As the United States marks its 250th anniversary, WTOP presents “250 Years of America,” a multipart series examining the innovations, breakthroughs and pivotal moments that have shaped the nation since 1776.
HII is proud to partner with WTOP to bring you this series.
In the history of cyberattacks, one stands out above the rest.
“Stuxnet was a digital weapon designed to sabotage Iran’s nuclear program by targeting industrial control systems at its uranium enrichment plant, Natanz,” journalist and Georgetown University professor Kim Zetter said in testimony to the House Subcommittee on Cybersecurity and Infrastructure Protection last year.
The hearing marked 15 years since the discovery of the Stuxnet virus, and Zetter’s testimony made clear the threat it represents hasn’t faded with time.
What made Stuxnet unlike anything seen before wasn’t just its sophistication. It was what it targeted.
“Stuxnet was a first-of-its-kind attack,” Zetter said, calling it “the first known case of malicious code designed to leap from the digital world to the physical realm to cause disruption and destruction not of the computers it infected, but of equipment and processes these computers controlled.”
In this case, those were the centrifuges at Natanz — the spinning machines at the heart of Iran’s uranium enrichment operation. The virus didn’t just crash a network or steal data. It quietly manipulated the centrifuges, causing them to tear themselves apart while the systems monitoring them showed everything was running normally.
That gap between what was real and what the screens showed is part of what made Stuxnet so alarming to cybersecurity experts. It proved that a piece of code could reach through a screen and break something in the physical world — something that spins, something that moves, something that people depend on.
And that’s exactly why Zetter’s testimony came with a warning that extends well beyond Iran’s nuclear program.
“The same techniques Stuxnet used can be used against critical infrastructure in the U.S. to disrupt services the public, government and military rely on, or to damage equipment that can also cause death, either directly by causing passenger trains to collide or indirectly by preventing patients from being treated at hospitals because the electricity is out,” Zetter said.
That’s not a hypothetical drawn from imagination. It’s a direct line from what Stuxnet already proved was possible.
Think about the systems that keep daily life running: power grids, water treatment plants, hospital networks, rail systems. Many of them rely on the same category of industrial control systems that Stuxnet was built to exploit. The virus essentially served as a proof of concept: if you can do this to centrifuges in Iran, you can do it to infrastructure anywhere.
No government or entity has openly claimed responsibility for the Stuxnet attack. It is widely believed, however, that the U.S. and Israel were behind it.
More than 15 years later, the code that changed the rules of cyberwarfare is still being studied, still being debated — and according to Zetter’s testimony before Congress, still serving as a blueprint that bad actors could follow.
Get breaking news and daily headlines delivered to your email inbox by signing up here.
© 2026 WTOP. All Rights Reserved. This website is not intended for users located within the European Economic Area.
