A report from the Netherlands claims that a Dutch man played a key role in the notorious Stuxnet worm attack against an Iranian nuclear facility, which then accidentally escaped into the wider world.
It’s not news that the US and Israel are widely believed to be the creators of the sophisticated Stuxnet malware, which exploited zero-day flaws to sabotage Iran’s uranium enrichment facilities at Natanz, or that the US is believed to have later tried to use a version of Stuxnet against North Korea’s nuclear weapons program.
If the report from NL Times is taken at face value, what is news is that an agent of AIVD (the Dutch intelligence agency), named as Erik van Sabben, also assisted the attack.
The suggestion is that Erik van Sabben gained access to Natanz, working undercover for a company installing equipment at the nuclear facility. Such a person might not only be able to gather technical information about the computer systems that manage centrifuges, but also introduce malware on a USB stick.
It certainly sounds a more plausible way of introducing malware to an air-gapped system than leaving a USB stick lying around in the car park, and hoping that someone picks it up and plugs into a PC.
Perhaps the most eyebrow-raising claim of all made in the report is an almost throwaway remark that Stuxnet “cost over a billion dollars to develop.”
That seems an astonishingly large amount of money to have spent on a piece of malware, even for one so targeted and revolutionary as Stuxnet. I find the figure hard to take seriously without more explanation as to how it was calculated.
Much of the report by NL News appears to be based on a lengthy piece in de Volksrant from 2019, written by investigative Dutch journalist Huib Modderkolk.
However, that article makes no mention of Erik van Sabben, and claims that AIVD recruited an unnamed Iranian (not Dutch) engineer.
Unfortunately, Erik van Sabben can’t respond to the claims that he played a critical role in one of the most notorious cyber attacks in history. He died in a motorbike accident, shortly after leaving Iran, in January 2009. He was 36 years old.
Update: Thanks to Clu-blog reader Baerd who got in touch to point out that NL News‘s story appears to be based upon a more recent article from de Volksrant than the one NL News was linking to originally.