Little bit of spoilers here at the end, but much of this text is about the Severus and what it is, is ultimately pretty meaningless from the point of view of the story.

Black Bag is a Soderbergh joint, the second one I’ve seen in theaters this year (after Presence, which was released technically last year). It’s about a married couple played by Cate Blanchett and Michael Fassbender, who work in the intelligence services. The husband finds out that Severus has been stolen and needs to get it back. His wife is one of the suspects.

It’s a good movie. It’s not like a James Bond type thing. It’s more like Tinke Tailor Soldier Spy meets an Agatha Christie story. It’s intrigue in a very modern environment with a preset group of suspects who actually meet for a dinner at one point with our couple. It’s kind of clumsy in certain aspects (like we see certain scenes that maybe would have been better to learn about in other ways), but still definitely worth a watch.

We don’t find out what Severus is for much of the movie. It’s just a McGuffin. Something we know is dangerous and something that needs to be returned. Then, at one point, the word Stuxnet is uttered.

Okay, there is a group of people for whom this clocks immediately, but it isn’t that big. I teach IT and even most of my colleagues wouldn’t know. It’s a worm that was built specifically to target the Iranian nuclear program. There are a lot of open questions about it. There have been reports that is was developed by the US and Israel together and the project took years. Both of these are valid assumptions.

The interesting thing about Stuxnet is that it was built for a very specific situation. It targets a specific Siemens’ software running on Windows that is used to control specific kind of machinery. It would spread itself, but actually did it pretty conservatively, and it needed to jump the so-called airgap. Since the nuclear sites are not on the public Internet (for a good reason), the worm somehow needed to get there through other means. The likely way is an infected USB drive. Whether it was brought in intentionally is an open question.

When a computer is infected, it will try to find centrifuges from specific vendors spinning at specific frequencies. If it does, Stuxnet will change the frequency to higher, than much lower and then back to normal again and it will then do this over and over again. It will also mask this from the monitoring system. This might sound weird, but it does break the centrifuges after a while and it isn’t immediately obvious how, because the logs don’t show problems.

So, on to spoiler territory.

In the movie Severus has been stolen in order to get Russian domestic terrorists to use it to destroy a nuclear plant in Russia. Now, would this work? I don’t know neough of the details of the systems in Russian nuclear plants, but I doubt it and it’s designers wouldn’t want it to.

Kaspersky has actually claimed that Stuxnet has been found in a Russian nuclear plant and it didn’t blow up or anything. The thing is, many of the nuclear plants in Europe have been built by Russian companies, so it would be a huge risk if Stuxnet would just work on them. Also, you can’t exactly buy a nuclear sites off the shelf. They are individually designed and built (although this might change in the near future), so there are opportunities to target them very specifically and I would assume the people behind Stuxnet would do exactly that. After all, there would be questions if nuclear plants all over Europe just stop working. That might erode their soft power over Europe.

So, in that regard the plot is unrealistic, but, again, it doesn’t really matter. Clearly someone had stumbled upon Stuxnet and just used it without deeper understanding of how it works and what it does.