Security News

Secret Dutch Mole Aided CIA and Mossad Stuxnet Cyber Attack on Iran

One of the world's most infamous malware, Stuxnet, was delivered to its Iranian target in 2007 by a mole recruited by the Dutch intelligence agency, AIVD, according to sources who spoke with Yahoo News.

The mole - an Iranian engineer - was able to gain access to a uranium-enrichment plant near the village of Natanz and gather information for the attack on systems at the plant. Then, when the time came, he uploaded Stuxnet using a USB flash drive.

The Dutch were asked by the CIA and the Israeli intelligence agency, Mossad, in 2004 to help and it took three years before the mole was able to unleash the malware, which targeted centrifuges that were an essential part of the uranium enrichment process. The sabotage wasn't intended to wipe out Iran's nuclear program, but set it back and act as a catalyst to get Iran to the negotiating table, which it did (resulting in the 2015 'Iran nuclear deal', which the US withdrew from in May 2018).

While the US and Israel were the main instigators, the Netherlands, Germany and UK were also involved, along with (it is believed) the French. The Dutch, however, were able to provide specific intelligence about Iran’s "activities to procure equipment from Europe for its illicit nuclear program", including the all-important centrifuges. They also had an insider - the mole - in Iran.

The plan to deliver Stuxnet was a long time in the making. Iran started building the facility at Natanz in 2000, with the intention that 50,000 centrifuges would be housed there. Israeli and Western intelligence agencies monitored goings on at Natanz and in 2002 inspectors with the International Atomic Energy Agency demanded access to the site, where they discovered Iran's nuclear program had progressed further than initially thought.

Iran agreed to halt activity at Natanz but resumed within a couple of years. It was at this point that the CIA and Mossad wanted to get inside the facility and turned to AIVD and their mole, who set up a dummy company - complete with employees, customers and data showing a history of activity - with every intention of using this as a front to gain access to Natanz. However, access was denied due to issues with the set up of the company and, according to one of Yahoo's sources, "the Iranians were already suspicious."

While this was happening, a (successful) sabotage test was conducted during 2006 with the same centrifuges as those at Natanz. The results of the test were presented to President George W Bush, who authorized the covert operation to proceed.

By now the mole had established a second dummy company and sometime during early 2007 he got inside Natanz by posing as a mechanic. Once inside, he was able to access the area where he could collect configuration information about the systems. The mole returned to Natanz numerous times over the next few months.

"(He) had to get in several times in order to collect essential information (that could be used to) update the virus accordingly," one of the sources told Yahoo News.

Security firm Symantec reverse-engineered Stuxnet after it was discovered and showed that updates were made to the code in May 2006 and February 2007, with final changes occurring on September 24, 2007. This final change modified key functions needed to co-ordinate the attack and compiled the code (the last step before launching it).

According to Yahoo, "the control systems at Natanz were air-gapped, meaning they weren’t connected to the internet, so the attackers had to find a way to jump that gap to infect them. Engineers at Natanz programmed the control systems with code loaded onto USB flash drives, so the mole either directly installed the code himself by inserting a USB into the control systems or he infected the system of an engineer, who then unwittingly delivered Stuxnet when he programmed the control systems using a USB stick."

The mole didn't return to Natanz after 2007 and later versions of the malware were taken into Natanz via 'infected' external targets, namely employees of five Iranian companies who installed industrial control systems in the facility.

Stuxnet changed warfare as we know it, to the point where General Michael Hayden, former head of the CIA and the NSA, drew similarities between what happened with Stuxnet and use of atomic bombs during WWII: "I don’t want to pretend it's the same effect, but in one sense at least, it's August 1945."

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.

Get weekly security news and vulnerability alerts

Join 752 others receiving a free weekly report with a round-up of vulnerabilities and security news customised to your software stack. See an example email

Example email for SecAlerts

Earlier: