How Military Cyber Weapons Actually Work: From Zero-Day Exploits to Industrial Sabotage
In June 2010, a Belarusian antivirus company called VirusBlokAda received a malware sample from a client in Iran. The analyst who examined it, Sergey Ulasen, found something unusual: a Windows rootkit that spread via USB drives using a previously unknown vulnerability in how Windows processes .LNK shortcut files. The exploit was elegant. Simply browsing to a directory containing the malicious .LNK file was sufficient to trigger code execution; the user did not need to click on anything. That alone would have been noteworthy. What made it historically significant was everything that came after.
The malware contained not one zero-day exploit but four. It carried a digital certificate stolen from Realtek Semiconductor, later replaced with one from JMicron Technology, both companies located in the same office park in Hsinchu, Taiwan. It targeted two specific models of Siemens programmable logic controller. And its payload did not steal credit card numbers or send spam. It manipulated the rotational speed of uranium enrichment centrifuges at a nuclear facility in Natanz, Iran, while replaying recorded telemetry to the operators so they would see nothing wrong.
This was Stuxnet: the first cyber weapon whose existence, targeting, and effects have been publicly documented in detail. It remains the most thoroughly analysed example of what a state-sponsored offensive cyber operation looks like when engineering resources are unconstrained. Understanding how it worked, and how the weapons that followed it work, requires understanding the entire stack: from the vulnerability research that produces zero-day exploits to the industrial control system protocols that govern physical processes.
1. What Makes a Cyber Weapon Different from Criminal Malware
The distinction between criminal malware and a cyber weapon is not one of technique alone. The same exploitation primitives appear in both contexts: buffer overflows, use-after-free vulnerabilities, return-oriented programming, process injection. The difference lies in resourcing, targeting precision, operational security, and integration with broader intelligence objectives.
Resources. A criminal malware operation operates on economics. The authors invest the minimum development effort required to achieve a return, whether through ransomware payments, banking fraud, or selling access to compromised systems. A state-sponsored cyber weapon programme operates on strategic objectives. The development team may spend years building and testing a capability against a single target. Estimates of Stuxnet's development effort vary: Symantec put it at five to ten core developers for roughly six months, and other analysts at considerably longer. Whatever the figure, the work required access to the exact Siemens S7-315 and S7-417 PLC hardware used at Natanz, the specific Vacon NX and Fararo Paya frequency converters that drive the centrifuges, and a test environment with actual IR-1 centrifuge cascades. That level of investment implies a programme budget in the tens of millions of euros.
Zero-day stockpiling. Criminal groups occasionally use zero-day exploits, but they are expensive and tend to be burned quickly once deployed. State actors maintain inventories of zero-day vulnerabilities, discovered through internal research programmes, purchased from contractors and brokers, or acquired through intelligence liaison relationships. The US National Security Agency's Tailored Access Operations (TAO) group, Israel's Unit 8200, and the UK's GCHQ all maintain such stockpiles. A single operation might consume several zero-days simultaneously, as Stuxnet did. The willingness to burn four zero-days in a single weapon reflects a calculation that the strategic value of delaying Iran's nuclear programme exceeded the intelligence value of keeping those vulnerabilities in reserve.
Targeting precision. Criminal malware is generally promiscuous; it infects as many systems as possible to maximise revenue. A cyber weapon is designed to affect one specific target, or a narrow class of targets, while avoiding collateral effects that would reveal the operation prematurely. Stuxnet checked for the presence of specific Siemens STEP 7 software, specific PLC models, and specific frequency converter configurations before activating its payload. On any system that did not match the target profile, it propagated silently but did nothing destructive. This is the equivalent of a precision-guided munition versus an unguided bomb.
Operational security. The development process for a cyber weapon involves compartmentalisation, testing on replica systems, code review for operational security (ensuring the malware does not phone home to attributable infrastructure), and careful control of the deployment mechanism. Stuxnet's authors built in a counter that limited the number of machines each infected USB drive could compromise (three), and included a termination date (June 24, 2012) after which the malware would stop spreading. These are operational constraints imposed by an organisation that thinks in terms of mission parameters, not a criminal group maximising infection rates.
Integration with intelligence operations. A cyber weapon does not exist in isolation. Deploying Stuxnet required human intelligence to understand the Natanz facility layout, to determine which PLC models and frequency converters were in use, to identify the air-gapped network topology, and to get the initial USB drive into the facility. The operation, codenamed Olympic Games according to reporting by David Sanger of the New York Times, was a joint US-Israeli effort that combined NSA and Unit 8200 cyber capabilities with CIA and Mossad human intelligence.
2. Zero-Day Vulnerabilities: Discovery, Markets, and Strategic Stockpiles
A zero-day vulnerability is a software flaw that is unknown to the vendor and for which no patch exists. The name refers to the fact that the vendor has had zero days to fix the problem. From an attacker's perspective, a zero-day is the most valuable class of vulnerability: no patch or signature exists for it, so the only obstacles are generic exploit mitigations (ASLR, DEP, sandboxing) and behavioural detection of what the exploit does afterwards, neither of which blocks the vulnerability itself.
How Zero-Days Are Discovered
There are three primary methods of zero-day discovery, and all of them require significant technical skill.
Fuzzing is the automated generation of malformed or unexpected input designed to trigger crashes, memory corruption, or other unexpected behaviour in a target application. A fuzzer generates millions or billions of test cases, feeds them to the target (a PDF reader, a web browser, an operating system kernel interface), and monitors for crashes. Each crash is a potential vulnerability. Modern fuzzers like AFL (American Fuzzy Lop), libFuzzer, and Honggfuzz use coverage-guided techniques: they instrument the target binary to track which code paths each input exercises, then mutate successful inputs to explore new paths. Google's OSS-Fuzz project has found over 10,000 vulnerabilities in open-source software using continuous fuzzing. The same techniques, applied to closed-source software through binary instrumentation, are used by vulnerability researchers at intelligence agencies and private companies alike.
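The loop described above, in miniature, as an added example (not code from the page or from AFL/libFuzzer): a constructed toy parser is instrumented with `hit()` calls that stand in for compiled-in edge coverage, and the fuzzer keeps an input as a new parent only when it reaches a branch no earlier input reached. The target, its deliberate bug, the mutation operators and the interesting-value list are all constructed for illustration.

```python
"""Coverage-guided mutational fuzzer in miniature (added example, not from the page).

`hit()` stands in for the edge instrumentation AFL or libFuzzer compile into a
real binary.  Inputs that reach a branch not seen before are kept as parents for
further mutation; inputs that do not are discarded.  Everything here, including
the bug in the target, is constructed.
"""
import random

COVERAGE = set()               # branch labels hit during the current execution


def hit(label: str) -> None:
    COVERAGE.add(label)


def toy_parser(data: bytes) -> int:
    """Constructed target: 2-byte magic, a length byte, a body.  A defect hides behind three checks."""
    hit("entry")
    if len(data) < 4:
        hit("short")
        return 1
    if data[:2] != b"FZ":
        hit("bad-magic")
        return 2
    length = data[2]
    if length > 8:
        hit("too-long")
        return 3
    body = data[3:3 + length]
    if len(body) != length:
        hit("truncated")
        return 4
    if body[:1] == b"!":
        hit("bang")
        if len(body) > 1:
            hit("bang-index")
            table = [0, 0, 0, 0]
            return table[body[1]]       # deliberate bug: IndexError when body[1] > 3
    hit("ok")
    return 0


INTERESTING = [0, 1, 2, 3, 4, 8, 0x7F, 0xFF]   # boundary values, as real fuzzers carry


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply 1-3 random byte-level edits: random byte, interesting byte, insert, delete."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 2:
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == 3 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def run_once(data: bytes):
    """Execute the target once; return (branches hit, exception or None)."""
    COVERAGE.clear()
    try:
        toy_parser(data)
    except Exception as exc:         # any uncaught exception counts as a crash here
        return frozenset(COVERAGE), exc
    return frozenset(COVERAGE), None


def fuzz(seeds, budget: int = 200_000, guided: bool = True, seed: int = 1) -> dict:
    """Mutate corpus entries until a crash or the budget runs out.  guided=False gives blind mutation."""
    rng = random.Random(seed)
    corpus = list(seeds)
    seen = set()
    for s in corpus:
        seen |= run_once(s)[0]
    for i in range(1, budget + 1):
        child = mutate(rng, rng.choice(corpus))
        cov, exc = run_once(child)
        if exc is not None:
            return {"crash": child, "error": repr(exc), "iterations": i,
                    "branches": len(seen), "corpus": len(corpus)}
        if guided and not cov <= seen:   # new branch reached: keep the input as a parent
            seen |= cov
            corpus.append(child)
    return {"crash": None, "error": None, "iterations": budget,
            "branches": len(seen), "corpus": len(corpus)}


if __name__ == "__main__":
    print(fuzz([b"FZ\x01A"]))
```

Running `fuzz` with `guided=False` against the same seed rarely finds the crash in the same budget, because blind mutation has to make all three required changes in one step; the guided loop gets there because each intermediate input that reaches a new branch is saved and mutated further. Real fuzzers add a scheduler, deterministic mutation passes and crash triage, but the feedback loop is the same.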
Reverse engineering involves disassembling compiled binaries to understand their logic and identify flaws. Tools like IDA Pro, Ghidra (released by the NSA as open source in 2019), and Binary Ninja allow analysts to reconstruct the control flow, data structures, and function behaviour of compiled code. A skilled reverse engineer can identify memory management errors, type confusion vulnerabilities, integer overflows, and logic flaws by reading disassembled code. This is painstaking work. Analysing a single complex binary, such as the Windows kernel or a PDF parsing library, can take weeks or months.
Source code audit is the most direct method. When source code is available (open-source software, leaked proprietary code, or code obtained through intelligence collection), a researcher can read through it looking for common vulnerability patterns. Buffer overflows in C/C++ code, SQL injection in web applications, authentication bypasses in network services. Source code audit is how many vulnerabilities in the Linux kernel, OpenSSL, and other widely used open-source components are found.
The Zero-Day Market
Zero-day vulnerabilities have a market value that varies dramatically based on the target and the exploit quality. The market has three tiers.
The white market consists of vendor bug bounty programmes and coordinated disclosure. Apple pays up to €200,000 for certain iOS kernel vulnerabilities through its Security Bounty programme. Google pays up to around €150,000 for Chrome full-chain exploits. Microsoft's programmes offer similar figures. These payouts are modest relative to what the same vulnerabilities fetch elsewhere.
The grey market consists of brokers who purchase exploits and resell them to government clients. The most publicly visible of these is Zerodium, founded by Chaouki Bekrar (formerly of VUPEN Security, a French company). Zerodium's published price list offers up to roughly €2.3 million for a full-chain, zero-click Android exploit. A full iOS chain with persistence is listed at up to approximately €1.85 million. A Windows zero-click RCE is worth up to roughly €920,000. These prices reflect what government buyers are willing to pay. Other brokers operating in this space include Crowdfense (based in the UAE) and various unnamed intermediaries.
The black market consists of direct sales to intelligence agencies, military organisations, and in some cases criminal groups. Prices here are opaque, but they are generally higher than the grey market because the buyer gets exclusivity: the vulnerability will not be resold to other clients or disclosed to the vendor.
The Stockpiling Dilemma
Governments face a strategic tension between stockpiling vulnerabilities for offensive use and disclosing them to vendors to protect their own citizens. In the United States, this is managed through the Vulnerabilities Equities Process (VEP), a framework established in 2008 and revised in 2017 that convenes representatives from NSA, CIA, FBI, DHS, and other agencies to decide whether a given vulnerability should be retained for intelligence purposes or disclosed. The European Union does not have a publicly documented equivalent process, though individual member states (notably France's ANSSI and Germany's BSI) have acknowledged the tension.
The argument for stockpiling is that zero-days provide intelligence access that saves lives and advances national security. The argument for disclosure is that if one intelligence service has found the vulnerability, others may have found it too, and leaving it unpatched exposes everyone. This tension became acutely visible in 2017 when a cache of NSA exploits, including EternalBlue (a Windows SMB vulnerability), was leaked by a group calling itself the Shadow Brokers. EternalBlue was subsequently used in the WannaCry ransomware attack that disrupted the UK's National Health Service, Telefonica in Spain, Deutsche Bahn in Germany, and thousands of other organisations worldwide.
3. Stuxnet: Anatomy of a Cyber Weapon
Stuxnet remains the single most thoroughly documented cyber weapon. Its technical details have been reconstructed by researchers at Symantec, Kaspersky, Langner Communications (Ralph Langner's ICS security firm in Hamburg), and through investigative journalism. What follows is a technical walkthrough of how the weapon worked, from initial infection to physical destruction of centrifuges.
The Four Zero-Day Exploits
Stuxnet used four distinct zero-day vulnerabilities in Microsoft Windows, each serving a different purpose in the infection chain.
CVE-2010-2568: The .LNK vulnerability. Windows Shell in Windows XP, Vista, Server 2003, Server 2008, and Windows 7 did not properly handle .LNK (shortcut) files. A specially crafted .LNK file could cause Windows Explorer to execute arbitrary code when the user simply browsed to the directory containing the file, without clicking on it. The vulnerability existed in the way Explorer loaded icons for shortcut files: the .LNK file specified a Control Panel item (.CPL file, which is a DLL), and Explorer loaded the DLL to extract its icon, executing the DllMain function in the process. Stuxnet placed malicious .LNK files and accompanying DLLs on USB drives. When the USB drive was inserted and the user opened it in Explorer (or even when autoplay displayed the directory contents), the exploit triggered.
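A detection-side view of the same flaw, as an added example (not code from the page or from any vendor analysis): parse the Shell Link header and the LinkTargetIDList from the MS-SHLLINK format, then flag a shortcut in which a Control Panel folder item is followed by an item carrying a filesystem path to a module that Explorer would load just to draw the icon. The Control Panel and My Computer CLSIDs are the documented shell folder identifiers; the item layouts, the allow-list of trusted applet directories and all sample bytes are constructed for illustration and are not copied from the real Stuxnet files.

```python
"""Heuristic detector for Stuxnet-style .LNK icon-loading abuse (CVE-2010-2568).

Added example, not code from the page or from any vendor analysis.  Parses the
ShellLinkHeader and LinkTargetIDList (MS-SHLLINK) and flags a Control Panel
folder item followed by a module path outside the trusted applet directories.
Item layouts, the allow-list and the sample shortcuts are constructed.
"""
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")        # ShellLinkHeader.LinkCLSID
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
HAS_LINK_TARGET_ID_LIST = 0x00000001                                   # LinkFlags bit A
HEADER_SIZE = 0x4C
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\",)   # assumption: where legitimate applets live


def parse_lnk(blob: bytes):
    """Return (link_flags, [item_id_data, ...]); raise ValueError if this is not a shell link."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("truncated header")
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", blob, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LINK_CLSID:
        raise ValueError("not a Shell Link")
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", blob, HEADER_SIZE)
        pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size
        if end > len(blob):
            raise ValueError("IDList runs past end of file")
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", blob, pos)
            if item_size == 0:                      # TerminalID closes the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(blob[pos + 2:pos + item_size])   # data excludes its own size field
            pos += item_size
    return flags, items


def guid_of_item(data: bytes):
    """Shell folder items start 0x1F <sort index> <16-byte GUID>; return the GUID or None."""
    if len(data) >= 18 and data[0] == 0x1F:
        return uuid.UUID(bytes_le=data[2:18])
    return None


def path_of_item(data: bytes) -> str:
    """Constructed CPL-style item: 0x00 type byte, one pad byte, NUL-terminated UTF-16LE path."""
    if len(data) < 4 or data[0] != 0x00:
        return ""
    return data[2:].decode("utf-16-le", errors="ignore").split("\x00")[0]


def flags_cpl_abuse(blob: bytes) -> bool:
    """True when a Control Panel item is followed by a module path outside the trusted dirs."""
    _, items = parse_lnk(blob)
    under_control_panel = False
    for data in items:
        if guid_of_item(data) == CONTROL_PANEL_CLSID:
            under_control_panel = True
            continue
        if not under_control_panel:
            continue
        path = path_of_item(data).lower()
        if not path:
            continue
        trusted = path.endswith(".cpl") and path.startswith(TRUSTED_CPL_DIRS)
        if not trusted:
            return True          # Explorer would LoadLibrary this module just to render an icon
    return False


# --- constructed samples --------------------------------------------------------------
def folder_item(guid: uuid.UUID) -> bytes:
    return b"\x1f\x50" + guid.bytes_le


def cpl_item(path: str) -> bytes:
    return b"\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"


def build_lnk(items) -> bytes:
    idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in items) + b"\x00\x00"
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, timestamps, icon index zeroed
    return header + struct.pack("<H", len(idlist)) + idlist


SAMPLE_USB_DROPPER = build_lnk([folder_item(MY_COMPUTER_CLSID), folder_item(CONTROL_PANEL_CLSID),
                                cpl_item("E:\\~drop.tmp")])            # DLL on removable media
SAMPLE_LEGIT_APPLET = build_lnk([folder_item(MY_COMPUTER_CLSID), folder_item(CONTROL_PANEL_CLSID),
                                 cpl_item("C:\\Windows\\System32\\timedate.cpl")])
SAMPLE_PLAIN = build_lnk([folder_item(MY_COMPUTER_CLSID), cpl_item("C:\\Windows\\notepad.exe")])
```

The point of the allow-list is the one Microsoft's fix made: before MS10-046, Explorer loaded whatever module the CPL item named, so a shortcut pointing at a file on a USB stick was as good as one pointing at a registered applet. A scanner running this check over removable media and inbound archives catches the dropper pattern regardless of the DLL's name; it does not catch a malicious DLL that has been planted into a trusted directory.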
CVE-2010-2729: The Print Spooler vulnerability. The Windows Print Spooler service did not correctly validate print requests, allowing remote code execution. Stuxnet used this to spread across local networks by sending specially crafted print requests to the spooler service on remote machines.
CVE-2008-4250: The Windows Server Service vulnerability. This was actually a previously known vulnerability (patched in October 2008 via MS08-067), not a true zero-day at the time Stuxnet was deployed. It is the same vulnerability exploited by the Conficker worm. Stuxnet included it as a secondary propagation mechanism, exploiting machines that had not applied the patch.
CVE-2010-2743 and CVE-2010-3338: Privilege escalation vulnerabilities. Two local privilege escalation vulnerabilities, one in win32k.sys keyboard layout handling (CVE-2010-2743, fixed in MS10-073) and one in the Task Scheduler (CVE-2010-3338, fixed in MS10-092 and initially tracked as CVE-2010-3888), allowed Stuxnet to escalate from user-level to SYSTEM privileges, ensuring it could install its rootkit components and access protected system resources.
The combination of these exploits gave Stuxnet multiple independent infection vectors: USB drives (via the .LNK exploit), network shares (via the SMB vulnerability), print spooler (via the spooler vulnerability), and STEP 7 project files (Stuxnet also infected Siemens STEP 7 project files so that opening an infected project on a clean machine would install the malware). The redundancy was deliberate. An air-gapped network cannot be reached via the network, but it can be reached via USB drives carried in by engineers, and via STEP 7 project files transferred on removable media.
Air-Gap Traversal
The Natanz uranium enrichment facility's control systems were air-gapped: not connected to the internet or to any external network. This is a standard security measure for critical infrastructure. Stuxnet was designed from the outset to cross this gap.
The primary traversal mechanism was USB drives. Stuxnet infected Windows machines connected to the internet through the network propagation exploits. When an engineer at a contractor company, working on Siemens STEP 7 projects related to Natanz, inserted a USB drive into an infected machine, Stuxnet copied itself onto the drive along with the .LNK exploit files. When that USB drive was later connected to a machine inside the air-gapped network, the .LNK exploit triggered, and Stuxnet was inside.
The three-infection limit per USB drive was an operational constraint designed to reduce the chance of the malware spreading widely and being discovered. Each infected USB drive maintained a counter, and after three infections the .LNK exploit files were removed. This reflects a careful balancing of propagation speed against operational security.
Stuxnet also infected Siemens STEP 7 project files (.S7P and .MCP files) by hooking the STEP 7 DLL s7otbxdx.dll, which handles communication between the STEP 7 programming environment and the PLC. This meant that project files created or opened on an infected machine could carry the infection to other machines where those project files were used. In an industrial environment where engineers routinely share project files, this was an effective secondary vector.
The PLC Payload
The real weapon was not the Windows worm. The Windows components were merely the delivery vehicle. The weapon was the code injected into the Siemens S7-315 and S7-417 programmable logic controllers.
Stuxnet targeted two specific PLC configurations:
Sequence A (S7-315 targeting). This payload targeted the Siemens S7-315 PLC connected to frequency converters manufactured by Vacon (a Finnish company, producing the Vacon NX series) and Fararo Paya (an Iranian company). The frequency converters controlled the rotational speed of the IR-1 centrifuge motors. Under normal operation, these centrifuges spin at approximately 63,000 RPM, which corresponds to a drive frequency of 1,064 Hz.
Stuxnet's Sequence A payload modified the frequency commands sent to the converters. It would periodically change the output frequency from the normal 1,064 Hz to 1,410 Hz (overspeeding the centrifuges to approximately 84,600 RPM), hold that for 15 minutes, then drop to 2 Hz (nearly stopping the centrifuges), then return to 1,064 Hz. The cycle repeated roughly every 27 days. The mechanical stress of repeated overspeeding and abrupt deceleration caused the aluminium centrifuge rotors to fail. The IR-1 centrifuge, a Pakistani design derived from the Dutch URENCO centrifuge, is a subcritical rotor design, meaning it operates below its first resonant frequency. Overspeeding pushes it closer to resonance, where vibration amplitudes increase dramatically and mechanical failure follows.
Sequence B (S7-417 targeting). This payload targeted the S7-417 PLC that controlled the cascade protection system, which manages the valves and pressure regulation for a cascade of 164 centrifuges. Sequence B manipulated valve states to disrupt the flow of UF6 (uranium hexafluoride) gas through the cascade, causing enrichment process failures. One caveat: in the samples recovered and analysed, Symantec found the S7-417 attack code incomplete and disabled, so its intended effects are reconstructed from the code rather than from observed behaviour.
The Man-in-the-Middle on the PLC
The most technically sophisticated aspect of Stuxnet was how it concealed the attack from the operators.
Siemens S7 PLCs execute user code cyclically. The main programme cycle is Organisation Block 1 (OB1), which runs continuously. Time-critical work goes in OB35, a cyclic interrupt block that executes at a fixed interval (100 milliseconds in the Natanz configuration, according to the published analyses). OB35 is where the process monitoring logic runs: reading sensor values, checking that centrifuge speeds and pressures are within acceptable ranges, and writing the values that the SCADA (Supervisory Control and Data Acquisition) system polls to update the operator displays.
Stuxnet's PLC payload replaced the original OB1 and OB35 code blocks with its own versions. The replacement OB35 block implemented a recording and replay attack:
- During normal operation (before and between attack sequences), Stuxnet's OB35 recorded the legitimate sensor values, centrifuge speeds, pressure readings, and valve states.
- When an attack sequence began (modifying frequency converter commands to overspeed or stop centrifuges), Stuxnet's OB35 stopped reading actual sensor values and instead replayed the previously recorded "normal" values to the SCADA system.
- The operators, watching their screens in the Natanz control room, saw steady centrifuge speeds, normal pressures, and green status indicators, even as the centrifuges were being physically destroyed.
This is a man-in-the-middle attack on the physical process itself. The PLC payload ran as MC7 bytecode, the compiled form of STL (Statement List), the Siemens assembler-level PLC programming language. The injected logic consisted of additional function blocks (FC) and data blocks (DB890 is one of the data blocks identified in the Langner and Symantec analyses), called from the modified OB1 and OB35. The rootkit component on the Windows side, which hooked s7otbxdx.dll, ensured that when an engineer connected STEP 7 to the PLC to read its programme, the original (unmodified) code blocks were returned instead of the code actually running. This dual concealment, hiding the attack from operators via replay and from engineers via the DLL hook, required intimate knowledge of both the STEP 7 software on Windows and the PLC runtime architecture. It also means that a STEP 7 upload from an infected workstation is not evidence of a clean controller; verifying PLC logic requires a read path the infected host does not control.
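The Sequence A schedule and the record-and-replay hook described above, simulated together as an added example (not Stuxnet code or any analyst's reconstruction): a toy process loop stands in for OB35, the attack schedule is compressed from days to a few hundred ticks, and the sensor is a constructed Gaussian-noise reading around the commanded frequency. The frequencies are the values cited above; the RPM conversion assumes a two-pole motor. Alongside the simulation is the simplest detector that works against this particular hook: replayed telemetry exactly repeats telemetry already seen, which real sensor noise never does.

```python
"""Stuxnet-style record-and-replay concealment, simulated, with a replay detector.

Added example, not Stuxnet code or an analyst's reconstruction.  The process
loop stands in for OB35; the attack schedule is compressed; sensor noise is a
constructed Gaussian.  Frequencies are those the article cites; rpm = Hz * 60
assumes a two-pole motor.
"""
import random

NORMAL_HZ, OVERSPEED_HZ, STALL_HZ = 1064.0, 1410.0, 2.0
TICK_S = 0.1                  # OB35 cyclic interrupt period given for Natanz
RECORD_TICKS = 600            # how much "normal" telemetry the hook records before replaying it


def rpm(hz: float) -> float:
    return hz * 60.0          # 1064 Hz -> 63,840 rpm; 1410 Hz -> 84,600 rpm


def simulate(n_ticks: int, attack_start: int, attack_len: int, seed: int = 7):
    """Return (commanded_hz, measured_hz, reported_hz) per tick.

    measured is what the sensor really reads; reported is what the hooked OB35
    hands to the SCADA poll.  Outside the attack window they are identical.
    """
    rng = random.Random(seed)
    commanded, measured, reported, recording = [], [], [], []
    for t in range(n_ticks):
        in_attack = attack_start <= t < attack_start + attack_len
        if not in_attack:
            cmd = NORMAL_HZ
        elif t < attack_start + attack_len // 4:
            cmd = OVERSPEED_HZ                   # first quarter of the sequence: overspeed
        else:
            cmd = STALL_HZ                       # then near-stop
        real = cmd + rng.gauss(0.0, 0.5)         # constructed sensor noise
        if in_attack and recording:
            shown = recording[(t - attack_start) % len(recording)]   # hook replays old readings
        else:
            if len(recording) < RECORD_TICKS:
                recording.append(real)           # hook records legitimate readings
            shown = real
        commanded.append(cmd)
        measured.append(real)
        reported.append(shown)
    return commanded, measured, reported


def max_divergence(measured, reported) -> float:
    """Largest gap between the true speed and what the operators were shown."""
    return max(abs(m - r) for m, r in zip(measured, reported))


def find_replay(reported, window: int = 20):
    """Return (replay_tick, original_tick) the first time a window of values exactly repeats, else None."""
    seen = {}
    for i in range(len(reported) - window + 1):
        key = tuple(reported[i:i + window])
        if key in seen:
            return i, seen[key]
        seen[key] = i
    return None


if __name__ == "__main__":
    cmd, meas, rep = simulate(n_ticks=1400, attack_start=1000, attack_len=400)
    print("operators saw at most", round(max_divergence(meas, rep)), "Hz of divergence")
    print("replay detected at tick", find_replay(rep))
```

The exact-repeat check is cheap and catches this hook, but an attacker who adds fresh noise to the replayed values defeats it. The durable control is what `max_divergence` models: an independent measurement (vibration, motor current, a separate speed sensor) read by a device the PLC cannot write to, compared against what the PLC reports. During the stall phase that comparison shows a gap of roughly 1,000 Hz, which no operator screen would miss.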
Discovery and Attribution
Stuxnet was eventually discovered because of a bug. A configuration error (or possibly a code defect introduced during an update to the malware) caused Stuxnet to crash and reboot Windows machines that did not match the target profile. The reboots drew attention. VirusBlokAda's discovery in June 2010 led to analysis by Symantec, Kaspersky, and others.
Attribution to the United States and Israel was not formally acknowledged by either government but was reported by multiple journalists with intelligence community sources. The operation name "Olympic Games" was revealed by David Sanger in the New York Times in 2012. The level of resources required, the intelligence needed about the Natanz facility, the use of two stolen digital certificates from Taiwanese companies, and the overall sophistication all point to a joint operation by NSA and Unit 8200.
The IAEA (International Atomic Energy Agency) reported that Iran decommissioned and replaced roughly 1,000 IR-1 centrifuges at Natanz between late 2009 and early 2010, consistent with the timeline of Stuxnet's operation. Whether the operation significantly delayed Iran's nuclear programme is debated; estimates range from several months to two years.
4. Post-Stuxnet Weapons: The Arsenal Grows
Stuxnet was not an isolated event. It was part of a broader family of tools, and its success inspired further development of offensive cyber capabilities by multiple nations.
Duqu (2011)
Discovered by the CrySyS Lab at the Budapest University of Technology and Economics, Duqu shared substantial code with Stuxnet (kernel drivers used the same compilation framework, and the authors clearly had access to Stuxnet's source code or a common codebase). Duqu was an intelligence collection tool, not a weapon. It targeted organisations in Europe, the Middle East, and Asia, including certificate authorities, to gather information that could support future operations. Its command-and-control infrastructure used compromised servers in Belgium, India, and Vietnam, communicating over HTTP with data steganographically embedded in JPEG image files. Duqu used a zero-day vulnerability in the Windows TrueType font parsing engine (CVE-2011-3402) for initial infection via malicious Word documents.
Flame (2012)
Flame (also known as Flamer or sKyWIper) was a massive espionage platform discovered by Kaspersky Lab and CrySyS Lab in 2012, though it had been active since at least 2010. At approximately 20 megabytes, it was enormous by malware standards. Flame could record audio through the infected computer's microphone, capture screenshots, log keystrokes, sniff network traffic, and use Bluetooth to enumerate and collect information from nearby devices.
Flame's most technically remarkable feature was a cryptographic attack on Microsoft's Windows Update mechanism. The malware performed an MD5 chosen-prefix collision attack against Microsoft's Terminal Server Licensing Service certificates, which used the MD5 hash algorithm. By generating a collision, the attackers created a fraudulent certificate that appeared to be signed by Microsoft. This certificate was used to sign Flame's components, allowing them to appear as legitimate Windows Update packages. The collision attack required substantial computational resources and deep expertise in cryptanalysis. Marc Stevens, the researcher who had published the foundational work on MD5 chosen-prefix collisions, confirmed that Flame used a previously unknown variant of the technique.
Shamoon (2012)
On 15 August 2012, Saudi Aramco, the world's largest oil company, lost approximately 35,000 workstations in a single attack. The Shamoon malware (also called Disttrack) was a destructive wiper: it overwrote the master boot record and file system data on infected machines with a fragment of an image of a burning American flag. The attack did not target industrial control systems; it targeted the corporate IT network. But the scale of destruction was unprecedented. Aramco reportedly had to purchase every available hard drive from manufacturers in Southeast Asia to rebuild its fleet. The attack was attributed to Iran, likely in retaliation for Stuxnet.
BlackEnergy and Industroyer (2015, 2016)
On 23 December 2015, three Ukrainian electricity distribution companies experienced coordinated cyberattacks that caused power outages affecting approximately 225,000 customers. The attackers, attributed to the Russian group Sandworm (a GRU unit), used the BlackEnergy malware to gain initial access, then manually operated SCADA systems to open circuit breakers. They simultaneously deployed a KillDisk wiper component to destroy the operators' workstations, making recovery more difficult. The attack combined initial compromise via spearphishing emails with Microsoft Office documents containing BlackEnergy macros.
In December 2016, a more sophisticated attack hit Ukrenergo, Ukraine's national transmission operator, causing a blackout in parts of Kyiv. This attack used Industroyer (also called CrashOverride), purpose-built malware that spoke industrial control system protocols directly. Industroyer had payload modules for IEC 60870-5-101 (serial telecontrol), IEC 60870-5-104 (the TCP/IP variant used in European power grids), IEC 61850 (the substation automation standard), and OPC Data Access (a Windows-based protocol for ICS communication), plus a denial-of-service tool against Siemens SIPROTEC protective relays. Because these protocols carry no authentication, a module that can reach an RTU or relay over the network can issue the same commands as the legitimate master. This was the first malware since Stuxnet purpose-built to manipulate physical equipment at the protocol level.
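What "speaking the protocol" amounts to for IEC 60870-5-104, as an added example (not code from the page or from any Industroyer analysis): a decoder for the APCI (start byte 0x68, length, four control octets) and the ASDU header with the field sizes IEC 104 fixes (2-octet cause of transmission, 2-octet common address, 3-octet information object address), plus an alert that flags control-direction ASDUs from any host other than the allow-listed master. The frames, addresses and allow-list below are constructed.

```python
"""IEC 60870-5-104 APDU decoder with a control-command alert (added example).

Not code from the page or from any vendor's Industroyer analysis.  Decodes APCI
and ASDU with the IEC 104 field sizes and flags control ASDUs from hosts that
are not the allow-listed master.  Frames, addresses and allow-list are constructed.
"""
import struct

START_BYTE = 0x68
# Control-direction type identifiers that change process state (IEC 60870-5-101 type table).
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
                 49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1", 58: "C_SC_TA_1",
                 59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1", 62: "C_SE_TB_1",
                 63: "C_SE_TC_1", 64: "C_BO_TA_1"}
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             8: "deactivation", 20: "interrogated"}


def parse_apdu(frame: bytes) -> dict:
    """Decode one APDU; I-format frames also get their ASDU decoded."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("no APCI start byte")
    if frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match frame")
    c0, c1, c2, c3 = frame[2:6]
    if c0 & 0x01 == 0:                                   # I-format: information transfer
        apdu = {"format": "I", "send_seq": (c0 >> 1) | (c1 << 7), "recv_seq": (c2 >> 1) | (c3 << 7)}
        apdu.update(parse_asdu(frame[6:]))
        return apdu
    if c0 & 0x03 == 0x01:                                # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": (c2 >> 1) | (c3 << 7)}
    return {"format": "U", "function": c0 & 0xFC}        # U-format: STARTDT/STOPDT/TESTFR


def parse_asdu(asdu: bytes) -> dict:
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    type_id, vsq, cot, originator, common_addr = struct.unpack_from("<BBBBH", asdu, 0)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    info = {"type_id": type_id, "count": vsq & 0x7F, "sequence": bool(vsq & 0x80),
            "cot": cot & 0x3F, "cot_name": COT_NAMES.get(cot & 0x3F, "other"),
            "test": bool(cot & 0x80), "negative": bool(cot & 0x40),
            "originator": originator, "common_addr": common_addr, "ioa": ioa}
    if type_id == 45 and len(asdu) >= 10:               # single command: SCO octet
        sco = asdu[9]
        info.update(state=sco & 0x01, qualifier=(sco >> 2) & 0x1F, select=bool(sco & 0x80))
    elif type_id == 46 and len(asdu) >= 10:             # double command: DCO octet, 1 = OFF, 2 = ON
        dco = asdu[9]
        info.update(state=dco & 0x03, qualifier=(dco >> 2) & 0x1F, select=bool(dco & 0x80))
    elif type_id == 1 and len(asdu) >= 10:              # single-point information: SIQ octet
        info.update(state=asdu[9] & 0x01, invalid=bool(asdu[9] & 0x80))
    return info


def control_alerts(observed, allowed_masters):
    """observed: iterable of (source_ip, frame).  Alert on control ASDUs from any other host."""
    alerts = []
    for src, frame in observed:
        apdu = parse_apdu(frame)
        if apdu["format"] != "I" or apdu["type_id"] not in CONTROL_TYPES:
            continue
        if src not in allowed_masters:
            alerts.append({"src": src, "type": CONTROL_TYPES[apdu["type_id"]], "ioa": apdu["ioa"],
                           "state": apdu.get("state"), "cot": apdu["cot_name"]})
    return alerts


# --- constructed frames ---------------------------------------------------------------
def i_frame(send_seq: int, recv_seq: int, asdu: bytes) -> bytes:
    ctrl = bytes([(send_seq << 1) & 0xFE, (send_seq >> 7) & 0xFF,
                  (recv_seq << 1) & 0xFE, (recv_seq >> 7) & 0xFF])
    return bytes([START_BYTE, 4 + len(asdu)]) + ctrl + asdu


def asdu_header(type_id: int, cot: int, common_addr: int, ioa: int) -> bytes:
    return struct.pack("<BBBBH", type_id, 1, cot, 0, common_addr) + ioa.to_bytes(3, "little")


STARTDT_ACT = bytes([START_BYTE, 4, 0x07, 0, 0, 0])
BREAKER_STATUS = i_frame(0, 0, asdu_header(1, 3, 1, 0x1001) + b"\x01")    # RTU reports point ON
OPERATOR_CMD = i_frame(1, 1, asdu_header(45, 6, 1, 0x2001) + b"\x01")     # master: single command, ON
ROGUE_CMD = i_frame(2, 1, asdu_header(46, 6, 1, 0x2001) + b"\x01")        # other host: double cmd OFF

ALLOWED_MASTERS = {"10.0.1.10"}
CAPTURE = [("10.0.1.10", STARTDT_ACT), ("10.0.1.10", OPERATOR_CMD),
           ("10.0.2.5", BREAKER_STATUS), ("10.0.1.77", ROGUE_CMD)]
```

A source allow-list is the minimum, and it is not enough on its own: Industroyer ran on a host inside the control network that already had a path to the outstations, so its commands could come from an address the allow-list trusts. A monitor that decodes this far can also rate-limit activation commands per IOA, flag commands outside scheduled switching windows, and compare the command stream against the operator's HMI actions.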
NotPetya (2017)
On 27 June 2017, a software update for M.E.Doc, a Ukrainian tax accounting application used by nearly every company doing business in Ukraine, delivered a backdoored update to its users. The update contained what initially appeared to be ransomware: it encrypted files and displayed a ransom note demanding roughly €275 in Bitcoin. But the encryption was not reversible. The malware was a wiper disguised as ransomware, designed to cause maximum destruction.
NotPetya spread laterally using EternalBlue (the NSA exploit leaked by the Shadow Brokers) and Mimikatz (a credential harvesting tool). Once inside a network, it propagated with extraordinary speed. Maersk, the Danish shipping conglomerate, lost its entire IT infrastructure within hours. The company had approximately 49,000 laptops, 1,200 applications, and 3,500 servers across 600 sites in 130 countries. Nearly all were destroyed. Recovery required rebuilding from backup domain controllers, one of which survived only because a power outage in Accra, Ghana had taken that server offline before NotPetya reached it. Maersk estimated its losses at €230 to €275 million. Total global damage from NotPetya exceeded €9.2 billion. The attack was attributed to the Russian GRU's Sandworm group and is considered the most destructive cyberattack in history.
Triton/TRISIS (2017)
In August 2017, a petrochemical facility in Saudi Arabia experienced an unexpected shutdown. Investigation revealed that the Triconex safety instrumented system (SIS), manufactured by Schneider Electric, had been compromised. The SIS is the last line of defence in an industrial process: if temperatures, pressures, or other parameters exceed safe limits, the SIS triggers an emergency shutdown to prevent explosions, toxic releases, or other catastrophic outcomes. It is independent from the main process control system precisely so that a failure in the control system cannot prevent a safety shutdown.
The Triton malware (also called TRISIS) targeted the Schneider Electric Triconex Model 3008 safety controller. The malware was injected into the SIS engineering workstation, then uploaded to the Triconex controller via its proprietary TriStation protocol (which, like many ICS protocols, lacks authentication). Triton's payload modified the SIS logic to allow the attacker to either disable the safety system entirely or to trigger a false shutdown. The attacker's apparent goal was to disable safety protections while simultaneously attacking the process control system to cause a dangerous physical condition, potentially an explosion.
The attack failed because Triton's code contained a bug that caused the Triconex controller to enter a safe shutdown state, which triggered the investigation. If the bug had not been present, the attack could have caused a physical disaster with potential loss of life. Triton was attributed to a Russian government research institution, the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) in Moscow, by the US government in 2020.
5. The Exploit Chain: From Phishing Email to Physical Destruction
A cyber weapon does not rely on a single vulnerability. It chains multiple exploits and techniques together, each one providing the conditions required for the next. The chain must be reliable end-to-end, and every link must be stealthy. A failure at any stage, not just a failure to execute, but a detectable failure, can expose the entire operation.
Initial access. The entry point varies by target. Against a corporate network, spearphishing emails with weaponised document attachments (PDF, Word, Excel) remain effective. The document exploit triggers code execution, which downloads and installs a first-stage implant. Against an air-gapped network, the initial access requires a physical vector: a USB drive, a compromised contractor laptop, or a supply chain compromise of hardware or software delivered to the target.
Persistence. Once inside, the implant establishes persistence, ensuring it survives reboots, user logouts, and routine security scans. Techniques include registry run keys, scheduled tasks, DLL search order hijacking, and more advanced methods like bootkit installation or firmware modification.
Privilege escalation. The initial infection typically runs with the privileges of the user who triggered the exploit. Reaching the PLC or SCADA system usually requires administrator or SYSTEM level access. Local privilege escalation exploits, often zero-days, provide this.
Lateral movement. The compromised machine is rarely the target. The attacker must move from the initial foothold to the target system, often through multiple network segments. Pass-the-hash, Kerberos ticket manipulation (golden tickets, silver tickets), exploitation of administrative tools like PsExec or WMI, and the abuse of trust relationships between domains all facilitate this movement.
Payload delivery. The final stage is reaching the target, whether it is a PLC, a SCADA server, a safety system, or a file server. The payload must be specifically engineered for the target: compiled for the right PLC model, speaking the right protocol, and designed to achieve the desired physical or logical effect.
The Stuxnet chain is instructive: .LNK exploit on USB drive (initial access) to Windows privilege escalation (local zero-days) to network propagation (SMB and print spooler exploits) to STEP 7 DLL hooking (accessing the PLC programming interface) to PLC code injection (payload delivery). Each step depended on the one before it, and each step was engineered to avoid detection.
6. Supply Chain Attacks: Compromising the Update Pipeline
Supply chain attacks represent a shift from targeting the victim directly to targeting a trusted third party whose software, hardware, or services the victim uses. The attacker compromises the supplier, then rides the trusted relationship into the victim's network.
SolarWinds (2020)
The canonical modern example is the compromise of SolarWinds Orion, a network management platform used by approximately 18,000 organisations worldwide, including multiple US government agencies, NATO, the European Parliament, and major corporations. The attacker (attributed to Russia's SVR, the foreign intelligence service) compromised SolarWinds' build server and inserted a backdoor, called SUNBURST, into the Orion software update. The backdoored update was digitally signed by SolarWinds, distributed through their normal update channel, and installed by customers who had no reason to question a signed update from their vendor.
SUNBURST was carefully designed to evade detection. It remained dormant for approximately two weeks after installation before contacting its command-and-control server. The C2 domain names were generated algorithmically and resolved through legitimate DNS infrastructure. The malware checked for the presence of security tools (antivirus, EDR products, forensic tools) and would not activate if certain products were detected. Once active, it provided the attackers with the ability to move laterally within the victim network, access email, and exfiltrate data.
The SolarWinds compromise was discovered by FireEye (now Mandiant) in December 2020, approximately nine months after the backdoor was first distributed. The scale was staggering: 18,000 organisations installed the backdoored update, though the attackers selectively targeted a smaller subset for active exploitation, estimated at around 100 organisations.
The Broader Pattern
SolarWinds was not an isolated incident. The M.E.Doc compromise that delivered NotPetya was a supply chain attack. The CCleaner compromise in 2017 (attributed to a Chinese group) distributed a backdoored version of the popular system utility to 2.27 million users. The ASUS Live Update compromise in 2019 (Operation ShadowHammer) pushed malicious updates to an estimated 500,000 ASUS laptops, but the payload only activated on machines with specific MAC addresses, indicating precise targeting. The Codecov compromise in 2021 altered a bash uploader script used in CI/CD pipelines to exfiltrate environment variables (often containing secrets and credentials) from customers' build environments.
The common thread is that supply chain attacks exploit trust. Code signing, update mechanisms, and vendor relationships are all mechanisms designed to establish trust. When those mechanisms are subverted, the malicious payload arrives wearing the disguise of legitimacy.
7. Industrial Control System Targeting: From IT to OT
Attacking an industrial control system requires understanding a different computing paradigm entirely. IT systems (business networks, email, web servers) and OT (operational technology) systems (PLCs, SCADA, DCS, safety systems) have different architectures, different protocols, different lifecycles, and different security models.
The Purdue Model
Industrial network architecture is traditionally described using the Purdue Enterprise Reference Architecture, which defines five levels:
Level 0: The Physical Process. Sensors and actuators directly connected to the physical process. Temperature probes, pressure transducers, flow meters, motor drives, valves.
Level 1: Basic Control. PLCs and remote terminal units (RTUs) that execute real-time control logic. These devices read sensors, execute control algorithms, and command actuators. Response times are measured in milliseconds.
Level 2: Area Supervisory Control. SCADA servers, human-machine interfaces (HMIs), and engineering workstations. This is where operators monitor the process and where engineers programme the PLCs.
Level 3: Site Operations. Historians, production scheduling, operations management. The boundary between OT and IT.
Level 3.5: DMZ. The demilitarised zone between the OT and IT networks. Firewalls, data diodes, and jump servers control traffic between the two domains.
Level 4/5: Enterprise. The corporate IT network: Active Directory, email, ERP systems, internet access.
An attacker targeting a PLC at Level 1 must traverse from Level 4/5 (where the initial compromise typically occurs via spearphishing or supply chain) down through each level. Each boundary crossing requires different techniques and different knowledge. Moving from Level 3 to Level 2 often requires understanding proprietary SCADA protocols. Moving from Level 2 to Level 1 requires understanding PLC programming environments and the specific industrial protocols in use.
Legacy Protocols Without Authentication
The protocols used at Levels 0 through 2 were designed in an era when security meant physical access control: if you were connected to the network, you were authorised to be there. The result is a set of protocols with no authentication, no encryption, and no integrity checking.
Modbus, originally developed by Modicon (now Schneider Electric) in 1979, is a serial protocol still widely used in industrial environments. Modbus RTU (serial) and Modbus TCP (Ethernet) allow a master device to read and write registers on slave devices. There is no authentication mechanism. Any device that can send a correctly formatted Modbus TCP packet to port 502 can read sensor values, write setpoints, and command actuators. An attacker on the OT network can issue Modbus commands to a PLC with no credentials required.
DNP3 (Distributed Network Protocol), used extensively in electric utility SCADA systems, was designed for reliability over noisy serial links. It has optional Secure Authentication extensions (defined in IEEE 1815-2012), but the majority of deployed DNP3 implementations do not use them. An attacker who can inject DNP3 packets can manipulate breaker states, transformer tap positions, and other critical power grid parameters.
OPC (originally OLE for Process Control, now the foundation of OPC UA) provides a standardised interface for SCADA software to communicate with diverse PLC and sensor hardware. The classic OPC DA (Data Access) specification is built on Microsoft's DCOM (Distributed Component Object Model), which brings all the security challenges of DCOM: complex authentication, broad attack surface, and frequent misconfiguration. OPC UA (Unified Architecture) was designed with security in mind, but adoption has been slow, and many installations still run OPC DA.
IEC 60870-5-104, used throughout European power grids for telecontrol (remote control of substations), runs over TCP/IP and has no native authentication. This is the protocol that Industroyer targeted to open circuit breakers in the Ukrainian power grid.
The patching challenge compounds the problem. IT systems are patched monthly or more frequently. OT systems may go years between patches because patching requires taking the controlled process offline, which is operationally unacceptable for systems that run 24/7 (power plants, water treatment, chemical processing). Many OT systems run operating systems that are no longer supported: Windows XP, Windows Server 2003, and even Windows NT are still found in operational environments.
8. Offensive Cyber Capabilities by Nation
Offensive cyber capability is inherently difficult to assess because the most capable actors are also the most secretive. What follows is based on public reporting, leaked documents, attribution of specific operations, and assessments by cybersecurity companies.
United States: NSA Tailored Access Operations (TAO). TAO, now officially known as Computer Network Operations, is the NSA's offensive hacking unit. Documents leaked by Edward Snowden in 2013 revealed the scale of NSA operations: thousands of implants on networks worldwide, catalogue tools (the ANT catalogue) for compromising routers, firewalls, servers, and mobile devices, and a global infrastructure for command and control. TAO is believed to be the largest and best-resourced offensive cyber organisation in the world. The US Cyber Command, established in 2009, provides the military operational framework.
Israel: Unit 8200. Part of the Israel Defence Forces' Military Intelligence Directorate, Unit 8200 is Israel's SIGINT and cyber operations unit. It is one of the largest units in the IDF, with personnel numbering in the thousands. Unit 8200 is credited as the co-developer (with NSA) of Stuxnet, Duqu, and Flame. The unit has produced an outsized number of alumni who go on to found cybersecurity companies: Check Point, CyberArk, Wiz, and dozens of others were founded by Unit 8200 veterans. Israel's offensive cyber capability is generally regarded as second only to the United States.
United Kingdom: GCHQ. The Government Communications Headquarters in Cheltenham operates both SIGINT and cyber operations. The National Cyber Force (NCF), established in 2020 as a joint GCHQ and Ministry of Defence organisation headquartered in Samlesbury, Lancashire, is the UK's dedicated offensive cyber unit. Snowden documents revealed GCHQ programmes including TEMPORA (bulk interception of fibre-optic communications), KARMA POLICE (web browsing metadata collection), and various exploit development programmes conducted in partnership with the NSA.
Russia: GRU and FSB. Russia's offensive cyber capability is primarily associated with two intelligence services. The GRU (military intelligence) operates multiple cyber units, most notably Unit 26165 (APT28/Fancy Bear) and Unit 74455 (Sandworm). Sandworm is responsible for BlackEnergy, Industroyer, NotPetya, and the Olympic Destroyer attack on the 2018 PyeongChang Winter Olympics. The FSB (domestic security service) operates groups attributed as Turla and APT29 (Cozy Bear). APT29 is responsible for the SolarWinds compromise.
China: PLA and MSS. The People's Liberation Army Strategic Support Force (SSF) and the Ministry of State Security (MSS) conduct China's cyber operations. PLA Unit 61398, based in Shanghai, was the subject of a detailed Mandiant report in 2013 that documented systematic theft of intellectual property from Western companies. China's cyber operations are characterised by scale: thousands of operators conducting parallel campaigns against a broad range of targets. In 2024 and 2025, the Volt Typhoon and Salt Typhoon campaigns attributed to China targeted US and allied critical infrastructure, including telecommunications providers and water systems, with an apparent focus on pre-positioning for potential future conflict.
France: ANSSI and DGA. France's Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) is primarily defensive, but France maintains offensive cyber capability within the Direction Générale de l'Armement (DGA) and the military intelligence directorate (DRM). France's 2019 Military Programming Law explicitly acknowledged offensive cyber operations as part of the national defence posture.
Germany: BND and ZITiS. Germany's Bundesnachrichtendienst (BND) conducts foreign intelligence, including cyber operations. The Zentrale Stelle für Informationstechnik im Sicherheitsbereich (ZITiS), established in 2017, develops technical capabilities for German security agencies, including exploit development and lawful intercept tools. Germany has been more cautious publicly about offensive cyber than France or the UK, but the BND is known to have purchased capabilities from commercial exploit vendors.
The European Context
The European Union's Cyber Defence Policy, updated in 2022, explicitly recognises the need for member states to develop cyber defence capabilities, including "active defence" (a diplomatic euphemism that can encompass offensive operations). NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE), located in Tallinn, Estonia, serves as the alliance's primary research and training centre for cyber defence. Estonia's selection as the host was not coincidental: in 2007, Estonia experienced a wave of distributed denial-of-service attacks targeting government, banking, and media websites, attributed to Russia. The event was a catalyst for NATO's cyber defence posture.
The EU also established the Cyber Rapid Response Teams (CRRTs) under PESCO (Permanent Structured Cooperation), with Lithuania as the lead nation. These teams can be deployed to assist member states during major cyber incidents. However, the EU's offensive capability remains distributed among member states rather than centralised, and the level of capability varies significantly. France, the Netherlands, and Estonia are generally considered the most advanced in this area within the EU.
9. Defence Against Cyber Weapons
Defending against the class of threat described in this article, state-sponsored operations with zero-day exploits and purpose-built capabilities, is qualitatively different from defending against commodity malware. Signature-based antivirus is useless against a custom implant that has never been seen before. Perimeter firewalls cannot stop a USB drive carried through the front door.
Air-gapping is the most basic defensive measure for critical infrastructure, and Stuxnet demonstrated its limitations. An air gap reduces the attack surface but does not eliminate it. USB drives, contractor laptops, and corrupted firmware on replacement hardware can all cross the gap. Effective air-gapping requires strict policies on removable media (some facilities use USB port blockers or epoxy), controlled and audited data transfer processes, and security scanning of all media that enters the air-gapped environment.
Network segmentation beyond the simple IT/OT boundary is critical. The Purdue model's layers should be enforced with firewalls and data diodes (one-way communication devices that physically prevent data from flowing from a lower-trust zone to a higher-trust zone). Each level should have its own monitoring. Lateral movement from a compromised engineering workstation to a PLC should require crossing a monitored boundary.
ICS-specific monitoring is a growing field. Products from Claroty (founded in Tel Aviv, now headquartered in New York), Nozomi Networks (headquartered in San Francisco with significant European operations, including a lab in Mendrisio, Switzerland), and Dragos (founded by former NSA ICS analysts) provide deep packet inspection of industrial protocols. These systems baseline normal PLC behaviour, detecting anomalous Modbus writes, unexpected STEP 7 programme uploads, or changes to PLC configuration that were not initiated by an authorised engineering workstation. This kind of monitoring could, in principle, detect a Stuxnet-style PLC modification, though a sufficiently sophisticated attacker might attempt to mimic legitimate engineering operations.
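Monitoring of this kind, applied to the Modbus/TCP traffic described in the protocol section above, as an added example that is not code from the article or from any of the products named here: it parses the MBAP header and PDU, flags write function codes coming from hosts outside an assumed engineering allow-list, and flags setpoint values outside an assumed plausible band, which is the check that still fires when the writer is a trusted but compromised engineering workstation. Host addresses, register bands and captured frames are constructed for the example.

```python
"""Defender-side Modbus/TCP write monitor (added example; all sample data is constructed)."""
import struct
from dataclasses import dataclass, field

# Function codes that change PLC state; reads (1-4) are not of interest to this monitor.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    unit_id: int
    function: int
    address: int = 0                      # start address for write functions
    quantity: int = 0                     # number of coils/registers written
    values: list = field(default_factory=list)

def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse MBAP header (7 bytes) + PDU; raise ValueError on malformed frames."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # length field covers unit id + PDU
        raise ValueError("bad MBAP protocol id or length field")
    pdu = payload[7:]
    req = ModbusRequest(unit, pdu[0])
    if req.function in (5, 6):                      # address + one 16-bit value
        req.address, value = struct.unpack(">HH", pdu[1:5])
        req.quantity, req.values = 1, [value]
    elif req.function in (15, 16):                  # address, quantity, byte count, data
        req.address, req.quantity, nbytes = struct.unpack(">HHB", pdu[1:6])
        if len(pdu) != 6 + nbytes or (req.function == 16 and nbytes != 2 * req.quantity):
            raise ValueError("byte count inconsistent with frame length or quantity")
        req.values = (list(struct.unpack(">%dH" % req.quantity, pdu[6:]))
                      if req.function == 16 else list(pdu[6:]))   # coil bits stay packed
    return req

def audit_writes(captures, allowed_writers, register_bands):
    """One alert per malformed frame, per write from a host outside the engineering
    allow-list, and per protected holding register pushed outside its plausible band."""
    alerts = []
    for src, payload in captures:
        try:
            req = parse_modbus_tcp(payload)
        except (ValueError, struct.error) as err:   # real HMIs do not send broken frames
            alerts.append(f"{src}: malformed Modbus frame ({err})")
            continue
        if req.function not in WRITE_FUNCTIONS:
            continue
        name = WRITE_FUNCTIONS[req.function]
        if src not in allowed_writers:
            alerts.append(f"{src}: {name} unit={req.unit_id} addr={req.address} from host not on allow-list")
        if req.function in (6, 16):                 # holding-register address space only
            for addr, value in zip(range(req.address, req.address + req.quantity), req.values):
                band = register_bands.get(addr)
                if band and not band[0] <= value <= band[1]:
                    alerts.append(f"{src}: {name} sets register {addr} to {value}, out of band {band}")
    return alerts

# Constructed traffic: an HMI read, a legitimate setpoint write, the same write from a
# read-only host, a frame with a lying byte count, and an out-of-band setpoint from the
# engineering workstation itself (the Stuxnet-style case the allow-list cannot catch).
ENGINEERING_HOSTS = {"10.1.2.10"}
REGISTER_BANDS = {1000: (800, 1200), 1001: (0, 200)}        # assumed plausible setpoints
SAMPLE_CAPTURES = [
    ("10.1.2.20", bytes.fromhex("000100000006010303e80002")),           # FC3 read 2 regs @1000
    ("10.1.2.10", bytes.fromhex("000200000006010603e8042b")),           # FC6 reg 1000 := 1067
    ("10.1.2.20", bytes.fromhex("000300000006010603e8042b")),           # same write, wrong host
    ("10.1.2.20", bytes.fromhex("0004000000090110000a0002047fff")),     # FC16, short data
    ("10.1.2.10", bytes.fromhex("00050000000b011003e800020405dc0064")), # FC16 reg 1000 := 1500
]

if __name__ == "__main__":
    for line in audit_writes(SAMPLE_CAPTURES, ENGINEERING_HOSTS, REGISTER_BANDS):
        print(line)
```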
Threat intelligence from organisations such as Mandiant, Recorded Future, and national CERTs (CERT-EU, BSI CERT-Bund in Germany, ANSSI CERT-FR in France) provides indicators of compromise, attack pattern descriptions, and early warning of campaigns targeting specific industries or regions. The MITRE ATT&CK framework, and its ICS-specific extension (ATT&CK for ICS), provides a taxonomy of adversary techniques that defenders can use to assess their detection coverage.
Incident response for ICS environments requires specialised skills. Forensic analysis of a compromised PLC requires understanding the PLC's firmware, runtime environment, and programming language, not just Windows event logs. Restoring operations after an ICS compromise requires re-verification of all PLC logic, not just reimaging workstations. Organisations like the SANS Institute offer ICS-specific training (the GICSP certification), and national agencies like CISA (in the US) and ENISA (in the EU) publish ICS security guidelines.
Attribution remains one of the hardest problems. Determining who is responsible for a cyber attack requires correlating technical indicators (malware code similarities, infrastructure overlaps, operational patterns) with intelligence from other sources. False flags are possible: the Olympic Destroyer malware, which targeted the 2018 PyeongChang Olympics, included code deliberately designed to mimic North Korean and Chinese APT groups, but was eventually attributed to Russia's GRU. Attribution confidence ranges from low to high; it is rarely certain, and it is always contested by the accused party.
10. The Strategic Dimension: Cyber Weapons Below the Threshold
Cyber weapons occupy a unique position in the spectrum of state power. They are more damaging than diplomatic protest but fall below the threshold of armed conflict, at least as currently interpreted under international law. This ambiguity is a feature, not a bug, from the perspective of states that employ them.
The threshold question. When does a cyberattack constitute an "armed attack" under Article 51 of the UN Charter, triggering the right to self-defence? The Tallinn Manual on the International Law Applicable to Cyber Operations, produced by an international group of legal scholars at NATO CCDCOE, concluded that a cyberattack causing physical destruction or death could qualify as an armed attack. Stuxnet, which physically destroyed centrifuges, would likely meet this threshold. NotPetya, which caused billions in economic damage but no physical destruction, is less clear. A cyberattack that disabled a power grid during winter, causing deaths from cold exposure, would likely qualify. The lack of settled precedent creates operational ambiguity that attackers exploit.
Proportionality. International humanitarian law requires that military operations be proportionate: the expected military advantage must not be excessive in relation to anticipated civilian harm. Cyber weapons create unique proportionality challenges. NotPetya was designed to hit Ukraine but caused billions in damage to companies worldwide, including Maersk (Denmark), Merck (US/Germany), FedEx/TNT Express (Netherlands), Mondelez (US), and many others. The collateral damage was vastly disproportionate to any conceivable military objective. Whether this constitutes a violation of proportionality under international law is an open question, partly because the legal framework was designed for kinetic operations where the effects are more predictable.
Asymmetric capability. Cyber weapons are attractive to smaller or less wealthy nations because they provide a form of strategic power that does not require the massive investment of conventional military forces. Iran's cyber programme, which produced Shamoon and subsequent operations against US financial institutions (the Ababil DDoS campaigns of 2012 and 2013), was developed largely in response to Stuxnet. North Korea's Lazarus Group has conducted financially motivated operations (the Bangladesh Bank heist, which attempted to steal €880 million and succeeded in taking €72 million) alongside espionage and destructive attacks (the Sony Pictures attack of 2014). For nations that cannot field a blue-water navy or a fifth-generation air force, cyber capability provides a way to impose costs on much larger adversaries.
The normalisation problem. The proliferation of offensive cyber operations has created a situation where such operations are routine between states that are nominally at peace. China's systematic theft of intellectual property, Russia's interference in elections and attacks on critical infrastructure, Iran's destructive operations, and Western nations' own offensive programmes coexist in a space with no effective norms, no arms control treaties, and no enforcement mechanisms. The UN Group of Governmental Experts (GGE) has produced reports endorsing the applicability of international law to cyberspace, but the practical impact has been limited.
The European position. The EU has attempted to establish norms through the EU Cyber Diplomacy Toolbox (2017), which allows the Council to impose sanctions on individuals and entities responsible for cyberattacks. Sanctions have been imposed in response to WannaCry (targeting North Korean entities), NotPetya (targeting Russian GRU officers), and Operation Cloud Hopper (targeting Chinese MSS operatives). Whether sanctions constitute effective deterrence is debatable, but they represent the EU's primary coercive response mechanism short of military action.
The development of offensive cyber capabilities is now a standard element of national defence planning across Europe. France, the UK, the Netherlands, Sweden, Finland, and Estonia have all publicly acknowledged some form of offensive cyber posture. The days when cyberattacks were considered exotic or theoretical are over. They are a permanent feature of the strategic landscape, and defending against them, understanding how they work at the technical level, is no longer optional for anyone responsible for critical infrastructure.
Conclusion
The trajectory from Stuxnet to Triton, from a weapon that destroyed centrifuges to one that attempted to disable safety systems in a petrochemical plant, represents an escalation in both ambition and danger. Stuxnet destroyed equipment. Triton, had it succeeded without detection, could have killed people.
The technical sophistication required for these operations is real but not magical. Zero-day exploits are found through systematic research. PLC payloads are developed by engineers who understand industrial control systems. Air gaps are crossed through human factors and physical access. Supply chains are compromised through patient infiltration of trusted vendors. Each element is understandable, and each can be defended against, though not with perfect assurance.
For engineers working with industrial control systems, the practical lessons are concrete: segment your networks, monitor your ICS protocols, audit your PLC logic, control your USB ports, and assume that a sufficiently motivated adversary can and will find a way in. The question is not whether your systems are a target. The question is whether you will detect the intrusion before the payload executes.