Pierluigi Paganini September 02, 2019

Journalists revealed the role of a mole recruited by the Dutch intelligence in the US-Israeli Stuxnet attack on the Natanz plant in Iran.

The story of the Stuxnet attack is still one of the most intriguing case of modern information warfare. The virus was developed by the US and Israel to interfere with the nuclear enrichment program conducted by Iran in the plant of Natanz.

Stuxnet is a malicious computer worm developed to target SCADA systems that was first uncovered in 2010, but researchers believe its development begun at least 2005. 

Stuxnet has been designed to hit centrifuges used in the uranium enrichment process in nuclear plants of the country.

The unanswered question is, how did the U.S. and Israel get Stuxnet onto the highly secured Natanz plant?

For years, experts speculated the involvement of a spy that infiltrated the Iranian plant and installed the malware. Now, journalists Kim Zetter and Huib Modderkolk revealed that Stuxnet was dropped by a mole recruited by Dutch intelligence agents at the behest of the CIA and the Mossad, according to sources who spoke with Yahoo News.

The Dutch intelligence agency AIVD received critical data on the plant by an Iranian engineer that it recruited. That mole physically spread the malware inside the plant using a USB flash drive.

“An Iranian engineer recruited by the Dutch intelligence agency AIVD provided critical data that helped the U.S. developers target their code to the systems at Natanz, according to four intelligence sources. That mole then provided much-needed inside access when it came time to slip Stuxnet onto those systems using a USB flash drive.” wrote the journalists.

In 2004, CIA and Mossad requested help to the the Dutch intelligence to get access to the plant, only in 2007 the mole, who posed as a mechanic working for a front company doing work at Natanz, dropped the virus into the target systems.

“[T]he Dutch mole was the most important way of getting the virus into Natanz,” one of the sources told Yahoo.

The development of the deadly cyber weapon started under the administration of George Bush Junior as part of a military operation named “Olympic Games”, but the Obama administration has been pushing a more energetic on the offensive program. 

The Olympic Games operation was carried out by a joint U.S.-Israel mission that involved the NSA, the CIA, the Mossad, the Israeli Ministry of Defense and the Israeli SIGINT National Unit- It was revealed that the cyber spies were helped by three other nations, the Netherlands, Germany. and likely France, although is also known the involvement of U.K. intelligence.

Germany provided technical specifications and knowledge about the ICS systems manufactured by Siemens that were controlling the centrifuges at the Natanz Iranian plant. France only provided support to intelligence.

“But the Dutch were in a unique position to perform a different role — delivering key intelligence about Iran’s activities to procure equipment from Europe for its illicit nuclear program, as well as information about the centrifuges themselves.” continue the journalists. “This is because the centrifuges at Natanz were based on designs stolen from a Dutch company in the 1970s by Pakistani scientist Abdul Qadeer Khan. Khan stole the designs to build Pakistan’s nuclear program, then proceeded to market them to other countries, including Iran and Libya.”

In 1996, Iran secretly purchased a set of blueprints and centrifuge components from Pakistani scientist Abdul Qadeer Khan. In 2000, cyberspies from AIVD hacked the email system of a key Iranian defense organization to obtain more information about Iran’s nuclear program.

The AIVD, along with U.S. and British intelligence, infiltrated Khan’s supply network of European consultants and front companies who helped build the nuclear programs in Iran and Libya. The spies used both conventional and cyber capabilities.

In 2003, British and U.S. intercepted a ship containing thousands of centrifuge components headed to Libya, the same model used at Natanz. Western intelligence persuaded Libya to give up the program in exchange for the lifting of sanctions.

In 2004, Mossad and the CIA asked for help from AIVD. The U.S.seized the components from the ship and those already in Libya and sent them to the Oak Ridge National Lab in Tennessee and to a facility in Israel where scientists assembled the centrifuges and devised methods to hack them.

The Dutch, with an insider in Iran, established a dummy company with employees, customers, and records showing a history of activity.

In 2006, the researchers conducted a sabotage test with centrifuges, and President George Bush authorized the operation.

By May 2007, Iran had 1,700 centrifuges installed at Natanz, while the Dutch mole was inside Natanz in the summer of the same year.

A first company established by the mole had failed to access to Natanz, but fortunately, the second one with the support of Israel achieved the goal.

The mole visited Natanz a few times to collect configuration information about the systems in the plant.

“[He] had to get … in several times in order to collect essential information [that could be used to] update the virus accordingly,” one of the sources told Yahoo News.

Symantec researchers discovered that the Stuxnet code was updated over time, in May 2006 and in February 2007, when the Iran’s government began installing the centrifuges at Natanz. The final updates were made on Sept. 24, 2007.

The code was designed to close exit valves on random numbers of centrifuges so that gas would go into them but couldn’t get out. This was intended to raise the pressure inside the centrifuges and cause damage over time and also waste gas.

The mole installed the code by inserting a USB into the control systems or he infected the system of one of the engineers that unwittingly delivered Stuxnet when he programmed the control systems using a USB stick.

Once the systems were infected, the mole didn’t return to Natanz again, while malware continues its action throughout 2008. In June 2009, the attackers launched a new version of Stuxnet, followed by other variants in March and April 2010.

This new version of Stuxnet was dropped into Natanz by infecting employees of five Iranian companies (all of them contractors in the business of installing industrial control systems in Natanz and other facilities in Iran) who brought it into the plant.

“It’s amazing that we’re still getting insights into the development process of Stuxnet [10 years after its discovery],” said Liam O’Murchu, director of development for the Security Technology and Response division at Symantec. O’Murchu was one of three researchers at the company who reversed the code after it was discovered. “It’s interesting to see that they had the same strategy for [the first version of Stuxnet] but that it was a more manual process. … They needed to have someone on the ground whose life was at risk when they were pulling off this operation.”

Researchers pointed out that the spreading mechanisms implemented in the latest version caused Stuxnet to spread wildly out of control. The malware first infected the customers of the five contractors, then thousands of other machines around the world. This is the root cause of the discovery of Stuxnet in June 2010.

Months after the discovery of the cyber weapon, Iranian authorities arrested and possibly executed several workers at Natanz plant, but it is not clear if one of them was the Dutch mole.

Pierluigi Paganini

(Security Affairs – Stuxnet, ICS)

[adrotate banner=”5″]

[adrotate banner=”13″]