Vahid Salemi/AP/File
An Iranian technician works at the Uranium Conversion Facility 255 miles south of the capital Tehran, Iran, Feb. 3, 2007.

Exclusive: New thesis on how Stuxnet infiltrated Iran nuclear facility

The Stuxnet worm that attacked Iran's nuclear facility at Natanz came to light nearly four years ago, but how it got there remains a mystery. A possible new explanation, outlined Tuesday, cites the supply chain as the key.

One enduring mystery about Stuxnet, the first cyberweapon the world has known, is this: Just how did that “digital missile” infiltrate Iran’s secret Natanz nuclear fuel-enrichment facility in the first place?

A new thesis about that, to be outlined Tuesday at a security conference in San Francisco, points to a vulnerability in the Iranian facility's supply chain – and may hold lessons for owners of critical infrastructure in the US concerning how to guard their own industrial equipment against cyberattack.

Presented by Critical Intelligence, a cyber security firm based in Idaho Falls, Idaho, the tale of cyber infiltration comes nearly four years after the covert operation was discovered. It’s already been fairly well documented that the United States and Israel created the Stuxnet worm, which ultimately infected and destroyed about 1,000 fuel-refining centrifuges at Natanz. The surreptitious attack sowed confusion within Iran’s uranium-fuel-enrichment program, which the US suspects is aimed at creating a nuclear bomb, and delayed it for years.

But how did Stuxnet get in there? As early as 2004, US intelligence agencies identified an Iranian company, NEDA Industrial Group, that had oversight of the Natanz facility’s computerized industrial control systems, says the Critical Intelligence report, citing documents gleaned from federal court cases, leaked State Department cables, and nuclear proliferation reports. 

Documents suggest that the US was monitoring NEDA’s efforts to procure components that may be needed for a nuclear weapons program, says Sean McBride, lead author of the report and director of analysis for Critical Intelligence. The report is the first to name NEDA in connection with Stuxnet. 

The US, he maintains, had identified NEDA as Iran's leading expert in Siemens Step7 software used throughout Iran’s nuclear program, including its centrifuge fuel-refining system. Then, probably in 2008, the US targeted industrial control systems equipment that NEDA had ordered from suppliers overseas.

Leaked State Department cables posted on the WikiLeaks website show the US at that time to have been seeking to intercept shipments of equipment headed to Iran.

“It’s my contention that the evidence shows the US targeted the leading Siemens control systems integrator for Natanz – and that was NEDA,” Mr. McBride says in a phone interview. “NEDA would have had all the plans for just how the Natanz system was going to be set up, the proper centrifuge speeds, when they would be turned on and off. The company had all the key information the US needed to write Stuxnet – and then a way to get the worm into Natanz.”

Sometime around 2008, computerized industrial control system equipment bound for Iran was intercepted, and Stuxnet or other malware was installed on it before it was sent on its way, McBride posits.

His thesis runs contrary to prevailing theories that a spy used a memory stick, or “thumb drive,” to introduce Stuxnet into the network. Rather, NEDA engineers unwittingly installed infected work stations or other equipment, which then proceeded to infect all of Natanz’s systems, McBride says.

Among the report’s findings are online documents showing that NEDA was involved in industrial control systems work in Iran. They include archived files in which an Iranian control systems engineer, identified only as “Behrooz,” asks during an online Siemens support forum for help dealing with an unspecified virus that he says had infected all the machines in his company’s network.

Other online documents show that person was probably Mohammad Rez, an engineer with NEDA. By September 2008, the US Department of Commerce had added NEDA to a watch list of companies thought to be assisting Iran’s nuclear program. Finally, in December 2012 NEDA and a handful of other companies were placed on a US Treasury Department list of firms banned from doing business with the US because of alleged involvement in Iran’s nuclear program. E-mail requests to NEDA seeking comment on the new report were not returned.

McBride says his findings are not conclusive, and he notes that gaps in documentation remain. But they do dovetail with recent media reports based on top-secret National Security Agency documents leaked by Edward Snowden, a former NSA contractor. One such report reveals aggressive NSA efforts to “interdict” computer equipment in transit and to install surveillance software and hardware before the equipment reaches an intended surveillance target.

Some security experts say McBride's hypothesis makes sense given what is now known about the frequent cyber vulnerability of corporate suppliers – and is a warning shot across the bow of critical infrastructure operators in the US that use them.

“It’s certainly a plausible theory,” says Jen Weedon, a manager in the threat intelligence division at Mandiant, a firm specializing in mitigating cyber espionage attacks on US corporations. “We’ve seen a lot of targeting of supply chains and partner companies in the US by the Chinese. For a difficult target like Natanz, infiltrating the supply chain would make a lot of sense – and it could work that way in the US, too, if companies aren’t careful.”

Worldwide, even large companies with excellent cyber defenses are facing the fact that smaller business partners may have less robust security and may be vulnerable to attacks, she and others note.

“It highlights an infection vector – contractors – that almost definitely would be used against hard targets in the US,” writes Ralph Langner, the cyber security expert who first identified Stuxnet as a cyber weapon, in an e-mail interview. “A sophisticated attacker wouldn't bother to try directly attacking a power utility, for example. They would go after the several hundred contractors with access to critical distribution systems [such as] electrical substations.”

Did US intelligence agencies score one of their biggest cyber attack victories using clandestine supply-chain infiltration to get Stuxnet into Natanz?

“I’m not saying other theories about how Stuxnet got into Natanz aren’t true,” McBride says. “They could be. But there’s plenty of evidence that what I’m suggesting happened was what actually did happen.”

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Exclusive: New thesis on how Stuxnet infiltrated Iran nuclear facility
Read this article in
QR Code to Subscription page
Start your subscription today