Damage from the Stuxnet virus has apparently set back the Iranian nuclear program by as much as two years, according to a German security expert talking to the Jerusalem Post. This makes the virus as effective as a military strike—but without loss of life or risk of full-blown war.

This comes amid claims that the virus is continuing to infect Iranian systems and disrupt the Iranian nuclear effort, and the news from IAEA last month that Iran had suspended work at its nuclear production facilities, likely as a result of the virus.

Speaking to the Post, an expert identifed only as "Langer" (we believe the Post likely means Stuxnet expert Ralph Langner, but have not had confirmation at the time of writing) said that due to poor Iranian IT security expertise, the only effective way the country would be able to rid itself of the virus would be through discarding all infected machines. He said that, further, centrifuges would need to be replaced at Iran's Natanz facility, as might a turbine at Bushehr. Centrifuges operating at between 807Hz and 1210Hz were believed to be a specific target of the virus.

Even if the Iranians can clean up their own machines—whether by replacing them entirely or removing the virus—the country will have to ensure that outside contractors remain uninfected too.

Evidence of continued disruption comes from security firms providing solutions to industrial companies to deal with Stuxnet infections. Eric Byres, an expert from SCADA security firm Tofino Security, told the Post that his company's website was receiving an increasing number of visits from Iranians in recent weeks, suggesting that dealing with Stuxnet and properly securing industrial automation and control systems was still a problem for the Iranians.

The authorship of Stuxnet remains unknown. In Langer's view, the complexity means that the Israeli and US governments are likely to be the only groups who could have pulled it off. Indeed, the scale of the program is so expansive that he feels that the project may have been too large for any one country, and that the two governments may have collaborated on development.

If the damage to the Iranian nuclear program is genuine, this makes Stuxnet something of a landmark in cyberwar history. Much has been made of the threat of computer-based attacks, but thus far they appear to have been limited to either denial-of-service attacks, website defacement, or attempts to break into systems to steal classified data.

Stuxnet is something of a different beast. This was no crude DoS attack or vandalistic defacement. It is a carefully developed, specifically targeted device, one intended to cause subtle but substantial damage to key infrastructure. While a DoS or defacement may take a few days or weeks to clear up, Stuxnet-like attacks have the potential to set back their victims by many years.

Update: "Langer" is indeed Ralph Langner, who has researched Stuxnet extensively.