
A Dutchman was responsible for infecting equipment at Iran's Natanz nuclear plant in 2008 with the Stuxnet virus, leading to years of delay in the country's nuclear program, a Dutch publication, Volkskrant, claims.
Erik van Sabben, who was 36 at the time, is claimed to have carried out the task after having been recruited in 2005 by the AIVD, a Dutch intelligence outfit.
A few years ago, Volkskrant claimed Van Sabben had been recruited by AIVD and also another Dutch intelligence outfit, MIVD.
Stuxnet was discovered by researcher Sergey Ulasen in 2010; he joined Russian security firm Kaspersky a year later. At that time, the virus was believed to have been infiltrated into the Natanz plant through a USB drive as the lab was not connected to any external network.
But Volkskrant claimed the equipment used to infect the plant was a water pump that Van Sabben himself had installed there. The engineer is said to have left Iran soon after he carried out this task and died two weeks later in a motorcycle accident in Dubai.
His death is claimed to have been natural, and not due to any foul play. He was apparently chosen for the task because of his technical background and also his links with Iran: he was already doing business in the country and was married to an Iranian woman.
The Volkskrant report said the Dutch government was unaware of the operation, with an anonymous source at AIVD claiming this was due to potential political fallout, adding that it was usual practice to "sweep the prime minister's doorstep clean".
Another new claim by Volkskrant was that Stuxnet, which is believed to have been developed jointly by the NSA and Israel's Unit 8200, cost more than US$1 billion to create.
Reacting to the story, Costin Raiu, long-time head of Kaspersky's Global Research & Analysis Team who left the company last year, said: "Some interesting points from the article: Stuxnet cost more than US$1 billion to build (!).
"If true, it was brought into Natanz in a 'water pump', that later spread it to the network.
"The guy who did this died in 2009, so very important detail, the Stuxnet variant he brought in 2007 would be a really early one, like Stuxnet 0.5.
"IMHO, the really impactful variants were the later ones, that were seeded through five different organisations in Iran, in 2009 and 2010."
Mikko Hypponen, chief research officer at security firm WithSecure, said he did not buy the claim of the US$1 billion price tag. "Millions, certainly, dozens of millions, sure. A billion? I don’t think so," he said.