Card of the Day

Friday, March 6, 2026

Threat Intelligence Tarot
wands · 5
USA / Israel (joint NSA–Unit 8200)
risk 5/5
The Saboteur
Stuxnet Operators
OLYMPIC GAMES operators · Unit 8200 / NSA joint operation
Iran Natanz nuclear facility · Siemens PLCs · Uranium enrichment centrifuges
Active ~2005–2010 · Iranian nuclear program disruption, Physical infrastructure sabotage, Covert warfare
The Saboteur crossed the air gap on a USB drive, found its target inside the most protected nuclear facility in Iran, spun enrichment centrifuges to destruction while reporting normal operation to monitoring systems, and set back the Iranian nuclear program by years. It was not malware. It was a weapon.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1200 · Hardware Additions · Initial Access
  • T1542.001 · System Firmware · Persistence
  • T1485 · Data Destruction · Impact
  • T1070 · Indicator Removal · Defense Evasion
  • T1600 · Weaken Encryption · Defense Evasion
Notable Operations
  • Natanz centrifuge destruction - 1,000+ centrifuges damaged (2009–2010)
  • First confirmed cyberweapon to cause physical destruction
  • Four Windows zero-days used simultaneously
  • Air-gap crossing via infected USB drives
Reversed: Their Weakness
When Stuxnet escaped Natanz and spread across the internet, its discovery became inevitable. The most sophisticated cyberweapon ever deployed was exposed because its air-gap-crossing mechanism worked too well - it left the intended target and spread to the world.

Data sourced from MITRE ATT&CK. For educational purposes.