{
	"id": "6a1536ee-ce78-465a-b73a-bac9a3875790",
	"created_at": "2026-04-06T00:09:27.053223Z",
	"updated_at": "2026-04-10T03:37:32.867768Z",
	"deleted_at": null,
	"sha1_hash": "29692df82394b9a0d85e0ff46a6add0301ee3d17",
	"title": "Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5472326,
	"plain_text": "Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet\r\ncyberattack on Iran\r\nBy Kim Zetter and Huib Modderkolk\r\nPublished: 2019-09-02 · Archived: 2026-04-05 14:28:36 UTC\r\nFor years, an enduring mystery has surrounded the Stuxnet virus attack that targeted Iran’s nuclear program: How\r\ndid the U.S. and Israel get their malware onto computer systems at the highly secured uranium-enrichment plant?\r\nThe first-of-its-kind virus, designed to sabotage Iran’s nuclear program, effectively launched the era of digital\r\nwarfare and was unleashed some time in 2007, after Iran began installing its first batch of centrifuges at a\r\ncontroversial enrichment plant near the village of Natanz.\r\nThe courier behind that intrusion, whose existence and role has not been previously reported, was an inside mole\r\nrecruited by Dutch intelligence agents at the behest of the CIA and the Israeli intelligence agency, the Mossad,\r\naccording to sources who spoke with Yahoo News.\r\nAn Iranian engineer recruited by the Dutch intelligence agency AIVD provided critical data that helped the U.S.\r\ndevelopers target their code to the systems at Natanz, according to four intelligence sources. That mole then\r\nprovided much-needed inside access when it came time to slip Stuxnet onto those systems using a USB flash\r\ndrive.\r\nThe Dutch were asked in 2004 to help the CIA and Mossad get access to the plant, but it wasn’t until three years\r\nlater that the mole, who posed as a mechanic working for a front company doing work at Natanz, delivered the\r\ndigital weapon to the targeted systems. “[T]he Dutch mole was the most important way of getting the virus into\r\nNatanz,” one of the sources told Yahoo.\r\nNeither the CIA nor the Mossad responded to inquiries from Yahoo News about the information. 
The AIVD\r\ndeclined to comment on its involvement in the operation.\r\nThe now famous covert operation known as “Olympic Games” was designed not to destroy Iran’s nuclear\r\nprogram outright but to set it back for a while to buy time for sanctions and diplomacy to take effect. That strategy\r\nwas successful in helping to bring Iran to the negotiating table, and ultimately resulted in an agreement with the\r\ncountry in 2015.\r\nThe revelation of Dutch involvement harkens back to a time when there was still extensive cooperation and\r\nstrong, multilateral agreement among the U.S. and its allies about how to deal with the Iranian nuclear program —\r\na situation that changed last year after the Trump administration pulled out of the hard-won nuclear accord with\r\nTehran.\r\nhttps://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html\r\nPage 1 of 8\n\nPresident Trump displays a document reinstating sanctions against Iran after announcing the U.S.\r\nwithdrawal from the Iran nuclear deal, May 8, 2018. (Photo: Saul Loeb/AFP/Getty Images)\r\nThe Olympic Games operation was primarily a joint U.S.-Israel mission that involved the NSA, the CIA, the\r\nMossad, the Israeli Ministry of Defense and the Israeli SIGINT National Unit, Israel’s equivalent of the NSA. But\r\nthe U.S. and Israel had assistance from three other nations, according to sources, hence the covert codename that\r\ngave nod to the five-ring symbol of the world’s most famous international sporting event. Two of the three\r\nparticipating players were the Netherlands and Germany. 
