November 01, 2019
The Stuxnet computer worm that damaged Iran’s nuclear centrifuges a decade ago was inserted into Iran’s centrifuges by an Iranian engineer who was recruited by the Dutch intelligence service.
A lengthy article by two journalists, one of them Dutch, was published by Yahoo News September 2 and detailed the long effort to penetrate the centrifuge complex at Natanz.
The effort has long been described as a joint US and Israeli scheme. But the article says it involved five countries—hence the codename Olympic Games, for the five-ring logo on the Olympics. The other countries involved were Germany and France, who obtained information from firms in their country that had sold technology to Iran that was used at Natanz. The Dutch were involved because the Iranian centrifuges were based on technology from the Dutch centrifuge industry that had been stolen by Abdul Qadir Khan, a Pakistani engineer working there in the 1960s, who then sold the designs to Iran and Libya.
A key challenge of the western intelligence operation was how to gain access to the interior of the Natanz centrifuge complex. They needed someone to carry the damaging computer worm, mounted in a USB flash drive, into the plant and then install it—perhaps the hardest part of the whole plan to damage Iran’s centrifuges.
The courier was an Iranian recruited by Dutch intelligence agents at the behest of the CIA and the Israeli intelligence agency, according to four sources who spoke with the reporters for Yahoo News.
But he was far more than a mere courier. He had to design and carry out the entire plan for getting into the plant. As such, it was an Iranian national who was really the key to the entire plan to damage the centrifuges. Whether he is alive today or not is unknown.
The Iranian mole posed as a mechanic working for a front company he set up which then got a contract to do work at Natanz. How he got the contract—by skill or bribery—is not revealed.
The Dutch intelligence agency, known as AIVD, along with US and British intelligence, had long before infiltrated Khan’s supply network of European consultants and front companies who helped build the nuclear programs in Pakistan, Iran and Libya.
The world first became aware of the Natanz plant in 2004 when the Mojahedin-e Khalq held a news conference in Washington, DC, to reveal the plant’s existence. Many have wondered how the Mojahedin-e Khalq knew of the plant. The Yahoo News story says that Western intelligence knew of the plant from the moment that ground was broken for it in 2000 and had given the information to the Mojahedin-e Khalq to make public.
The Dutch intelligence agency already had an insider in Iran, and after the request from the CIA and Mossad came in late in 2004, that mole, an engineer, decided to set up two parallel tracks — each involving a local front company — with the hope that one would succeed in getting into Natanz.
Establishing a dummy company with employees, customers and records showing a history of activity takes time and talent. But sometime before the summer of 2007, the Dutch mole was inside Natanz.
The first company the mole established had failed to get into Natanz. There was a problem with the way the company was set up, according to two of the sources who talked to Yahoo News, and “the Iranians were already suspicious,” one explained.
The second company, however, managed to get inside Natanz. Posing as a mechanic, he did work that didn’t involve installing the centrifuges, but it got him where he needed to be to collect configuration information about the systems there. He apparently returned to Natanz a few times over the course of some months.
“[He] had to get … in several times in order to collect essential information [that could be used to] update the virus accordingly,” one of the sources told Yahoo News.
The sources didn’t provide details about the information he collected, but Stuxnet was meant to be a precision attack that would only unleash its sabotage if it found a very specific configuration of equipment and network conditions. Using the information the mole provided, the attackers were able to update the code and provide some of that precision. One particular part at Natanz had to be a Polish component and another an Iranian design. Without those two parts present, no attack would be triggered.
The code was designed to close exit valves on random numbers of centrifuges so that uranium hexafluoride gas would go into them but couldn’t get out. This was intended to raise the pressure inside the centrifuges and cause damage over time and also waste gas.
This version of Stuxnet had just one way to spread — via a USB flash drive. The Siemens control systems at Natanz were air-gapped, meaning they weren’t connected to the Internet, so the attackers had to find a way to jump that gap to infect them.
Engineers at Natanz programmed the control systems with code loaded onto USB flash drives, so the mole either directly installed the code himself by inserting a USB drive into the control systems or he infected the system of an engineer, who then unwittingly delivered Stuxnet when he programmed the control systems using a USB stick.
Once that was accomplished, the mole didn’t return to Natanz again, but the malware worked its sabotage throughout 2008.
In 2009, the attackers decided to change tactics and launched a new version of the code in June that year and again in March and April 2010. This version, instead of closing valves on the centrifuges, varied the speed at which the centrifuges spun, alternately speeding them up beyond the level they were designed to spin at and slowing them down.
The aim was to both damage the centrifuges and undermine the efficiency of the enrichment process, Yahoo reported.
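The speed-variation behaviour described above is the kind of thing an independent monitor on the process telemetry can flag, because legitimate operation keeps the setpoint inside a fixed design envelope and changes it rarely. The following is an added illustration written for this page, not code from the article, from Symantec or from anyone involved in the operation. The design envelope, the sample setpoint series and the function names are all constructed for the example and do not describe any real centrifuge; the point is the detection logic: flag any setpoint outside the envelope, and treat a pattern that alternates between over-speed and under-speed excursions as a distinct, higher-severity finding.

```python
"""Out-of-envelope speed monitor over rotating-equipment setpoint telemetry.

Added example: the envelope values and sample series below are constructed
for illustration and are not real centrifuge parameters.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Envelope:
    min_rpm: float  # lowest speed the process is expected to run at
    max_rpm: float  # rated ceiling; sustained operation above it is damaging


# Hypothetical design envelope (constructed, not a real value).
ENVELOPE = Envelope(min_rpm=50_000.0, max_rpm=63_000.0)


def out_of_envelope(samples, envelope=ENVELOPE):
    """Return (index, rpm) for every setpoint sample outside the envelope."""
    return [
        (i, rpm)
        for i, rpm in enumerate(samples)
        if rpm < envelope.min_rpm or rpm > envelope.max_rpm
    ]


def oscillation_excursions(samples, envelope=ENVELOPE):
    """Count transitions between over-speed and under-speed excursions.

    In-envelope samples between excursions neither reset nor count, so a
    'too fast, back to normal, too slow' sequence still registers as one
    alternation. Ordinary operation yields zero.
    """
    state = None  # 'high', 'low', or None before the first excursion
    transitions = 0
    for rpm in samples:
        if rpm > envelope.max_rpm:
            new_state = "high"
        elif rpm < envelope.min_rpm:
            new_state = "low"
        else:
            continue
        if state is not None and new_state != state:
            transitions += 1
        state = new_state
    return transitions


def classify(samples, envelope=ENVELOPE):
    """Return 'ok', 'excursion' (out of envelope but one-directional),
    or 'oscillation' (alternating over- and under-speed, the pattern the
    text describes for the 2009-2010 version)."""
    if not out_of_envelope(samples, envelope):
        return "ok"
    if oscillation_excursions(samples, envelope) >= 1:
        return "oscillation"
    return "excursion"


# Constructed sample series (rpm setpoints, one reading per interval).
NORMAL_SERIES = [55_000.0] * 8 + [56_000.0, 55_500.0]
SINGLE_EXCURSION = [55_000.0, 64_000.0, 55_000.0]
OSCILLATING_SERIES = [
    55_000.0, 55_000.0, 70_000.0, 70_000.0, 55_000.0,
    20_000.0, 20_000.0, 55_000.0, 70_000.0, 20_000.0,
]

if __name__ == "__main__":
    for name, series in [
        ("normal", NORMAL_SERIES),
        ("single excursion", SINGLE_EXCURSION),
        ("oscillating", OSCILLATING_SERIES),
    ]:
        print(f"{name:17s} -> {classify(series)} "
              f"({len(out_of_envelope(series))} samples out of envelope, "
              f"{oscillation_excursions(series)} alternations)")
```

A monitor like this is only useful if it reads the setpoints from a source the controller cannot rewrite (for instance a separate historian or an independent sensor path), since the text's point is that the control system itself was the thing compromised.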
They got this version of Stuxnet into Natanz by infecting external targets who brought it into the plant. The targets were employees of five Iranian companies — all of them contractors in the business of installing industrial control systems in Natanz and other facilities in Iran — who became unwitting couriers for the digital weapon.
“It’s amazing that we’re still getting insights into the development process of Stuxnet [10 years after its discovery],” said Liam O’Murchu, director of development for the Security Technology and Response division at Symantec. O’Murchu was one of three researchers at the company who reversed the code after it was discovered. “It’s interesting to see that they had the same strategy for [the first version of Stuxnet] but that it was a more manual process. … They needed to have someone on the ground whose life was at risk when they were pulling off this operation.”
O’Murchu thinks the change in tactics for the later version of Stuxnet may be a sign that the capabilities of the attackers improved so that they no longer needed an inside mole.
“Maybe … back in 2004 they didn’t have the ability to do this in an automated way without having someone on the ground,” he said. “Whereas five years later they were able to pull off the entire attack without having an asset on the ground and putting someone at risk.”
But their later tactic had a different drawback. The attackers added multiple spreading mechanisms to this version of the code to increase the likelihood that it would reach the target systems inside Natanz. This caused Stuxnet to spread wildly out of control, first to other customers of the five contractors, and then to thousands of other machines around the world, leading to Stuxnet’s discovery and public exposure in June 2010.
Months after Stuxnet’s discovery, a website in Israel reported that Iran had arrested and possibly executed several workers at Natanz under the belief that they helped get the malware onto systems at the plant. Two of the intelligence sources who spoke with Yahoo News indicated that there indeed had been loss of life over the Stuxnet program, but didn’t say whether this included the Dutch mole.