Engineer Used Water Pump to Get $1B Stuxnet Malware into Iranian Nuclear Plant (securityweek.com)
266 points by rmason 8 months ago | 184 comments



In the middle of the article:

>Ralph Langner, a researcher who conducted an in-depth analysis of Stuxnet after the malware’s existence came to light, noted that “a water pump cannot carry a copy of Stuxnet”.

In his Xitter post he also says the infiltration timeline doesn't match his analysis.

https://twitter.com/langnergroup/status/1744389845638635727

Who to believe?


Does anyone else remember the 27C3 presentation on this? My takeaway was that Stuxnet was _largely_ enabled by 0day vulnerabilities in Microsoft's products. The especially damning one was the print spooler script running vulnerability.

Anyways, from this perspective, even back then, the analysis was pretty thorough:

https://www.youtube.com/watch?v=rOwMW6agpTI


The thing that made it so notable at the time is that it was basically using 'all the things'... a hardcoded password by Siemens, a zero day in some Siemens code, a couple stolen private keys from Taiwanese hardware manufacturers, and 4 Windows zero days (the print spooler one, something with Shortcuts, and two escalation of privilege vulns).


Love how the article ends with a bunch of Xitter links disproving everything it said.


It's almost as if plausible deniability is all it's about.


First time I've read Xitter .. what a vibe.


My first thought was "Xitter! That's clever, but I'm not sure if it's as funny if you're not familiar with pinyin".

If you're not familiar with pinyin, do you still read that X as making an "Sh" sound, as in Xi Jinping?


> For anybody getting worked up about the Stuxnet article in de Volkskrant: A water pump cannot carry a copy of Stuxnet. Erik van Sabben's visit to Iran allegedly happened end of 2018, whereas we assume initial infiltration in 2017.

Well, that's all the proof I needed — a twitter post with no further information.

Obviously he may be right as he is a researcher and most likely actually did the research, but a non-sourced definitive statement on social media is not what I consider "proof".


Furthermore he may be wrong. After living through the Xbox 360 modding scene and the cat and mouse between home hackers, not state-sponsored hackers with unlimited resources, I am always amazed when I look back at the cat and mouse game and what the Xbox hackers came up with. It’s simply mind blowing at times. The one that comes to mind is when Microsoft started making games 8 GB by default. Lots of games used padding to fill that space, so hackers then truncated games. Microsoft learned to detect and ban consoles using truncated games, so hackers created custom software to flash to DVD burners so that the burner could burn to the outermost edge of the disc not normally usable. It was so cool to see this back and forth. My point is that with unlimited resources who knows what sort of creative way this water pump could have been used to transport the malware.


I think Sony benefitted from turning a blind eye to PS2 piracy. And I also think Microsoft might have purposefully used hackers to develop counter attacks. Maybe for fun.


Piracy promotes a platform - if there is one company that understands that thoroughly, that's Microsoft.

Hence, I doubt they employed people to promote piracy on the PS2.


Langner's a pretty authoritative source on the matter. I believe he was the first one to figure out what Stuxnet's target actually was.


A water pump has no software on it. If you have a variable frequency drive - potentially in that case you do.


A water pump on sophisticated scientific equipment may well have software running it, it depends on the device and the water pump.


I'd say it's even likely. I have worked on software for electric pumps, not this kind, but in general everything has software running on it now.

The more hard to believe part is that a lot of electric equipment like water pumps have very simple software running on them, which might only be controlled by some messages on a serial bus that sends certain commands. To use that as a vector you would need the software to have very specific vulnerabilities.


You're thinking of one specific kind of "water pump", a small device with a simple microcontroller. But a "water pump" could mean many things, and it could be a larger system that is run by a computer running Windows, with functionality that is essentially "a water pump" but it may be doing far more than only pumping water. Often the details are lost when journalists try to dumb down a subject so an average luddite can read it. The actual equipment may be a large box that has a water input and water output, but contain many other functions within - and the article does not describe any of this, it simply says "water pump", so of course some people are going to construe that as simply a motor, an H-bridge, and a microcontroller. But the reality is that it could be a far more complex device than that. The "water pump" designation could come from nothing more than the "telephone game" where information gets diluted as it gets told to successive people in the chain until it gets written in an article simply as "water pump" when it could be a far more sophisticated piece of equipment than that.


