natanz and spread across the internet, its discovery became inevitable. The most sophisticated cyberweapon ever deployed was exposed because its air-gap-crossing mechanism worked too well: it left the intended target and spread to the world.
Data sourced from MITRE ATT&CK. For educational purposes.