A report from the Netherlands claims that a Dutch man played a key role in the notorious Stuxnet worm attack against an Iranian nuclear facility, which then accidentally escaped into the wider world.
It’s not news that the US and Israel are widely believed to be the creators of the sophisticated Stuxnet malware, which exploited zero-day flaws to sabotage Iran’s uranium enrichment facilities at Natanz, or that the US is believed to have later tried to use a version of Stuxnet against North Korea’s nuclear weapons program.
If the report from NL Times is taken at face value, what is news is that an agent of AIVD (the Dutch intelligence agency), named as Erik van Sabben, also assisted the attack.
The suggestion is that Erik van Sabben gained access to Natanz, working undercover for a company installing equipment at the nuclear facility. Such a person might not only be able to gather technical information about the computer systems that manage centrifuges, but also introduce malware on a USB stick.
It certainly sounds a more plausible way of introducing malware to an air-gapped system than leaving a USB stick lying around in the car park, and hoping that someone picks it up and plugs it into a PC.
Perhaps the most eyebrow-raising claim of all made in the report is an almost throwaway remark that Stuxnet “cost over a billion dollars to develop.”
That seems an astonishingly large amount of money to have spent on a piece of malware, even for one so targeted and revolutionary as Stuxnet. I find the figure hard to take seriously without more explanation as to how it was calculated.
Much of the report by NL News appears to be based on a lengthy piece in de Volkskrant from 2019, written by Dutch investigative journalist Huib Modderkolk.
However, that article makes no mention of Erik van Sabben, and claims that AIVD recruited an unnamed Iranian (not Dutch) engineer.
Unfortunately, Erik van Sabben can’t respond to the claims that he played a critical role in one of the most notorious cyber attacks in history. He died in a motorbike accident, shortly after leaving Iran, in January 2009. He was 36 years old.
Update: Thanks to Clu-blog reader Baerd who got in touch to point out that NL News’s story appears to be based upon a more recent article from de Volkskrant than the one NL News was linking to originally.
I agree with you on the unlikeliness of the mentioned costs for developing Stuxnet. I assume it is based on an interview with former CIA Director Hayden in 2011:
https://www.thenationalnews.com/business/former-cia-chief-speaks-out-on-iran-stuxnet-attack-1.392917?outputType=amp
In a 2012 interview on CBS, Ralph Langner, who analyzed Stuxnet in detail, said you only needed a few million, not billions, to develop a virus like Stuxnet. It’ll also cost a few bucks to get it on the targeted site but a billion looks a bit exaggerated 💰
The article is based on a piece from the investigative journalism department at De Volkskrant (https://www.volkskrant.nl/kijkverder/v/2024/sabotage-in-iran-een-missie-in-duisternis~v989743/). NL news is just reporting based off that, so I encourage you to read that article.
Thanks for the link Baerd.
The NL News article was linking to an older article from De Volkskrant, so it's good to have a more up-to-date source for where they were getting their information from.
(Quoting from a SecurityWeek article, which had a screenshot of a Twitter thread between Raiu and Hypponen where this discussion happened)
"Costin Raiu, a reputable member of the cybersecurity industry and former director of Kaspersky’s research team, and Mikko Hypponen, chief research officer at WithSecure, have expressed some doubts regarding the amount."
Raiu put the cost of creating Stuxnet at $20 million (2005 dollars), and the whole operation at $1 billion.