Stuxnet, the infamous malware worm that sabotaged Iran’s Natanz nuclear power station in 2010, was introduced into the network via a USB flash drive inserted by a mole recruited by Dutch intelligence agents on behalf of the CIA and Mossad, reported Kim Zetter in Yahoo News yesterday.
She says that, according to four intelligence sources, the Dutch intelligence agency AIVD recruited an Iranian engineer who provided critical data that helped the US developers target their code to the systems at Natanz, as well as get the inside access needed to insert the USB flash drive.
Apparently the Dutch were asked in 2004 to help the CIA and Mossad get access to the plant, but it wasn’t until three years later that the mole, who posed as a mechanic working for a front company doing work at Natanz, delivered the digital weapon to the targeted systems.
The Olympic Games operation, of which this attack was a part, is reported to have been primarily a joint US-Israel mission involving the NSA, the CIA, the Mossad, the Israeli Ministry of Defence and the Israeli SIGINT National Unit, with assistance from three other nations, including the Netherlands and Germany. Zetter says that the third is believed to be France, although UK intelligence also played a role.
Germany provided technical specifications and knowledge about the industrial control systems made by the German firm Siemens, and France provided similar intelligence.
The Natanz centrifuges used stolen Dutch designs. This helped Dutch intelligence, with US and British intelligence, infiltrate a supply network of European consultants and front companies who helped build out the designs stolen by Pakistani scientist Abdul Qadeer Khan.
The clandestine Iranian nuclear plans were discovered, with centrifuges intercepted by Western/Israeli intelligence, and two dummy companies were set up in Iran to get into Natanz. One failed, but the second, with Israeli assistance, succeeded. The Dutch mole, an Iranian engineer, got inside Natanz as a mechanic. The Yahoo report says his work didn’t involve installing the centrifuges, but it got him where he needed to be to collect configuration information about the systems, returning several times.
Siemens control systems at Natanz were air-gapped, but were programmed with code loaded onto USB flash drives. To overcome this, the report says that "the mole either directly installed the code himself by inserting a USB into the control systems or he infected the system of an engineer, who then unwittingly delivered Stuxnet when he programmed the control systems using a USB stick." The mole didn’t return to Natanz.
In an email to SC Media UK, Tim Erlin, VP, product management and strategy at Tripwire, comments: "While we like to focus on the technical aspects of cyber-attacks, it’s important to remember the role that people and social engineering play. From nation-state espionage to routine ransomware, human beings are often part of the attack chain, and an invaluable part of any defence strategy."