Information Warfare: Iran Exploits Western Cellphones

October 9, 2025: Iranian-backed groups like the Houthis in Yemen use Western cellphones to track merchant ships in the Red Sea. They do this by pinging ships for their GPS locations. Even on warships, where communications are encrypted, sailors’ phones are not. This allows ships to be tracked and attacked with drone speedboats armed with explosives, anti-ship missiles, or naval mines.

This wasn’t the first time this sort of thing happened. Thirteen years ago, American and Israeli officials confirmed that industrial-grade cyberwar weapons like Stuxnet, Duqu, and Flame, used against Iran in recent years, were joint U.S.-Israel operations. No further details were released, though many rumors circulated. The U.S. and Israel were long suspected of creating these weapons-grade computer worms. Both nations had the motive, means, and opportunity to unleash these powerful cyberwar weapons against Iran and other terrorism supporters.

The American military has repeatedly requested permission to go on the offensive with cyberwar weapons. The U.S. government regularly and publicly declines to retaliate against constant attacks from China, mainly due to fears of legal repercussions and the risk that these weapons could spiral out of control, causing significant harm to innocent parties.

Iran was a different case. Though not a serious cyberwar threat to the United States, Iran was developing nuclear weapons, and Israel had reportedly been exploring cyberwar weapons to disrupt that effort. Given the nature of these weapons, which work best when the enemy is unaware of their existence, few details about this cyberwar program are likely to be released. What is known is that the cyberwar weapons used against Iran were designed to target specific systems. So far, only three such weapons are known to have been deployed. Stuxnet was designed to damage a specific facility—the plant where Iran produced nuclear fuel for power plants and atomic weapons—and it succeeded. Duqu and Flame were intelligence-collection programs that remained hidden for years, gathering vast amounts of valuable data.

In 2012, the latest of these cyberwar superweapons, Flame, was uncovered. Designed to stay hidden and collect information from infected computers, Flame operated undetected for as long as five years, possibly more, in Iran, Lebanon, the Palestinian West Bank, and, to a lesser extent, other Muslim countries in the region. Like Stuxnet (2009) and Duqu (2011), Flame bore the hallmarks of professional programmers and software engineers. Most malware is created by talented but undisciplined amateurs who lack organization. Professional programmers, however, produce more capable and reliable software, as seen in Stuxnet, Duqu, and Flame. The U.S. and Israel invested heavily in these cyberwar weapons, leveraging top-tier programming talent and organizations capable of managing highly secretive software development.

As researchers studied these three programs, they uncovered increasingly surprising features. Until Flame was discovered, the most formidable known cyberwar weapon was Stuxnet, a self-replicating computer worm that had appeared two years earlier. Designed to sabotage Iran’s nuclear weapons manufacturing, it succeeded. A year after Stuxnet was detected in 2010, security experts discovered Duqu, which collected information on large computer networks, likely preparing for broader attacks on industrial targets.

Stuxnet and Duqu were likely two of five or more cyberwar weapons developed from the same platform up to five years earlier. Flame, however, appeared unrelated to Stuxnet and Duqu. Its platform was built to accept numerous additional software modules, giving each variant unique capabilities. Some modules utilized specific computer features, like microphones, wireless communication, or cameras. Unlike Stuxnet and Duqu, Flame also spread via USB memory sticks or the internet.

Some infected PCs contained numerous Flame modules, totaling up to 20 megabytes of code and data. Flame was highly effective at concealing itself and included a robust self-destruct feature that erased all evidence of its presence. Over its five-year run, it infected a few thousand PCs and collected vast amounts of data.

In contrast, Duqu was used to probe industrial computer systems and transmit details about their structure and operation. When Duqu was discovered, the server it sent data to was traced to India and disabled. Duqu appeared to shut down after a few months, possibly because it completed its task or due to increased scrutiny. Flame, however, continued operating.

For over two years, hundreds of skilled programmers have dissected Stuxnet and Duqu, openly discussing their findings. Though these programs are government property, once released, they become public domain. Online discussions provided valuable critiques of their construction, often detailing how flaws could be fixed or features enhanced. Even without explicit suggestions, programmers analyzing these programs typically noted the tools or techniques needed to improve the code.

This public analysis, however, made the software’s inner workings and potential improvements accessible to everyone. On the upside, security professionals gained a clearer understanding of how these weapons function, making future attacks with similar tools more challenging.

Flame was larger and more complex than Stuxnet or Duqu and will keep researchers occupied for years. With three professionally crafted cyberwar weapons emerging over the past 15 years, more are likely to appear.

Cyberwar weapons like Stuxnet and Duqu aren’t new. For nearly a decade, hackers—both criminal and state-sponsored—have planted malware in corporate and government networks. These programs, known as Trojan horses or zombies, remain under the control of their creators and can steal, modify, or destroy data, or shut down infected systems. New PCs are infected by exploiting freshly discovered software vulnerabilities, called Zero Day Exploits (ZDEs), which allow hackers to infiltrate networks. Flame likely used high-quality, expensive ZDEs and may have received new ones over time.

Stuxnet contained four ZDEs, two previously unknown, indicating significant resources behind its creation. ZDEs are hard to find and can fetch over $250,000 on the black market. Stuxnet’s design to sabotage an industrial facility highlighted the growing vulnerability of such sites. Developers of systems control software were warned about increasing attempts to breach their defenses. Beyond terrorists, criminals could exploit compromised systems to extort money from utilities or factories or sell vulnerability data to cyberwar organizations. In Stuxnet’s case, the target was Iran’s nuclear weapons program, though its dissection could enable hackers to create software for blackmail schemes.

Stuxnet was designed to disrupt key components of Iran’s nuclear weapons program, including damaging gas centrifuges used to enrich uranium to weapons-grade material. Iran later admitted this damage occurred, and Western estimates of when Iran might develop a nuclear weapon were extended by several years.

Duqu built on Stuxnet’s success, spreading to numerous industrial sites to gather detailed data for potential future attacks, possibly for a “Stuxnet 2.0.” Multiple versions of Duqu were found, programmed to self-destruct after 36 days in a system.

Stuxnet, likely released in late 2009, infected thousands of computers as it sought its Iranian target. Initial analysis revealed it was designed to disrupt control software in industrial and utility plants. Further examination showed it subtly interfered with gas centrifuge operations.

Stuxnet hid within industrial control software, making it difficult to ensure all malware was removed. This was the most alarming aspect for Iranian officials, who feared other undetected Stuxnet-like attacks. Though Iran admitted Stuxnet caused damage, it withheld details on when it reached the centrifuges or how long it operated before detection. This accounted for previously unexplained delays in Iran’s centrifuge operations. Stuxnet’s creators likely knew the extent of the damage, as it included a “call home” feature.

The U.S. and Israel have a history of successful software attacks, though these are rarely reported in mainstream media due to their technical nature and lack of visuals. These attacks, especially Stuxnet, Duqu, and Flame, spread in a controlled manner, sometimes via agents using infected USB sticks. Even if some copies reached internet-connected PCs, they didn’t spread widely, unlike worms and viruses that can infect millions of PCs globally within hours.

Despite the secrecy, these cyberwar weapons are very real, and professionals are impressed by Stuxnet, Duqu, and Flame, even if the public remains largely unaware. Their capabilities mark a new era in internet-based warfare. The amateur era is over, and major players are now dominant. The U.S. and Israel’s cyberwar offensive has likely been ongoing for years, using stealth to remain hidden. More such programs are probably in use, and most will remain undisclosed until discovered and publicized.