True, I wouldn't call it a water pump if it was some separate, sophisticated control system that controls more than a water pump. But it's a realistic scenario.


Well a water pump for a nuclear reactor (or around) might.


A water pump cannot carry Stuxnet.... but the variable frequency drive (VFD) that runs the motor which runs the pump in theory could host malware within the drive's firmware. Or perhaps the VFD was interdicted and had some custom hardware installed? This is all assuming that it's a variable speed pump and not a fixed speed, in which case it's basically directly wired to line voltage with a big electrical switch for on/off control.

VFDs are connected to the process control system through a variety of interfaces... simple voltage or current loops, serial buses like BACnet, Modbus, or Ethernet interfaces like Modbus TCP.


Hacked VFD firmware makes the most sense to me. The PLC/PAC is giving a reference of xx Hz, the hacked VFD overrides the speed reference to destroy the centrifuge but reports back that everything is tickety-boo.


I think Stuxnet was much more sophisticated, and the pump (along with VFD) could be an entry point into their network.

The centrifuges that were destroyed are not driven by pumps. Motors, yes, but not pumps.


It was a Siemens system, so PXC.


This article simultaneously says “here are a bunch of things we claim happened” and then paragraphs later quotes experts who say they could not have or did not happen that way. Why is this valuable? I know as little as I did before reading it.


“I know as little as I did before reading it”

Maybe that was the point. To throw more mis/disinformation to cause more guessing on how it happened instead of who.


The amount of people still thinking about it more than a decade later had to be minimal, surely.


For all we know, the death could have been fabricated and the guy is still alive under another identity. This isn’t entirely unreasonable given Iran would have probably tried to kill him anyway, so this could have been agreed by him and the government beforehand to protect his life.


Or he's completely uninvolved and it's now pinned on him.


> Van Sabben passed away in the United Arab Emirates two weeks after the Stuxnet attack as a result of a motorcycle accident.

I'm afraid he was not told the truth of the operation...


I don't really understand the point being made. It just seems to basically be a story about a baseless rumor, the CIA could not confirm or deny, so it must be true, except an independent expert has suggested it's not even possible.

Have I missed anything?


Why would the CIA even respond to this publicly?


The story I read was that the perpetrators had access to the physical centrifuge control center for a while, and used a thumb drive carried by a contract engineer to plant the malware. Then they lost that physical access, and the centrifuge center replaced all its computers or re-installed the OS, and so they tried to use a viral worm (Stuxnet) to get in and deliver the malware to the target system, which somehow escaped onto the web, resulting in Stuxnet getting detected.

Here's a past discussion on HN:

"Unilateral Israeli changes to Stuxnet caused its exposure, angering US" 2016, 132 comments:

https://news.ycombinator.com/item?id=11108748

The key point is in the Ralph Langner PDF in the top comment there (To Kill a Centrifuge, 2013):

> "Stuxnet’s early version had to be physically installed on a victim machine, most likely a portable engineering system, or it could have been passed on a USB stick carrying an infected configuration file for Siemens controllers. Once that the configuration file was opened by the vendor’s engineering software, the respective computer was infected. But no engineering software to open the malicious file, equals no propagation."

> "That must have seemed to be insufficient or impractical for the new version, as it introduced a method of self-replication that allowed it to spread within trusted networks and via USB sticks even on computers that did not host the engineering software application. The extended dropper suggests that the attackers had lost the capability to transport the malware to its destination by directly infecting the systems of authorized personnel."

On the positive side, this event led to a lot of job creation in the energy-related cybersecurity sector. This is an informative read from the time:

https://nuclear.duke-energy.com/2012/02/07/stuxnet-and-cyber...


I'll point to a NYT story from 2012: <https://www.nytimes.com/2012/06/01/world/middleeast/obama-or...>

>Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others — both spies and unwitting accomplices — with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”

>In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later, more sophisticated methods were developed to deliver the malicious code.

>The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians were mystified about the cause, according to intercepts that the United States later picked up. “The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence,” one of the architects of the early attack said.

I have it saved for that quote: "It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand."


"Van Sabben passed away in the United Arab Emirates two weeks after the Stuxnet attack as a result of a motorcycle accident."

Well, what an unfortunate coincidence.


If one spends $1B on Malware, how does that money get used? Seems like a lot of dev time...


Developing this type of malware is a lot more complicated than developing some web service or database.

For instance the attack path isn't immediately clear and there needs to be a period of developing proof of concept exploits that are then tested in a variety of environments, there needs to be persistence techniques developed, there needs to be a C2 system, there needs to be methods to avoid detection. Stuxnet was probably a collection of many 0days that were used in conjunction. Each 0day probably takes months of "dev time" at minimum to develop.


If they told you, you would also have a fatal accident.


Probably to acquire the equipment that the code needs to run on.


“Anybody mind if I take over centrifuge 3 for a bit to test this PR?”


"And by the way, if the PR works successfully, you won't be getting it back."


I wonder if they used an agile workflow? How long were their sprints? Did they use Jira?


What's your status? How have you been going so far since yesterday daily?


The retrospective after the centrifuge blew up must have been awesome.


No unknowns when it comes to the "what the team should keep doing" box.


Work from home?


An Israeli 8200 engineer makes $350/month for 24/7 availability. Must be the Americans making all the money


Huh? Salaries are that low in Israel? That's cheap even for some African countries lol


It's not a salary - the "8200" is Unit 8200 - part of the intelligence corps of the IDF. So, it's the pay for soldiers, and soldiers in the IDF don't get a salary, but they do get "pocket money".


It seems impossible to believe that the most sophisticated hackers on the planet are getting paid pocket money.


It’s their mandatory military service.

Basically a signal intelligence/hacking unit just like any other military outfit in their forces.

It is mostly 18 to 21 year olds. And I would think it looks really good in your CV if you want to work on the sector later.


Ah, thanks. I didn’t know it was mandatory. So if you want to work on Stuxnet, you’d start by climbing the corporate ladder for pocket money. Interesting.

I wonder which unit is the elite one.


Many are delusional and believe they are doing, "god's work." You couldn't pay me enough money to murder innocent children and civilians but many IDF do it for extremely low pay.


Sure, but killing people doesn’t require a lot of skill. Hacking does.

I’ve seen firsthand that security engineers tend to be paid less than mainstream dev roles, but pocket money for the best talent in the world seems unlikely. The IDF needs them more than they need the IDF. Even with religious beliefs in play, wouldn’t market forces still have an effect?


> than mainstream dev roles, but pocket money for the best talent in the world seems unlikely

Well, this of course only applies to the conscripts who are serving their mandatory (almost) 3 years in the IDF. It's not like you can leave and if you're planning to build your career in this field it's obviously preferable to serving in combat or logistics units.

I would assume they are more like interns/apprentices though (how useful can most 18-20 year olds be anyway?) and most real work is done by people who are actually being paid a salary.


Military service is mandatory in Israel, so if that was where you were born, you would not have a choice.


Question, do you have to do the military service as an Israeli citizen if you live somewhere else?


Israeli students in a US college that I went to returned to Israel, temporarily, to serve their nation.


I'm not a fan of the extreme Israeli right wing politics, but then it's quite easy to sympathize with this particular effort of trying to prevent/slow down Iran from acquiring nukes.


$1 billion water pump or $3.98 usb flash drive left in the parking lot?


"Blame the dead guy" always works.


There might be reasons why he's dead.

Him dying in a motorcycle accident is awfully convenient for whoever hired him if he was, indeed, involved in the operation.


What's that North Korean flag doing there in the cover image?


Why make it a worm that spread all over the world if they had access to the water pumps directly, doesn't make any sense. Now that it's so long ago, I guess a lot of people want their name on Stuxnet because of how sophisticated the attack was.


> Stuxnet, which reportedly cost $1-2 billion to develop

Wow. Arguably worth it but that is a staggering figure.


Is it worth it, to set back Iran's nuclear program only for two years? Obviously I know nothing about foreign nuclear policy, but 1b still sounds like a lot.


> Is it worth it, to set back Iran's nuclear program only for two years?

Dr Jeffrey Lewis (an American expert in nuclear nonproliferation) answers this with a no. Not on monetary grounds, but on the grounds that the setback is only momentary. (While as he proposes diplomacy can bring lasting change.)

I recommend his podcast "The Deal": https://www.middlebury.edu/deal-podcast

Season 1 and season 2 are entirely about the promise and the collapse of the nuclear deal with Iran. Season 2 episode 4 talks about Stuxnet.


Gandhi is usually who I worry about, but I'll definitely spend 0.01 of my gold per turn to slow down their science tree progression.