The third is believed to be France, although U.K.\r\nintelligence also played a role.\r\nGermany contributed technical specifications and knowledge about the industrial control systems made by the\r\nGerman firm Siemens that were used in the Iranian plant to control the spinning centrifuges, according to sources.\r\nFrance is believed to have provided intelligence of a similar sort.\r\nBut the Dutch were in a unique position to perform a different role — delivering key intelligence about Iran’s\r\nactivities to procure equipment from Europe for its illicit nuclear program, as well as information about the\r\ncentrifuges themselves. This is because the centrifuges at Natanz were based on designs stolen from a Dutch\r\ncompany in the 1970s by Pakistani scientist Abdul Qadeer Khan. Khan stole the designs to build Pakistan’s\r\nnuclear program, then proceeded to market them to other countries, including Iran and Libya.\r\nThe Dutch intelligence agency, known as AIVD, along with U.S. and British intelligence, infiltrated Khan’s\r\nsupply network of European consultants and front companies who helped build the nuclear programs in Iran and\r\nLibya. That infiltration didn’t just involve old-school tradecraft but also employed offensive hacking operations\r\nbeing developed as part of the burgeoning field of digital espionage.\r\nAIVD’s cyber capabilities are well known now — last year it was revealed that AIVD was responsible for tipping\r\noff the FBI to the 2016 hack of the Democratic National Committee, knowledge it had acquired because its\r\noperatives had hacked into computers belonging to the Russian hacking group known as Cozy Bear in 2014 and\r\nwere watching in 2015 when the Russians broke into computers at the U.S. 
State Department and the DNC.\r\nBut during the early days of Iran’s nuclear program, AIVD’s hacking team was small and still developing.\r\nNuclear physicist Abdul Qadeer Khan. (Photo: Robert Nickelsberg/Life Images Collection via Getty\r\nImages)\r\nThe Iranian program, which had been on the back burner for years, kicked into high gear in 1996, when Iran\r\nsecretly purchased a set of blueprints and centrifuge components from Khan. In 2000, Iran broke ground at Natanz\r\nwith plans to build a facility that would hold 50,000 spinning centrifuges for enriching uranium gas. That same\r\nyear, AIVD hacked the email system of a key Iranian defense organization in an effort to obtain more information\r\nabout Iran’s nuclear plans, according to sources.\r\nIsraeli and Western intelligence agencies secretly monitored the progress at Natanz over the next two years, until\r\nAugust 2002, when an Iranian dissident group publicly exposed the Iranian program at a press conference in\r\nWashington, D.C., using information provided by the intelligence agencies. Inspectors for the International\r\nAtomic Energy Agency, the United Nations body that monitors nuclear programs around the world, demanded\r\naccess to Natanz and were alarmed to discover that the Iranian program was much further along than believed.\r\nIran was pressed into agreeing to halt all activity at Natanz while the IAEA sought to obtain more information\r\nabout the nuclear program, and the suspension continued throughout all of 2004 and most of 2005. But it was only\r\na matter of time before operations at Natanz resumed, and the CIA and the Mossad wanted to be inside when they\r\ndid.\r\nThe request to the Dutch for help with this came toward the end of 2004, when a Mossad liaison working out of\r\nthe Israeli Embassy in the Hague and a CIA official based at the U.S. 
Embassy met with a representative from\r\nAIVD. There was no talk yet about inserting a digital weapon into the control systems at Natanz; the aim at that\r\ntime was still just intelligence.\r\nBut the timing wasn’t random. In 2003, British and U.S. intelligence had landed a huge coup when they\r\nintercepted a ship containing thousands of centrifuge components headed to Libya — components for the same\r\nmodel of centrifuges used at Natanz. The shipment provided clear evidence of Libya’s illicit nuclear program.\r\nLibya was persuaded to give up the program in exchange for the lifting of sanctions, and also agreed to relinquish\r\nany components already received.\r\nBy March 2004, the U.S., under protest from the Dutch, had seized the components from the ship and those\r\nalready in Libya and flown them to the Oak Ridge National Lab in Tennessee and to a facility in Israel. Over the\r\nnext months, scientists assembled the centrifuges and studied them to determine how long it might take for Iran to\r\nenrich enough gas to make a bomb. Out of this came the plot to sabotage the centrifuges.\r\nThe Department of Energy complex at Oak Ridge, Tenn. (Photo: Cryptome.org)\r\nThe Dutch intelligence agency already had an insider in Iran, and after the request from the CIA and Mossad came\r\nin, the mole decided to set up two parallel tracks — each involving a local front company — with the hope that\r\none would succeed in getting into Natanz.\r\nEstablishing a dummy company with employees, customers and records showing a history of activity takes time,\r\nand time was in short supply. In late 2005, Iran announced it was withdrawing from the suspension agreement,\r\nand in February 2006 it began to enrich its first batch of uranium hexafluoride gas in a pilot plant in Natanz. 
