Electronic Weapons: Iran Exploits Western Cellphones


August 19, 2025: Iranian-backed groups, such as the Houthis in Yemen, use the crews' own Western-made cellphones to track merchant ships in the Red Sea, remotely obtaining the phones' locations. Even on warships, where official communications are encrypted, sailors' personal phones are not protected in the same way. A ship located this way can be attacked with drone speedboats carrying explosives, anti-ship missiles, or naval mines.

This is not the first time Iran has been on one side of such an electronic campaign. Thirteen years ago, in 2012, American and Israeli officials confirmed that the industrial-grade cyberwar weapons used against Iran in the preceding years, Stuxnet, Duqu, and Flame, were joint U.S.-Israeli operations. No further details were released, although many rumors circulated. The U.S. and Israel had long been suspected of building these weapons-grade computer worms, since both had the motive, means, and opportunity to use them against Iran and other state sponsors of terrorism.

The U.S. military has repeatedly sought permission to go on the offensive with cyberwar weapons. The U.S. government, however, has consistently declined to retaliate publicly against persistent attacks from China, primarily due to fears of legal repercussions and the risk that such weapons could spiral out of control, causing unintended damage to innocent parties.

Iran presented a different case. Although not a major cyberwar threat to the United States, Iran was pursuing nuclear weapons, and Israel had reportedly explored using cyberwar tools to disrupt that effort. Because such weapons work best when the target does not know they exist, few details of the program have been disclosed. What is known is that the weapons used against Iran were built for specific objectives. Only three have been identified. Stuxnet was engineered to damage one facility, the plant where Iran enriched uranium for reactor fuel and, potentially, for atomic weapons, and it succeeded. The other two, Duqu and Flame, were intelligence-collection tools that stayed hidden for years while gathering large amounts of valuable data.

In 2012, the latest of these cyberwar superweapons, Flame, was uncovered. Designed to stay hidden and collect information from infected computers, Flame had operated undetected for as long as five years in Iran, Lebanon, the Palestinian West Bank and, to a lesser extent, other Muslim countries in the region. Like Stuxnet (released in 2009, discovered in 2010) and Duqu (discovered in 2011), Flame showed the marks of professional programmers and software engineers. Most malware is written by talented but undisciplined amateurs and is poorly organized; professional teams produce more capable and reliable software, and that describes Stuxnet, Duqu, and Flame. The U.S. and Israel invested heavily to develop these weapons and deliver them to their targets, drawing on top-tier programming talent and organizations able to run highly secretive software projects.

As researchers studied the three programs, they kept finding more sophisticated features. Until Flame was found, Stuxnet was considered the most formidable cyberwar weapon. A worm, that is, a program that continuously tries to copy itself to other systems, Stuxnet surfaced two years before Flame and was built to damage Iran's uranium-enrichment equipment. A year after Stuxnet's discovery in 2010, security researchers identified Duqu, which was collecting data on large computer networks, apparently in preparation for broader attacks on industrial targets.

Stuxnet and Duqu were believed to be two of five or more cyberwar weapons built on the same platform, developed up to five years earlier. Flame was initially judged to be unrelated to them, although researchers later found an early Stuxnet version that contained a Flame module, so the two development teams at least shared code. The Flame platform was built to accept many additional software modules, so each variant could have different capabilities. Some modules used specific computer hardware, such as microphones, Bluetooth radios, or cameras. Flame spread over USB memory sticks and local networks, much as Stuxnet did, reported to its operators over the Internet, and could even pose as a Microsoft Windows Update server on a local network to push itself onto other machines.

Some infected PCs contained numerous Flame modules, totaling up to 20 megabytes of code and data. Flame concealed its presence effectively and included a robust self-destruct feature that erased all evidence of its existence. Over its five-year operation, Flame infected a few thousand PCs and collected vast amounts of data.

Duqu, in contrast, probed industrial computer systems and sent back information about their structure and operations. When Duqu was discovered, the server receiving its data was traced to India and shut down. Duqu appeared to go quiet after a few months, either because it had completed its mission or because of the increased scrutiny. Flame kept operating until it was discovered, after which its operators sent infected machines a command to erase it.

