VIENNA - In an underground chamber near the Iranian city of Natanz, a network of surveillance cameras offers the outside world a rare glimpse into Iran's largest nuclear facility. The cameras were installed by U.N. inspectors to keep tabs on Iran's nuclear progress, but last year they recorded something unexpected: workers hauling away crate after crate of broken equipment.
In a six-month period between late 2009 and last spring, U.N. officials watched in amazement as Iran dismantled more than 10 percent of the Natanz plant's 9,000 centrifuge machines used to enrich uranium. Then, just as remarkably, hundreds of new machines arrived at the plant to replace the ones that were lost.
The story told by the video footage is a shorthand recounting of the most significant cyberattack to date on a nuclear installation. Records of the International Atomic Energy Agency (IAEA), the U.N. nuclear watchdog, show Iran struggling to cope with a major equipment failure just at the time its main uranium enrichment plant was under attack by a computer worm known as Stuxnet, according to Europe-based diplomats familiar with the records.
But the IAEA's files also show a feverish - and apparently successful - effort by Iranian scientists to contain the damage and replace broken parts, even while constrained by international sanctions banning Iran from purchasing nuclear equipment. An IAEA report due for release this month is expected to show steady or even slightly elevated production rates at the Natanz enrichment plant over the past year.
"They have been able to quickly replace broken machines," said a Western diplomat with access to confidential IAEA reports. Despite the setbacks, "the Iranians appeared to be working hard to maintain a constant, stable output" of low-enriched uranium, said the official, who like other diplomats interviewed for this article insisted on anonymity to discuss the results of the U.N. watchdog's data collection.
The IAEA's findings, combined with new analysis of the Stuxnet worm by independent experts, offer a mixed portrait of the mysterious cyberattack that briefly shut down parts of Iran's nuclear infrastructure last year. The new reports shed light on the design of the worm and how it spread through a string of Iranian companies before invading the control systems of Iran's most sensitive nuclear installations.
But they also put a spotlight on the effectiveness of the attack in curbing Iran's nuclear ambitions. A draft report by Washington-based nuclear experts concludes that the net impact was relatively minor.
"While it has delayed the Iranian centrifuge program at the Natanz plant in 2010 and contributed to slowing its expansion, it did not stop it or even delay the continued buildup of low-enriched uranium," the Institute for Science and International Security (ISIS) said in the draft, a copy of which was provided to The Washington Post.
The ISIS report acknowledges that the worm may have undercut Iran's nuclear program in ways that cannot be easily quantified. While scientists were able to replace the broken centrifuge machines this time, Iran is thought to have finite supplies of certain kinds of high-tech metals needed to make the machines, ISIS concluded. In addition, the worm almost certainly exacted a psychological toll, as Iran's leaders discovered that their most sensitive nuclear facility had been penetrated by a computer worm whose designers possessed highly detailed knowledge of Natanz's centrifuges and how they are interconnected, said David Albright, a co-author of the report.
"If nothing else, it hit their confidence," said Albright, ISIS's president, "and it will make them feel more vulnerable in the future."
The creator of the Stuxnet computer malware remains unknown. Many computer security experts suspect that U.S. and Israeli intelligence operatives were behind the cyberattack, but government officials in the United States and Israel have acknowledged only that Iran's nuclear program appears to have suffered technical setbacks in recent months.
While Israel's government has previously said Iran was on the brink of acquiring a bomb, the country's outgoing intelligence chief estimated last month that the Islamic republic could not have a bomb before 2015. Other intelligence agencies have said Iran could obtain nuclear weapons in less than a year if it kicks out U.N. inspectors and launches a crash program. Iran denies it is seeking to build a nuclear weapon.
Stuxnet was discovered this summer by computer security companies that eventually documented its spread to tens of thousands of computers on three continents. While the worm appears to spread easily, an analysis of its coding revealed that it was harmless to most systems.
The computer security firm Symantec, which authored several detailed studies of the malware, found that Stuxnet was designed to target types of computers known as programmable logic controllers, or PLCs, used in certain kinds of industrial processes.
Moreover, the worm activates itself only when it detects the precise array of equipment that exists in Iran's uranium-enrichment plant at Natanz. The underground plant contains thousands of centrifuges, machines that spin at supersonic speeds to create low-enriched uranium, which is used to make fuel for nuclear power plants. With further processing, the machines can produce the highly enriched uranium used in nuclear bombs.
Stuxnet followed a circuitous route to Natanz, according to an analysis by Symantec. Initially it targeted computer systems at five Iranian companies with no direct ties to Iran's nuclear program. Then it spread, computer to computer, until it landed in the centrifuge plant.
Once inside the enrichment plant, Stuxnet essentially hijacked the plant's control system, causing the centrifuges to spin so rapidly that they began to break. At the same time, the malware fed false signals to the plant's computer system so the operators thought the machines were working normally, Symantec's experts found.
ISIS and Symantec analysts concluded that the Natanz facility was attacked twice by the worm, once in late 2009 and again in the spring. By autumn, when Iranian officials confirmed the attack, the damage was so severe that the plant had to be briefly shut down.
"An electronic war has been launched against Iran," said Mahmoud Liaii, director of the Information Technology Council of the Ministry of Industries and Mines.
As the attack was underway, IAEA inspectors were able to gauge its effectiveness by counting the carcasses of damaged centrifuges being hauled out of the facility. Under an agreement with the Tehran government, the watchdog agency is allowed to operate a network of surveillance cameras aimed at each of the plant's portals, to guard against possible nuclear cheating by Iran. Any equipment that passes through the doors is captured on video, and IAEA inspectors arrive later to eyeball each item.
Iran's centrifuges are notoriously unreliable, but over a few months last year the flow of broken machines leaving the plant spiked, far beyond normal levels. Two European diplomats with access to the agency's files put the number at 900 to 1,000.
IAEA inspectors who examined the machines could not ascertain why the centrifuges had failed. Iranian officials told the agency they were replacing machines that had been idled for several months and needed refurbishing. Whatever the reason, the plant's managers worked frantically to replace each piece of equipment they removed, the two European diplomats confirmed.
"They were determined that the IAEA's reports would not show any drop in production," one of the diplomats said.
While U.S. officials declined to comment on the major equipment failure at Natanz, the speed of Iran's apparent recovery from its technical setbacks did not go unnoticed. "They have overcome some of the obstacles, in some cases through sheer application of resources," said U.S. Ambassador Glyn Davies, Washington's representative to the IAEA in Vienna. "There's clearly a very substantial political commitment."
Still far from clear is whether Iran has truly beaten the malware. Iranian President Mahmoud Ahmadinejad, in a November statement acknowledging the attack, said the worm had been quickly contained and eliminated. But independent analysts are not as sure.
Albright and other nuclear experts discounted news reports suggesting that the worm posed a serious safety threat to Iran's Bushehr nuclear power plant. But the ISIS and Symantec reports noted that parts of the malware's operating code appeared to be unfinished, and Stuxnet has been updated with new instructions at least once since its release.
IAEA inspectors were unable to determine whether Iran's efforts to erase the worm from its equipment had succeeded, raising the possibility of subsequent attacks.
Albright said it was possible that the Natanz facility could become infected a second time, since so many computers in Iran - an estimated 60,000 or more - are known to have been affected. But he questioned whether the worm's limited success so far justifies the use of a tactic that will probably provoke retaliation.
"Stuxnet is now a model code for all to copy and modify to attack other industrial facilities," Albright wrote in the ISIS report. "Its discovery likely increased the risk of similar cyberattacks against the United States and its allies."