The\r\nIranians ran into some problems that slowed them down, however, and it wasn’t until February 2007 that they\r\nformally launched the enrichment program by installing the first centrifuges in the main halls at Natanz.\r\nBy then, development of the attack code was already long under way. A sabotage test was conducted with\r\ncentrifuges some time in 2006 and presented to President George Bush, who authorized the covert operation once\r\nhe was shown it could actually succeed.\r\nBy May 2007, Iran had 1,700 centrifuges installed at Natanz that were enriching gas, with plans to double that\r\nnumber by summer. But sometime before the summer of 2007, the Dutch mole was inside Natanz.\r\nThe first company the mole established had failed to get into Natanz — there was a problem with the way the\r\ncompany was set up, according to two of the sources, and “the Iranians were already suspicious,” one explained.\r\nThe second company, however, got assistance from Israel. This time, the Dutch mole, who was an engineer by\r\ntraining, managed to get inside Natanz by posing as a mechanic. His work didn’t involve installing the centrifuges,\r\nbut it got him where he needed to be to collect configuration information about the systems there. He apparently\r\nreturned to Natanz a few times over the course of some months.\r\n“[He] had to get … in several times in order to collect essential information [that could be used to] update the\r\nvirus accordingly,” one of the sources told Yahoo News.\r\nThe sources didn’t provide details about the information he collected, but Stuxnet was meant to be a precision\r\nattack that would only unleash its sabotage if it found a very specific configuration of equipment and network\r\nconditions. Using the information the mole provided, the attackers were able to update the code and provide some\r\nof that precision.\r\nThere is, in fact, evidence of updates to the code occurring during this period. 
According to the security firm\r\nSymantec, which reverse-engineered Stuxnet after it was discovered, the attackers made updates to the code in\r\nMay 2006 and again in February 2007, just as Iran began installing the centrifuges at Natanz. But they made final\r\nchanges to the code on Sept. 24, 2007, modifying key functions that were needed to pull off the attack, and\r\ncompiled the code on that date. Compiling code is the final stage before launching it.\r\nAn aerial view of the Natanz fuel enrichment plant. (Photo: DigitalGlobe via Getty Images)\r\nThe code was designed to close exit valves on random numbers of centrifuges so that gas would go into them but\r\ncouldn’t get out. This was intended to raise the pressure inside the centrifuges and cause damage over time and\r\nalso waste gas.\r\nThis version of Stuxnet had just one way to spread — via a USB flash drive. The Siemens control systems at\r\nNatanz were air-gapped, meaning they weren’t connected to the internet, so the attackers had to find a way to\r\njump that gap to infect them. Engineers at Natanz programmed the control systems with code loaded onto USB\r\nflash drives, so the mole either directly installed the code himself by inserting a USB into the control systems or\r\nhe infected the system of an engineer, who then unwittingly delivered Stuxnet when he programmed the control\r\nsystems using a USB stick.\r\nOnce that was accomplished, the mole didn’t return to Natanz again, but the malware worked its sabotage\r\nthroughout 2008. In 2009 the attackers decided to change tactics and launched a new version of the code in June\r\nthat year and again in March and April 2010. 
