Revealed: How A Secret Dutch Mole Aided The U.S.-Israeli Stuxnet Cyberattack On Iran

news.yahoo.com · by Kim Zetter and Huib Modderkolk · September 2, 2019

The Dutch intelligence agency, known as AIVD, along with U.S. and British intelligence, infiltrated Khan’s supply network of European consultants and front companies who helped build the nuclear programs in Iran and Libya. That infiltration didn’t just involve old-school tradecraft but also employed offensive hacking operations being developed as part of the burgeoning field of digital espionage.

AIVD’s cyber capabilities are well known now — last year it was revealed that AIVD was responsible for tipping off the FBI to the 2016 hack of the Democratic National Committee, knowledge it had acquired because its operatives had hacked into computers belonging to the Russian hacking group known as Cozy Bear in 2014 and were watching in 2015 when the Russians broke into computers at the U.S. State Department and the DNC.

But during the early days of Iran’s nuclear program, AIVD’s hacking team was small and still developing.

Nuclear physicist Abdul Qadeer Khan. (Photo: Robert Nickelsberg/Life Images Collection via Getty Images)

The Iranian program, which had been on the back burner for years, kicked into high gear in 1996, when Iran secretly purchased a set of blueprints and centrifuge components from Khan. In 2000, Iran broke ground at Natanz with plans to build a facility that would hold 50,000 spinning centrifuges for enriching uranium gas. That same year, AIVD hacked the email system of a key Iranian defense organization in an effort to obtain more information about Iran’s nuclear plans, according to sources.

Israeli and Western intelligence agencies secretly monitored the progress at Natanz over the next two years, until August 2002, when an Iranian dissident group publicly exposed the Iranian program at a press conference in Washington, D.C., using information provided by the intelligence agencies. Inspectors for the International Atomic Energy Agency, the United Nations body that monitors nuclear programs around the world, demanded access to Natanz and were alarmed to discover that the Iranian program was much further along than believed.

Iran was pressed into agreeing to halt all activity at Natanz while the IAEA sought to obtain more information about the nuclear program, and the suspension continued throughout all of 2004 and most of 2005. But it was only a matter of time before operations at Natanz resumed, and the CIA and the Mossad wanted to be inside when they did.

The request to the Dutch for help with this came toward the end of 2004, when a Mossad liaison working out of the Israeli Embassy in The Hague and a CIA official based at the U.S. Embassy met with a representative from AIVD. There was no talk yet about inserting a digital weapon into the control systems at Natanz; the aim at that time was still just intelligence.

But the timing wasn’t random. In 2003, British and U.S. intelligence had landed a huge coup when they intercepted a ship containing thousands of centrifuge components headed to Libya — components for the same model of centrifuges used at Natanz. The shipment provided clear evidence of Libya’s illicit nuclear program. Libya was persuaded to give up the program in exchange for the lifting of sanctions, and also agreed to relinquish any components already received.

By March 2004, the U.S., under protest from the Dutch, had seized the components from the ship and those already in Libya and flown them to the Oak Ridge National Lab in Tennessee and to a facility in Israel. Over the next months, scientists assembled the centrifuges and studied them to determine how long it might take for Iran to enrich enough gas to make a bomb. Out of this came the plot to sabotage the centrifuges.

The Department of Energy complex at Oak Ridge, Tenn. (Photo: Cryptome.org)

The Dutch intelligence agency already had an insider in Iran, and after the request from the CIA and Mossad came in, the mole decided to set up two parallel tracks — each involving a local front company — with the hope that one would succeed getting into Natanz.

Establishing a dummy company with employees, customers and records showing a history of activity takes time, and time was in short supply. In late 2005, Iran announced it was withdrawing from the suspension agreement, and in February 2006 it began to enrich its first batch of uranium hexafluoride gas in a pilot plant at Natanz. The Iranians ran into some problems that slowed them down, however, and it wasn’t until February 2007 that they formally launched the enrichment program by installing the first centrifuges in the main halls at Natanz.

By then, development of the attack code was already long under way. A sabotage test was conducted with centrifuges some time in 2006 and presented to President George W. Bush, who authorized the covert operation once he was shown it could actually succeed.

By May 2007, Iran had 1,700 centrifuges installed at Natanz that were enriching gas, with plans to double that number by summer. But sometime before the summer of 2007, the Dutch mole was inside Natanz.

The first company the mole established had failed to get into Natanz — there was a problem with the way the company was set up, according to two of the sources, and “the Iranians were already suspicious,” one explained.

The second company, however, got assistance from Israel. This time, the Dutch mole, who was an engineer by training, managed to get inside Natanz by posing as a mechanic. His work didn’t involve installing the centrifuges, but it got him where he needed to be to collect configuration information about the systems there. He apparently returned to Natanz a few times over the course of some months.