I mean it's a great deal for Israel, to get the US to fund efforts to sabotage your rival's nuclear program.

But it's hard to imagine it being worth it to the American taxpayer. Remember it's arguable whether Iran would have bothered pursuing this at all, except Israel itself is a nuclear power, which the United States allowed (see Taiwan in the 1980s for what the US does when other allies try and start their own programs).


Maybe, but I'm skeptical. Also, credibly blaming the infiltration on someone who is no longer alive could be a good way of protecting the spy who really did it and is still alive.


A recent discussion on the same story https://news.ycombinator.com/item?id=38909220


From the article: "Van Sabben [the engineer] passed away in the United Arab Emirates two weeks after the Stuxnet attack as a result of a motorcycle accident."


This fact gives the whole story "Operation Mincemeat" vibes, tbh.


I bet my ass that the recent re-emergence of the Stuxnet story has got everything to do with liability. Who is going to pay for all the damage done outside of Iran? Questions are tabled in Dutch parliament...

The focus on a guy with a USB stick and access to shitty SIEMENS/SCADA systems makes a nice james bond story but I don't see the actual relevance.


Can you elaborate, what kind of liability you are referring to and what the current case is in the Netherlands with regards to that?


https://www.tweedekamer.nl/kamerstukken/kamervragen/detail?i...

Here you go! ( Tweedekamer is Dutch parliament )

The news article resulting in the questions: https://www.volkskrant.nl/kijkverder/v/2024/sabotage-in-iran...

Looks like NL is going to do a "wir haben es nicht gewusst" in order to not be liable for collateral damage. "The Americans did it".


And a few months later, a similar attack against Saudi Aramco wiped out all of their computer systems, including back-ups. Saudi Aramco management had to rely on employees who kept unauthorized external drives to back-up data. Much was lost. Iran is suspected but: were they able to isolate, turn around and weaponize Stuxnet for their own use?


No, the Shamoon wiper used against Aramco was distinctly different.


Imagine the chaos they could cause by putting $1B into bounties and letters of marque style privateer actions.




Would be nice to know more details. The mention of water pump is pretty useless, especially one person saying "uh huh" and the other saying "nuh huh". I am assuming it came with an industrial controller that connected via Ethernet which spread the malware.


While I was reading it, I couldn't stop myself from thinking "Bourne franchise".


2 billion? Did they sit on diamond chairs while they coded or something?


Depends how many centrifuges they had to destroy to develop it.


You don't?


lol. I love how people can't believe it costs intelligence $1B to do this.

I suspect they don't understand that intelligence and the military function by pouring money on a problem until it gets solved despite profound, systemic failures.


Why don't you share your knowledge for those of us who would like to understand?


$1-2 Billion… At that moment I thought this article is probably complete trash.

I’m not that gullible (even though the word ’gullible’ was removed from the English dictionary in 2021, I am still fond of it).

But, seriously. No chance on earth. It’s just PR. And the pump thing is probably just psychological warfare… ‘if they can put it into a water pump, they can put it into anything…’.

It was more likely just a mundane USB stick. Every computer has a usb port.


A stuxnet update I see!


conspiracy hat on

I wonder if he ain't dead and they faked his death in case his name ever got out (like this)


I'm sure it's nothing but the conspiracy theorist in me is fascinated that he passed only two weeks after the attack by an accidental crash.


> Van Sabben passed away in the United Arab Emirates two weeks after the Stuxnet attack as a result of a motorcycle accident.

Well, that’s not suspicious at all. Any of the parties involved could conceivably benefit from his accident.


>> Well, that’s not suspicious at all.

He was a well known engineer that had worked in Dubai for 12 years in the transport industry and had an Iranian wife. He was well known as an engineer at the forefront of the rapid development of major projects in the Gulf region.

A regional paper even published his obituary in 2009:

https://www.thenationalnews.com/uae/engineer-who-helped-buil...

Excerpt:

Erik van Sabben, a Dubai-based engineer whose expertise in the heavy lifting and transport industry placed him at the forefront of the rapid development in the Gulf over the past decade, has died. A keen motorcycle rider, he was killed in an accident near Dhaid on Jan 16, just two weeks short of his 37th birthday. Born in Vlissingen, The Netherlands, Mr van Sabben had lived in the Gulf on and off for 12 years. While an undergraduate, he worked as a trainee for Mammoet Gulf in Dubai, a specialist heavy lifting company, which he joined after graduating. He spent the next decade in Dubai, and briefly, Abu Dhabi.