This version, instead of closing valves on the centrifuges, varied the\r\nspeed at which the centrifuges spun, alternately speeding them up to a level beyond which they were designed to\r\nspin and slowing them down. The aim was to both damage the centrifuges and undermine the efficiency of the\r\nenrichment process. Notably, the attackers had also updated and compiled this version of the attack code back on\r\nSept. 24, 2007, when they had compiled the code for the first version — suggesting that intelligence the Dutch\r\nmole had provided in 2007 may have contributed to this version as well.\r\nBy the time this later version of the code was unleashed, however, the attackers had lost the inside access to\r\nNatanz that they had enjoyed through the mole — or perhaps they simply no longer needed it. They got this\r\nversion of Stuxnet into Natanz by infecting external targets who brought it into the plant. The targets were\r\nemployees of five Iranian companies — all of them contractors in the business of installing industrial control\r\nsystems in Natanz and other facilities in Iran — who became unwitting couriers for the digital weapon.\r\n“It’s amazing that we’re still getting insights into the development process of Stuxnet [10 years after its\r\ndiscovery],” said Liam O’Murchu, director of development for the Security Technology and Response division at\r\nSymantec. O’Murchu was one of three researchers at the company who reversed the code after it was discovered.\r\n“It’s interesting to see that they had the same strategy for [the first version of Stuxnet] but that it was a more\r\nmanual process. ... 
They needed to have someone on the ground whose life was at risk when they were pulling off\r\nthis operation.”\r\nO’Murchu thinks the change in tactics for the later version of Stuxnet may be a sign that the capabilities of the\r\nattackers improved so that they no longer needed an inside mole.\r\n“Maybe … back in 2004 they didn’t have the ability to do this in an automated way without having someone on\r\nthe ground,” he said. “Whereas five years later they were able to pull off the entire attack without having an asset\r\non the ground and putting someone at risk.”\r\nBut their later tactic had a different drawback. The attackers added multiple spreading mechanisms to this version\r\nof the code to increase the likelihood that it would reach the target systems inside Natanz. This caused Stuxnet to\r\nspread wildly out of control, first to other customers of the five contractors, and then to thousands of other\r\nmachines around the world, leading to Stuxnet’s discovery and public exposure in June 2010.\r\nInternational Atomic Energy Agency inspectors and Iranian technicians at the nuclear power plant\r\nin Natanz, Iran, in January 2014. (Photo: Kazem Ghane/AFP/Getty Images)\r\nMonths after Stuxnet’s discovery, a website in Israel indicated that Iran had arrested and possibly executed several\r\nworkers at Natanz under the belief that they helped get the malware onto systems at the plant. Two of the\r\nintelligence sources who spoke with Yahoo News indicated that there indeed had been loss of life over the Stuxnet\r\nprogram, but didn’t say whether this included the Dutch mole.\r\nWhile Stuxnet didn’t significantly set back the Iranian program — due to its premature discovery — it did help\r\nbuy time for diplomacy and sanctions to bring Iran to the negotiating table. 
Stuxnet also changed the nature of\r\nwarfare and launched a digital arms race. It led other countries, including Iran, to see the value in using offensive\r\ncyber operations to achieve political aims — a consequence the U.S. has been dealing with ever since.\r\nGen. Michael Hayden, former head of the CIA and the NSA, acknowledged its groundbreaking nature when he\r\nlikened the Stuxnet operation to the atomic bombs dropped on Hiroshima and Nagasaki.\r\n“I don’t want to pretend it’s the same effect,” he said, “but in one sense at least, it’s August 1945.”\r\nKim Zetter is a journalist and the author of Countdown to Zero Day: Stuxnet and the Launch of the World’s First\r\nDigital Weapon. Huib Modderkolk is a journalist with the Dutch newspaper de Volkskrant who broke the story last\r\nyear of AIVD’s hack of Cozy Bear; he is also the author of Het is oorlog: maar niemand die het ziet (The Invisible\r\nWar), to be published this week in the Netherlands.\r\nSource: https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html"
	],
	"report_names": [
		"revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434167,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29692df82394b9a0d85e0ff46a6add0301ee3d17.pdf",
		"text": "https://archive.orkl.eu/29692df82394b9a0d85e0ff46a6add0301ee3d17.txt",
		"img": "https://archive.orkl.eu/29692df82394b9a0d85e0ff46a6add0301ee3d17.jpg"
	}
}