The infamous Stuxnet cyber-attack on Iran’s nuclear program was made possible by an insider recruited by a Dutch intelligence agency, who fed back crucial information and deployed the virus, according to a new report.
Although not confirmed by Dutch agency AIVD, the CIA or Mossad, a Yahoo News story cites four unnamed intelligence sources to back up its claims.
Operation “Olympic Games,” as it was known, is said to have involved not just these but also intelligence agencies from Germany, France and the UK.
The AIVD was useful to the operation because the crucial centrifuges at the Iranian Natanz nuclear facility were apparently based on designs stolen from a Dutch company in the 1970s by a Pakistani scientist.
It was these centrifuges, used to enrich the uranium needed to produce nuclear weapons, that the Western allies decided they needed to disrupt in order to set Iran’s nuclear program back.
The AIVD then played another crucial role, using an insider in Iran to gain employment at the plant as a mechanic.
Once there, he was able to gather vital intelligence on the configuration of the centrifuges, so that the Stuxnet code could be written to sabotage the facility only in specific operational circumstances.
He then deployed the virus via USB to jump the air-gap — either directly or by infecting a Natanz engineer’s computer system, according to the report.
Later versions are said to have circumvented the lack of direct connectivity at the plant by infecting targets who then unwittingly carried the malware inside with them.
Phil Neray, VP of industrial cybersecurity for CyberX, explained that it’s much easier to infect industrial environments today.
“The air gap has disappeared in virtually all environments except perhaps nuclear facilities, driven by business initiatives like Industry 4.0 and IIoT that require increased connectivity between OT networks, IT networks, and the internet,” he added.
“It's a lot easier today to send a phishing email to an employee or third-party contractor who has remote access to the control network, and then steal their credentials to conduct cyber-espionage to identify the specific manufacturers and model numbers of devices in the environment, followed by remotely inserting custom malware specifically designed to compromise those devices.”
This approach has been used in TRITON attacks on a petrochemical plant and the Industroyer attack on a Ukrainian energy supplier, Neray said.