“[He] had to get … in several times in order to collect essential information [that could be used to] update the virus accordingly,” one of the sources told Yahoo News.

The sources didn’t provide details about the information he collected, but Stuxnet was meant to be a precision attack that would only unleash its sabotage if it found a very specific configuration of equipment and network conditions. Using the information the mole provided, the attackers were able to update the code and provide some of that precision.

There is, in fact, evidence of updates to the code occurring during this period. According to the security firm Symantec, which reverse-engineered Stuxnet after it was discovered, the attackers made updates to the code in May 2006 and again in February 2007, just as Iran began installing the centrifuges at Natanz. But they made final changes to the code on Sept. 24, 2007, modifying key functions that were needed to pull off the attack, and compiled the code on that date. Compiling code is the final step before deploying it; Symantec recovered these dates from the compile timestamps embedded in the binaries, which an attacker can forge but which are consistent with the rest of the timeline here.

An aerial view of the Natanz fuel enrichment plant. (Photo: DigitalGlobe via Getty Images)

The code was designed to close exit valves on random numbers of centrifuges so that gas would go into them but couldn’t get out. This was intended to raise the pressure inside the centrifuges and cause damage over time and also waste gas.

This version of Stuxnet had just one way to spread — via a USB flash drive. The Siemens control systems at Natanz were air-gapped, meaning they weren’t connected to the internet, so the attackers had to find a way to jump that gap to infect them. Engineers at Natanz programmed the control systems with code loaded onto USB flash drives, so the mole either directly installed the code himself by inserting a USB stick into the control systems or he infected the machine of an engineer, who then unwittingly delivered Stuxnet when he programmed the control systems using a USB stick.

Once that was accomplished, the mole didn’t return to Natanz again, but the malware worked its sabotage throughout 2008. In 2009 the attackers decided to change tactics and launched a new version of the code in June that year and again in March and April 2010. This version, instead of closing valves on the centrifuges, varied the speed at which the centrifuges spun, alternately speeding them up beyond the level they were designed to spin at and slowing them down. The aim was to both damage the centrifuges and undermine the efficiency of the enrichment process. Notably, the attackers had also updated and compiled this version of the attack code back on Sept. 24, 2007, when they had compiled the code for the first version — suggesting that intelligence the Dutch mole had provided in 2007 may have contributed to this version as well.

By the time this later version of the code was unleashed, however, the attackers had lost the inside access to Natanz that they had enjoyed through the mole — or perhaps they simply no longer needed it. They got this version of Stuxnet into Natanz by infecting external targets who brought it into the plant. The targets were employees of five Iranian companies — all of them contractors in the business of installing industrial control systems in Natanz and other facilities in Iran — who became unwitting couriers for the digital weapon.

“It’s amazing that we’re still getting insights into the development process of Stuxnet [10 years after its discovery],” said Liam O’Murchu, director of development for the Security Technology and Response division at Symantec. O’Murchu was one of three researchers at the company who reversed the code after it was discovered. “It’s interesting to see that they had the same strategy for [the first version of Stuxnet] but that it was a more manual process. … They needed to have someone on the ground whose life was at risk when they were pulling off this operation.”

O’Murchu thinks the change in tactics for the later version of Stuxnet may be a sign that the capabilities of the attackers improved so that they no longer needed an inside mole.

“Maybe … back in 2004 they didn’t have the ability to do this in an automated way without having someone on the ground,” he said. “Whereas five years later they were able to pull off the entire attack without having an asset on the ground and putting someone at risk.”

But their later tactic had a different drawback. The attackers added multiple spreading mechanisms to this version of the code to increase the likelihood that it would reach the target systems inside Natanz. This caused Stuxnet to spread wildly out of control, first to other customers of the five contractors, and then to thousands of other machines around the world, leading to Stuxnet’s discovery and public exposure in June 2010.

International Atomic Energy Agency inspectors and Iranian technicians at the nuclear power plant in Natanz, Iran, in January 2014. (Photo: Kazem Ghane/AFP/Getty Images)

Months after Stuxnet’s discovery, a website in Israel indicated that Iran had arrested and possibly executed several workers at Natanz under the belief that they helped get the malware onto systems at the plant. Two of the intelligence sources who spoke with Yahoo News indicated that there indeed had been loss of life over the Stuxnet program, but didn’t say whether this included the Dutch mole.

While Stuxnet didn’t significantly set back the Iranian program — due to its premature discovery — it did help buy time for diplomacy and sanctions to bring Iran to the negotiating table. Stuxnet also changed the nature of warfare and launched a digital arms race. It led other countries, including Iran, to see the value in using offensive cyber operations to achieve political aims — a consequence the U.S. has been dealing with ever since.