The article is mistaken, I don't know if it was a typo or misunderstanding. He actually died two *years* after this event, and given how insane driving in the UAE is that doesn't seem hard to believe. Two years is a long time to leave a loose end dangling that you intend to disappear after all.

https://english.aawsat.com/features/4778291-stuxnet-mystery-...


Yes, one of the X (formerly Twitter) screenshots confirms he died in 2009 while the operation took place in 2007.


The operation to install the pump was in 2007 but the damage seems to have started in 2009 when Iran started to replace the centrifuges. Stuxnet was publicized in 2010 but Iran might have found out about it before that time.


That's pretty screwed up to kill an asset like that. I doubt Iran could have unraveled the plot so quickly and I'm not sure how they could benefit from killing him.


The idea that someone would use their real identity, or not disappear and get a new identity, while on covert action against America's enemies is so absurd it's almost a great skit idea.

"We successfully attacked the nuclear facility!"

"Oh Van, by the way what name did you sign in the log book?"

"...Oh no"

I imagine there are a non-zero amount of readers (but not commenters) who find these stories comments extremely funny.


It sounds like something out of Four Lions - https://www.youtube.com/watch?v=okGgkfDy4bc


> "Oh Van, by the way what name did you sign in the log book?"

Actually his name is Erik, van Sabben is his last name. Perhaps that's how he got away with it.


I’ve known several people whose surname was Van<something> who simply went by “Van”.

They were all older gents, but it’s not outside the realm of plausibility that “Van” could be what van Sabben was called. :)


I think that only goes for when Dutch surnames are adopted by people who don't speak Dutch. "van Sabben" just means "from Sabben" and calling someone "From" just sounds weird. ;)


maybe the death was an implementation detail?


Sorry, I’ll respond seriously because re-reading my comment sounds like a bit of a cheap shot at P, et al.

From the report in Dutch, they raise the point he may not have even known the magnitude of what he was doing. Until it already had been done and he realized what happened.

Even AIVD/MIVD may have not known…or so they say.

But we will probably never know.


Gallows humor, we'd be dead without it


_he said, his face deadpan._


He was an asset, not a member of a secret service organization. He was in a useful position in a company, then he was recruited. It sounds like he was more of a useful idiot and not some mastermind.


> I'm not sure how they could benefit from killing him.

It’s a pretty strong signal to others that there are consequences.


Wouldn't they have to take credit for it and announce it if that's the case?


The US/Israel benefits because he's no longer around to talk about it.


Or it wasn't Van Sabben, and the US/Israel just picked some random dead guy to pin the blame on.

These stories are all "according to intelligence sources", they can really anonymously brief out anything that serves their needs.


> it’s unclear if Van Sabben knew exactly what he was doing, but his family said he appeared to have panicked at around the time of the Stuxnet attack.

It was his family who said that he started panicking, so he was probably involved.


After a quick public records search, it looks like he was a real person -- or a real identity with a tangible history. It appears he was formerly married to an American woman in his first marriage.


The comment isn't suggesting that he didn't exist, but rather that after he died in the motorcycle accident, it was possible to say that he was the actor and protect the people who were actually involved.

All this requires is to understand who died shortly after Stuxnet who could have feasibly been involved.



In general, intelligence agencies don’t tend to kill their assets to keep them quiet, because that “benefit” is massively outweighed by the negative effect when trying to recruit the next 1000 assets over the next few years - pragmatism and self-interest, not morality. So it's much more likely Iran did it - if a foreign engineer who worked at the attacked site suddenly decides to leave the country, it doesn't take 2 weeks to identify him as a suspect, more like 2 seconds. And if they kill him, it at least sends the message to other potential assets who might work against the interests of Iran. I’m sure Iran would have preferred to capture and question him to try unravel the rest of the network, but they’d settle for killing him I think?


It's much more likely that they just pinned this story on some guy who died in a motorcycling accident.

The point of killing someone over some wrong they did you is publicizing it after the fact. If you don't take credit for it, it doesn't have any deterrent power.


Or alternately, they staged what appeared to be a fatal accident to put him in a witness protection program.

Or alternately, he did it and then tried to back out of the deal. Now arranging an apparently accidental death then became the best way to keep security intact.

