ThinkableWhat is this?

Cybersecurity & Digital Warfare

The Weapon That Couldn't Stop Spreading

In 2010, a piece of code designed to sabotage a single Iranian nuclear facility quietly escaped and infected computers across the globe — because its creators forgot that the internet doesn't respect borders.

The Idea

State-sponsored hacking is not really about hacking in the Hollywood sense — lone geniuses typing furiously in dark rooms. It is closer to a covert military operation, except the weapons are software, the battlefield is shared global infrastructure, and the collateral damage is almost impossible to contain. The defining feature of cyber weapons is that they are inherently replicable and leaky. A missile stays where it lands. Code copies itself, travels through networks, and can be reverse-engineered and repurposed by anyone who finds it. This makes state-sponsored hacking uniquely destabilising: nations are deploying weapons they cannot fully control in an environment they do not own. Most sophisticated state attacks follow a pattern called an APT — an Advanced Persistent Threat. Rather than smashing through a door, an APT quietly picks the lock, enters, and then lives inside a system for months or years, watching, mapping, and waiting. The goal is rarely immediate destruction. It is intelligence, leverage, and positioning — the digital equivalent of placing a sleeper agent inside an adversary's government. What makes this genuinely unsettling is the attribution problem. When a nation-state launches a cyberattack, proving it did so — in a way that satisfies international law, let alone public opinion — is extraordinarily difficult. This ambiguity is not a bug; for the attacker, it is the entire point. You can cause significant damage while maintaining plausible deniability, which is a temptation no conventional weapon offers.

In the World

The clearest illustration of how badly this can go wrong is Stuxnet — the malware discovered in 2010 that is widely attributed to a joint US-Israeli operation codenamed Olympic Games, aimed at sabotaging Iran's uranium enrichment centrifuges at the Natanz facility. Stuxnet was, by any technical measure, extraordinary. It targeted a hyper-specific configuration of Siemens industrial controllers running at Natanz, and when it found them, it instructed the centrifuges to spin at destructive speeds while reporting normal readings back to the operators. It is estimated to have physically destroyed around one-fifth of Iran's centrifuges — a meaningful setback, achieved without a single bomb dropped or soldier deployed. But Stuxnet was also designed with a critical assumption: that the Natanz systems were air-gapped, meaning physically isolated from the internet. They were — but a contractor's laptop bridged that gap, and the worm spread. By the time security researchers at VirusBlokAda in Belarus stumbled across it on an unrelated machine in June 2010, Stuxnet had infected over 100,000 computers across Iran, Indonesia, India, and beyond. When the security firm Symantec reverse-engineered it and published their findings, the weapon was effectively public. Any sufficiently resourced group could now study it. The techniques Stuxnet pioneered — exploiting four separate zero-day vulnerabilities simultaneously, targeting physical infrastructure via software — became a template. A weapon designed for one room had become a masterclass, available to anyone.

Why It Matters

Understanding state-sponsored hacking changes how you read the news. When a hospital's systems go down in a ransomware attack, or a country's power grid flickers, or a government database is quietly exfiltrated — these are not random acts of digital vandalism. They are often moves in a slow, mostly invisible geopolitical contest being conducted through infrastructure you use every day. It also reframes what security means at a civilisational level. The debate around cyberweapons is in roughly the same place as nuclear weapons debates were in the early 1950s — before arms control treaties, before norms, before any real international framework. Nations are developing and deploying these capabilities faster than diplomacy or law can respond. For you, personally, the insight is this: the devices and networks you rely on are also the terrain of this conflict. You are not a bystander. Critical infrastructure — energy, healthcare, finance, water — runs on software, and that software exists in the same contested space. The question of how nations behave in cyberspace is not an abstract policy question. It is a question about the stability of the systems your life quietly depends on.

A Question to Ponder

If a cyberweapon causes physical damage — destroying machinery, cutting power to hospitals — should that legally constitute an act of war, and who gets to decide?

Get a new one of these every morning.

Start learning with Thinkable
One topic like this, every day.Start free