
Stuxnet: How a USB Drive Destroyed 1,000 Nuclear Centrifuges — A Technical Deep Dive
In 2010, the world discovered that a piece of software had done something previously considered impossible: it caused real, physical destruction to industrial machinery — without anyone in the target facility knowing it was happening.
This is the story of Stuxnet. Not the headlines version. The technical one.
Background: The Target
Iran's Natanz Fuel Enrichment Plant operated roughly 9,000 IR-1 centrifuges spinning at ~63,000 RPM to enrich uranium hexafluoride (UF₆). The facility was air-gapped — completely isolated from the internet. No external network connection. No remote access. Seemingly impenetrable.
The objective of Operation Olympic Games (a joint US-NSA / Israeli Unit 8200 effort) was to destroy as many of those centrifuges as possible, without Iran knowing why they were failing.
Phase 1 — Infiltration: Breaking the Air Gap
Vector 1: The USB Zero-Day (CVE-2010-2568)
Stuxnet's first and most elegant trick was a Windows Shell vulnerability that required zero user interaction.
When a user opened a folder containing an infected USB drive in Windows Explorer, the OS attempted to render the .LNK shortcut icons. That rendering path called LoadLibrary(), which loaded Stuxnet's DLL and executed it automatically.

```text
// No autorun. No click. Just opening the folder.
Windows Explorer renders .LNK icon
  → LoadLibrary("~WTR4132.tmp")
  → Stuxnet DLL executes
  → injects into csrss.exe
  → copies itself to all inserted USB drives (limit: 3)
```
This was the first zero-day exploit ever found that executed code purely through icon rendering. It crossed the air gap physically — carried in by engineers and technicians with infected USB drives.
Vector 2: Network Propagation
Once inside, Stuxnet used three additional zero-days to spread across the internal network:
- CVE-2010-2729 — Windows Print Spooler: spread via shared printers, no interaction required
- CVE-2010-2743 — Windows Kernel: escalated privileges to SYSTEM on every machine
- Siemens STEP 7 hardcoded password (2WSXcder): gave direct access to every PLC configuration database
Staying Hidden: Stolen Certificates
All Stuxnet drivers were signed with legitimate certificates stolen from two Taiwanese companies — Realtek Semiconductor and JMicron Technology. Windows and antivirus products treated them as trusted hardware drivers.
Phase 2 — Stealth & Reconnaissance: 30 Days of Silence
After infection, Stuxnet did nothing visible for approximately 30 days.
Code 397: The Target Fingerprint
Stuxnet would only activate if it found an extremely specific environment:
```python
# Pseudocode of the activation check as the article describes it
if (siemens_step7.found() and
        plc_model in ["S7-315", "S7-417"] and
        drive_manufacturer in [0x9500, 0x2C79] and  # Fararo Paya (Iran) or Vacon (Finland)
        807 <= drive_frequency <= 1210):            # Hz
    ACTIVATE()
else:
    remain_dormant()  # not the target: do nothing
```
This internal check (Code 397) is why Stuxnet infected 200,000+ computers worldwide without damaging any of them. It was looking for one specific configuration.
The Learning Phase
During dormancy, Stuxnet recorded everything:
- Centrifuge rotor speed (~1,064 Hz nominal)
- Internal gas temperature (~34°C)
- UF₆ pressure (~2.1 kPa)
- Vibration signatures (0.03 mm/s)
These recordings became the fake "normal" data played back to operators during the attack.
Phase 3 — Attack: Invisible Destruction
Man-in-the-Middle on the S7-400 Bus
Stuxnet replaced the Siemens communication DLL (s7otbxdx.dll) with its own hooked version — sitting between the STEP 7 software and the PLC:
```text
[STEP 7 Software]
   ↓ "Set speed = 1,064 Hz"   ← operator command
[Stuxnet Hook]
   ↓ "Set speed = 1,410 Hz"   ← what the PLC actually receives
   ↑ "Speed = 1,064 Hz"       ← fake reading sent back to the screen
[Siemens S7-315 PLC → Centrifuges being destroyed]
```
The operator sent one command. The PLC received another. The screen showed a third.
Destruction Method 1: Overspeed
- Normal: ~1,064 Hz (~63,800 RPM)
- Stuxnet: 1,410 Hz (~84,600 RPM) — 33% above maximum rated speed
Sudden acceleration followed by a crash to near-zero. Repeated mechanical shocks cracked aluminium rotors and caused structural failure.
Destruction Method 2: Overpressure
Stuxnet closed UF₆ exhaust valves via PLC commands. Gas pressure built far beyond structural limits — the centrifuge imploded from within, releasing toxic uranium hexafluoride into cascade halls.
The Deadliest Component: Operator Deception
While centrifuges were physically failing, Stuxnet replayed the 30 days of recorded normal sensor data to every screen in the control room:
| What operators saw | Reality |
|---|---|
| Speed: 1,064 Hz ✓ | Speed: 1,410 Hz — rotor cracking |
| Temperature: 34.2°C ✓ | Temperature: 88–112°C |
| Pressure: 2.1 kPa ✓ | Pressure: 18–28 kPa — vessel failing |
| Status: ALL NOMINAL | Centrifuges failing one by one |
This deception ran for 27 months. Engineers replaced broken centrifuges with new ones — which Stuxnet then destroyed again. Some technicians lost their jobs. The cause was unknown until public discovery in June 2010.
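The deception above works because the operator screens were fed recorded data instead of live readings. Two cheap checks a monitoring layer can run against that tactic, as an added example (not code from the article or from CAISD): flag sensor windows that repeat an earlier window verbatim (real streams carry noise and almost never do), and cross-check HMI-reported values against an independent out-of-band measurement. All sample data is constructed; the 1,064 Hz and 1,410 Hz figures are taken from the article.

```python
"""Replay and HMI/field-divergence checks for a process sensor stream.

Added example, not part of the original article. Sample readings are
constructed to mimic the scenario described: a recording of normal
behaviour replayed to the screen while the real process is driven overspeed.
"""
import random


def find_replayed_windows(samples, window=8):
    """Return (first_seen, replay_index) pairs for every window of `window`
    consecutive readings that exactly repeats an earlier window.
    Readings are rounded to 3 decimals so float formatting cannot hide a match."""
    seen = {}
    hits = []
    for i in range(len(samples) - window + 1):
        key = tuple(round(v, 3) for v in samples[i:i + window])
        if key in seen:
            hits.append((seen[key], i))
        else:
            seen[key] = i
    return hits


def divergent_readings(hmi_values, field_values, tolerance=0.05):
    """Indices where the HMI-reported value differs from an independent field
    measurement by more than `tolerance` (fraction of the field value)."""
    return [i for i, (h, f) in enumerate(zip(hmi_values, field_values))
            if abs(h - f) > tolerance * abs(f)]


random.seed(7)
# Constructed: 40 "normal" rotor-speed readings around 1,064 Hz with sensor noise.
NORMAL = [1064.0 + random.gauss(0, 0.8) for _ in range(40)]
# Constructed: what the operator screen showed, the recording replayed verbatim.
HMI_STREAM = NORMAL + NORMAL
# Constructed: what an independent frequency probe on the drive would report,
# with the 1,410 Hz overspeed beginning at sample 40.
FIELD_STREAM = NORMAL + [1410.0 + random.gauss(0, 1.0) for _ in range(40)]

if __name__ == "__main__":
    replays = find_replayed_windows(HMI_STREAM)
    print("replayed windows:", len(replays), "first:", replays[:1])
    print("divergent samples:", divergent_readings(HMI_STREAM, FIELD_STREAM)[:5], "...")
```

Neither check needs to know the attack: the replay check fires on any verbatim repeat, and the divergence check fires whenever the screen and an independent sensor disagree beyond tolerance.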
Confirmed Damage
| Metric | Value |
|---|---|
| Centrifuges destroyed | ~1,000 of ~9,000 |
| Capacity lost | ~11% |
| Time undetected | 27 months |
| Nuclear program setback | 2–5 years |
| Countries infected (unintended) | 110+ |
| Computers infected globally | ~200,000 |
Why This Still Matters
- Cyber attacks can cause physical destruction — the line between digital and kinetic warfare was permanently erased.
- Air gaps are not sufficient — physical isolation alone is not a solution.
- It opened Pandora's box — Industroyer (2016 Ukrainian power grid), Triton (2017 Saudi petrochemical), and PIPEDREAM (2022 US infrastructure) are Stuxnet's direct descendants.
- The human layer is always the weakest point — a Dutch engineer with an infected water pump crossed the most sophisticated air gap in the world.
Summary: Five Layers of a Precision Weapon
1. BREAK → Air gap crossed via USB + human infiltration
2. HIDE → Signed with stolen certs, dormant 30 days
3. IDENTIFY → Code 397 — only activates on exact target hardware
4. RECORD → 30 days of normal behaviour captured for fake replay
5. DESTROY → MitM PLC + overspeed + overpressure + operator deception
Stuxnet was not a virus. It was a multi-stage, precision-guided weapon made of code.
🎬 Want to See the Full Attack Simulated?
CAISD has built a step-by-step interactive simulation of all three phases — the USB infection, the 30-day silent reconnaissance, the MitM PLC takeover, centrifuge destruction in real-time, and the operator deception — visualised with live diagrams, console logs, and animated network topology.
📺 Watch the full walkthrough on YouTube:
👉 youtube.com/@CAISD_Official
You can watch the entire attack unfold frame by frame — exactly how it happened inside Natanz.
Written by CAISD — Cyberscope Advanced Intelligence & Security Directorate