The one theory that makes no sense is that they intended his death from the beginning.


All believable scenarios. I personally am fond of the "pin it on a dead guy" story. I want to believe that western security services have some sense of elegance.


The problem with killing an asset is that you've now involved multiple more teams of assets who now know that you kill assets. This is not how you keep secrets, nor how you retain people who keep secrets.

Like the JFK assassination theories that involve killing off an additional dozens of people. You can't cover up one murder by involving an extra 1000 people.


You just make it clear that he was going to defect. Your remaining assets know that they're safe as long as they're loyal.


What are the odds though?

- Foreigner

- Engineer

- Married to Iranian

- Access to plant (Alleged)

- Died from non-natural causes within 2 weeks at age 36


the odds of someone riding a motorcycle dying in an accident in their lifetime is 1 in 747.


> If you don't take credit for it, it doesn't have any deterrent power.

The various deaths associated with Putin are a counter example here. Russia denies involvement but the method usually makes it pretty obvious. Rare poison, unlikely situation etc.


The Putin assassinations are a little different though. The assassinated are publicly known to have links to the regime. The methods of death have a similar signature and the rarity of that type of death makes most people draw one likely conclusion so that the message is communicated. People fall out of windows for minor infractions and to really send a message they are poisoned.

The asset in this case wasn't known publicly and the method of death makes people assume it was simply an accident. Unless they did some private announcement, no one was deterred. If it was Iran and they wanted to send a message, they would probably have to out the asset publicly and/or make it clear that it was an assassination. e.g. a bomb would send a clear signal that it was more likely to be a nation state assassination and not some accident or a random robbery/act of violence.


The entire point of stuxnet was to covertly sabotage the centrifuges, so it wasn't clear that they were broken until months or years later. 2 weeks isn't remotely long enough for Iran to know they were sabotaged.


Talking about it would have painted a huge target on his back for retribution from the Iranian government. It would have also put a target on his wife's back, as well as all of her family that is presumably still in Iran. Killing him also would make it much harder to recruit assets in the future, if it became common knowledge that you will be offed after your mission is complete.

It seems much more likely that he actually did die in a random motorcycle accident (not uncommon), or he was entirely uninvolved and a dead man was chosen to pin blame on in order to hide the real method(or, to make Iranians stop trusting foreign contractors, making them do everything in-house with higher costs and worse quality).


It doesn't even have to be a totally "random" (unrelated) motorcycle accident.

If he panicked after the Stuxnet attack, as his family is reported to have said, then it's likely he was behaving erratically and was fearful for his life.

That could easily translate to circumstances where he rides a motorcycle in a particularly dangerous manner - e.g. fleeing from someone he thought was Iranian/Dutch/US/Israeli intelligence (even if they weren't).


Or he didn't die and is off hiding somewhere.

Also, reasonable chance this entire story is fabricated and this was done a different way.


Not if he was going to defect.


This one sees!


He must've fucked up big time even to have been recruited. That was a kamikaze mission from the outset. It's amazing he got it done at all.


This is Iran priority #1. I'm surprised it took Iran two weeks. They benefited by sending a message.


Is a car accident and not publicly announcing it as a reprisal sending a message? Seems a little too quiet for that and like it might be cleaning up loose ends by someone else instead.


> I'm surprised it took Iran two weeks.

I’m not clear on the timeline. As I understand it, the hack went on for ages before it went malignant and started damaging stuff. Is it 2 weeks from being deployed, or 2 weeks from wrecking equipment?


Maybe he just got a new identity.


Also, his actual existence could be a fabrication itself as part of a counter op.


The guy probably existed. It is his involvement which may have been fabricated to hide the real story. His death, the time and the manner, exactly provides indirect credibility to such fabrication.


Indeed, his involvement could have been fabricated after his death, and he'd be unable to defend himself.


I'm thinking this is the most likely case, all of this stuff is great for generating confusion.


Wouldn't there be a concern for his wider family?


Don't stop there! What if the whole thing was made up? Who's to say otherwise?! /s


Any proof he died? It's not hard for western countries to manufacture identities. Pretty common practice to give sources a form of witness protection.


Exactly what I thought.

It's much easier for a country to retire an engineer with a fat paycheck than to create an incredible amount of distrust killing him.

An assassination only makes sense if somehow he threatened to tell everything to the Iranian government.