Gen. Michael Hayden, former head of the CIA and the NSA, acknowledged its groundbreaking nature when he likened the Stuxnet operation to the atomic bombs dropped on Hiroshima and Nagasaki.

“I don’t want to pretend it’s the same effect,” he said, “but in one sense at least, it’s August 1945.”

Kim Zetter is a journalist and the author of Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Huib Modderkolk is a journalist with the Dutch newspaper de Volkskrant who broke the story last year of AIVD’s hack of Cozy Bear; he is also the author of Het is oorlog: maar niemand die het ziet (The Invisible War), to be published this week in the Netherlands.

Secret Dutch mole aided Stuxnet attack on Iran’s nuke program – report

Jerusalem Post · September 2, 2019

Stuxnet virus. (photo credit: Courtesy)

An Iranian mole recruited by Dutch intelligence was the US and Israel’s key to installing the Stuxnet virus on Iran’s nuclear centrifuges in Natanz, according to a report Monday by Yahoo News, citing foreign sources.

Neither the Mossad nor former Mossad agents or US intelligence agents reportedly involved in operations regarding Iran at the time had commented to The Jerusalem Post on the report by press time.

The Stuxnet virus ruined around 2,000 Iranian centrifuges, delaying Iran’s uranium enrichment plans by as much as a couple of years, according to analysts.

Many say that this additional time bought by multiple rounds of sabotage in the 2008-2010 time frame provided pressure and space to get the Iranians to negotiate over their nuclear program, eventually resulting in the 2015 nuclear deal.

The report said that according to multiple sources, the courier behind the intrusion into Natanz, whose existence and role had not been previously reported, was a mole recruited by Dutch intelligence agents at the behest of the CIA and the Mossad.

An Iranian engineer recruited by Dutch intelligence agency AIVD, four intelligence sources noted in the report, provided critical data that helped the US developers target their cyberattack code to the systems at Natanz.

That mole then either inserted a USB flash drive with the virus onto Iranian systems (since the systems were not connected to the internet) or manipulated another person working at Natanz into doing so.

The report said that, besides the central players – the US and Israel – three other countries participated; two of them were the Netherlands and Germany. It said that the third is believed to be France, although UK intelligence also allegedly played a role.

It has been previously reported that Germany contributed technical specifications and knowledge about the industrial control systems made by the German firm Siemens, which were used in the Iranian plant to control the spinning centrifuges. The report said that France is believed to have provided similar intelligence.

But, the Dutch, according to the report, were in a unique position to deliver key intelligence about Iran’s activities to procure equipment from Europe for its illicit nuclear program and about the centrifuges themselves.

This was because the centrifuges at Natanz were based on designs stolen from a Dutch company in the 1970s by Pakistani scientist Abdul Qadeer Khan, who used them for Pakistan’s nuclear program and later to help Iran and Libya.

Over the course of years of negotiations, the CIA and the Mossad convinced the Dutch and their operative to cooperate and be their man in Natanz as they developed the cyber weapon that would make history.

Later rounds of cyberattacks on Iran’s nuclear program did not require the operative’s physical presence in Natanz, but his initial intelligence and physical presence provided the basis for Stuxnet’s success.

Another important aspect of the Dutch operative eventually losing access to Natanz was that it may have been a factor that led the Mossad, against US advice, to reportedly act more aggressively with the Stuxnet virus in later stages.

When confronted with the difference of opinion between the Mossad and the CIA on the later uses of Stuxnet, one former Mossad operative has told the Post that those criticizing Israel for over-aggressiveness were usually not as directly threatened by Iran’s nuclear program.

But the new details about the Dutch mole’s loss of physical access provide a new window into why later rounds of cyberattacks on Iran’s nuclear program might have been exposed – and not only because of aggressiveness.

Physical access to Natanz may also have helped cover the cyberattack’s tracks, whereas a purely external cyberattack might be more easily exposed.

Another fascinating aspect of the report was that the Dutch mole failed to infiltrate Natanz with one straw company before succeeding with another straw company, reportedly with guidance from the Mossad.

It was unclear why the sources who made the new revelations were coming forward now.

Often such new revelations come to influence current events, when a key actor retires and wants credit or when an operative dies, such that revealing his activities will no longer put him in danger.

It was unclear how this revelation might influence the ongoing current nuclear standoff between the US, Israel and Iran.

There are recent tensions between the Netherlands and Iran with the Dutch accusing Iran of involvement in attacks in 2015 and 2017. There are also ongoing internal battles within the EU about how to view Iran.