For over two years, hundreds of skilled programmers have analyzed Stuxnet and Duqu, openly discussing their findings. Although these programs are government property, once released, they become accessible to everyone. Public discussions on the Internet provided valuable critiques of their construction, often detailing how flaws could be addressed or features enhanced. Even when specific improvements were not outlined, programmers analyzing these programs typically identified the tools or techniques needed to make the code more effective.

However, this public dissection made the software’s inner workings and improvements available to anyone. On the positive side, security professionals gained a clearer understanding of how such weapons function, which could make future similar attacks more difficult to execute.

Flame, larger and more complex than Stuxnet or Duqu, will keep researchers occupied for years. With three professionally crafted cyberwar weapons emerging in the past 15 years, more are likely to appear.

Weapons like Stuxnet and Duqu are not entirely new. For nearly a decade, cyberwar operatives and criminal hackers have planted malware, such as Trojan horses or botnet agents (zombies), in corporate and government networks. These programs, remotely controlled by their creators, can steal, modify, or destroy data, or shut down the infected systems. New PCs are often infected by exploiting software vulnerabilities that the vendor does not yet know about or has not yet patched, so-called zero-day exploits (ZDEs). In skilled hands, such flaws let criminals carry out large-scale online heists or keep covert control of systems. Flame likely used high-quality, expensive ZDEs and may have received new ones over time.

Stuxnet contained four ZDEs, two of which were previously unknown, which pointed to the substantial resources behind it. ZDEs are hard to find and can sell for more than $250,000 on the black market. Stuxnet's purpose, sabotaging an industrial facility, also highlighted a growing problem: the vulnerability of industrial control systems. Vendors of industrial control software were warned of increasing attempts to breach their defenses. Beyond terrorists, criminals could use compromised control systems to extort money from utilities or factories, or sell vulnerability details to cyberwar organizations. Stuxnet's target was Iran's nuclear program, but hackers studying it could adapt its techniques for blackmail schemes.

Stuxnet was designed to disrupt key components of Iran’s nuclear weapons program, including damaging gas centrifuges used to enrich uranium to weapons-grade material. Iran eventually acknowledged this damage, and Western estimates of when Iran could develop a nuclear weapon were extended by several years.

Duqu capitalized on Stuxnet’s success by spreading to numerous industrial sites, gathering details about their operations and sending data to those planning a potential “Stuxnet 2.0.” Multiple versions of Duqu have been identified, all programmed to erase themselves after 36 days in a system.

Stuxnet was likely released in late 2009, infecting thousands of computers as it sought its Iranian target. Initial analysis revealed it was designed to disrupt control software in industrial facilities, such as power, water, sanitation, and other plants. Further examination showed Stuxnet specifically targeted gas centrifuges, subtly disrupting their operation.

Stuxnet was engineered to hide inside the industrial control software itself, which made it hard to be sure every trace had been removed. This was its most alarming feature, and it left Iranian officials worrying about other Stuxnet-like attacks they had not yet detected. Although Iran admitted that Stuxnet caused damage, it withheld details of when the malware reached the centrifuges and how long it ran before detection and removal. Stuxnet does, however, account for the otherwise unexplained slowdown in Iran's centrifuge operations during that period. Its creators probably knew the extent of the damage, since the malware included a "call home" feature that reported back to its controllers.

The U.S. and Israel have a history of successful software attacks, though these incidents receive little mainstream media coverage due to their technical complexity and lack of visuals. Earlier attacks, particularly Stuxnet, Duqu, and Flame, spread in a controlled manner, often via agents who introduced infected USB memory sticks into target facilities. Even if some copies reached Internet-connected PCs, they did not spread widely, unlike worms and viruses designed for rapid global propagation, which can infect millions of PCs within hours.

Despite the secrecy, these cyberwar weapons are very real, and professionals are impressed by Stuxnet, Duqu, and Flame, even if the public remains largely unaware. Their demonstrated capabilities mark a new era in Internet-based warfare. The amateur era is over, and major players are now dominant. The U.S. and Israel’s cyberwar offensive has likely been active for years, using stealth to remain undetected. There are probably more than three such covert cyberwar programs in use, and most will remain undisclosed until, or if, they are discovered and publicized.