A CIA/Mossad pension plan?

Do you think he got the villa next to Epstein or Kobe?


I agree to the first point that it isn't suspicious given how dangerous motorcycle accidents are. These accidents have a staggering 80% injury or death rate.


> These accidents have a staggering 80% injury or death rate

This is not the number that really matters in this context.

Falling out of an 8 story window has an incredibly high injury/death rate. Yet those we often assume ARE the result of foul-play.

What we're really comparing here is the probability of a party either lying, or contributing (causing) the motorcycle accident. The lethality rates aren't super interesting in this case. The main difference between this and falling out of windows, is that window-falls are much more rare than motorcycle accidents.


> Falling out of an 8 story window has an incredibly high injury/death rate. Yet those we often assume ARE the result of foul-play.

Who is 'we'? Falls out of buildings are overwhelmingly due to accidents by tradespeople or suicide.

Most homicides by being pushed from a height occur in remote areas, not from buildings. Most windows on high buildings are limited in how far they open during normal operation for safety reasons. And most older buildings that lack these features have smaller windows with higher sills. Statistics aren't tracked to this level by most crime reports because it is so overwhelmingly rare for someone to be killed this way.

While homicidal defenestration makes for a good fictional story line, I don't think it is useful for murderers.


https://en.wikipedia.org/wiki/Suspicious_deaths_of_Russian_b...

Plenty of weirdly coincidental falls from windows:

> Ravil Maganov, September 1 2022, reportedly hospitalised for heart problems and depression, then "fell out of a window"

> Grigory Kochenov, December 7 2022, reportedly fell to his death from his balcony while officials from the Investigative Committee executed a search warrant for his apartment

> Dmitriy Zelenov, December 9 2022, reportedly felt ill and fell over a railing and hit his head, later died in hospital without regaining consciousness

> Pavel Antov, December 24 2022, fell out of window from Hotel Sai International

> Marina Yankina, February 16 2023, found dead after falling from a window on the 16th-floor of a high-rise building.

> Artyom Bartenev, June 8 2023, found dead after falling 12 stories from his apartment window.

> Kristina Baikova, June 23 2023, fell off her apartment at the 11th floor; circumstances of the incident have not yet been clarified.


And that entire list fits inside of the rounding error of the number of people who die due to suicide and accident each year. 1.7 million Americans have attempted suicide.


This list is not complete and we are talking about deaths, not attempted suicides and we are talking about deaths in closed circle, not in overall population, so it is a "statistical oddity".


I should have specified - important/at-risk people who suddenly fall from a window, especially after they did something the country they were in doesn't like.

> Statistics aren't tracked to this level by most crime reports because it is so overwhelmingly rare for someone to be killed this way.

The real issue here is we aren't comparing the statistics of the "average joe". For random-person we can predict the reason for their fall was unlikely to be state-level foul play - in fact near zero chance of it.

The likelihood of state-level foul play is substantially higher for spies, rich oligarchs with unpopular opinions, journalists, etc. How much higher I have no idea.

---

Anyway my point was the lethality of the cause of death is really not what anyone is interested in. When spies, rich oligarchs with unpopular opinions, journalists, etc die shortly after they did something particularly provoking I don't think people care about the lethality of the incident as much as the cause.


Yes, when people work in sensitive positions with the potential to make enemies, they have a higher risk of death from those causes.

However, it's also easy to fall into the fallacious trap of defining people solely by their profession. People who have sensitive jobs and also do other risky activities in their spare time incur those risks in addition to the risks they have due to their profession.

In fact, some successful people with enemies engage in more risky activities because they can afford to do so. Rich people dying in general aviation accidents is a pretty frequent pattern, for example.


Isn't the question how dangerous motorcycles are and not how dangerous motorcycle accidents are?

Plane crashes have a pretty high death rate too, but plane crashes are rare.

What is the probability of having a motorcycle accident in Saudi Arabia?


It was the United Arab Emirates.

The odds of dying in a traffic accident in that country are considerably higher than in the United States, and much higher than in other developed countries (sorry USA, you suck at road safety, but not as much as the UAE does)[1].

While I don't have country-specific statistics to hand, the odds of dying riding a motorcycle are much, much higher than in a car. One estimate is that you are around 27 times more likely to die per distance driven/ridden [2].

Even so, in an absolute sense, the odds of dying on a typical motorcycle commute are low. My guess is that your odds of meeting foul play shortly after screwing with the Iranian nuclear program are likely higher than dying in a random traffic accident. But coincidences do occur.

[1] https://en.wikipedia.org/wiki/List_of_countries_by_traffic-r...

[2] https://www.autoinsurance.org/motorcycle-vs-car-accidents/


Citation 1 does not support the claim that the USA "sucks at road safety" -- only a handful of the countries listed actually have a statistic for deaths per km traveled, which is the metric that matters (since the USA is much less dense than many of the countries it's being compared to, its citizens drive farther).

The US is right in the middle -- doing better than the Czech Republic and South Korea -- on the metric that matters on the page you linked, but really, more data is needed because the metric you want to look at is mostly missing from the table.


If we compare US to Germany that has 1000s of km without any speed restrictions then it has roughly 2 times less deaths. Even France, where people drive like they have a death wish has 1/3 less deaths. It is even slightly higher than Belgium that is the only Western European country where I have experienced potholes on highway. Perhaps US is not strictly sucking at it but it is as such clearly on the high side.


But the US designed the infra to make you go many more kilometers by car to even buy some groceries.


Yes, and US has therefore more traffic deaths by design.


They are especially dangerous in autocratic countries, when also co-operating with powerful intelligence agencies, trying to plant spyware in an arch-enemy's nuclear infrastructure. I hear even helmets and spine protectors have a hard time with that situation :-)

But to be serious, I meant it mostly that it's certainly one case that would warrant extra investigations. Even if it was a random accident, someone like the Iranians could have claimed that their super advanced spy hunting team got him.


It doesn't matter how dangerous. He had years before and after to die this way. The fact that it happened right after has very low probability to be by chance. Which means it very likely wasn't.


Yep, the perfect way to dispatch him without raising too much suspicion.


But it's Occam's razor that says it's more likely to be in a wreck because he commutes on a motorcycle.


I don't know whether commuting on a motorcycle or working for foreign intelligence to sabotage a hostile state is more dangerous.

Either one can cause what looks like a typical accident.


Neither Occam's nor Hanlon's razor are to be used in strategic pursuits.


You're applying Occam's razor for the most involved and complicated cyber attack in history, that was organized by some of the most powerful intelligence agencies in the world? Talk about stretching an already over stretched "rule of thumb"


Another great angle to the perfect crime.


But I mean, even my dad died of a motorcycle accident... maybe this dude just did too ?


It's a big assumption that he died. A pretty standard way to disappear is to die in some 3rd world country where you can easily bribe the officials.


The UAE is one of the richest countries in the world, not a good place to go for cheap bribes.


So I am going to float another conspiracy just for fun sakes…

USA and Israel think Iran have got a bit close to figuring out Stuxnet culprit, they put out a story and use a poor guy who can’t defend himself against the accusation of being involved, one who happened to have had a tragic accident with a motorbike and who just so happened to do some work in Iran. And boom, the death is suspicious so there must be truth to it all…

That is probably more believable (to me at least).


Not surprising. Remember, "To be an enemy of the US is dangerous, but to be a friend is fatal", as Van Sabben may have discovered.


Are we sure that he actually died in that accident and not chilling somewhere in Florida under a different name? Cause it can be a good cover story to disappear your agent that successfully fulfilled his mission.


> Are we sure that he's ... not chilling somewhere in Florida under a different name?

I don't see how punishing him further accomplishes anything.

source:Floridian


I'm getting black ops vibes from this.


Did you consider it could have been faked?


Whenever reading any CIA related files 'and then such and such happily passed away in an accident.' Y-yes, i-i believe it... (((anxious)))


My thoughts exactly.


>Well, that’s not suspicious at all. Any of the parties involved could conceivably benefit from his accident.

I swear, the latest generation of conspiracy theorists are really pathetic.


Why is the name of an asset being leaked? Doesn’t this put a target on this guy's back and make it less likely for other assets to cooperate?


He’s dead. He died in a motorcycle accident according to the article.


Assuming the news reporting is true, of course. Would be a convenient way to protect the real asset.


"Accident." Even still, it outs his family, including his Iranian wife.


The timing on that is quite the coincidence.

> Van Sabben passed away in the United Arab Emirates two weeks after the Stuxnet attack as a result of a motorcycle accident.


I missed the last sentence at the end.



