[HN Gopher] Engineer Used Water Pump to Get $1B Stuxnet Malware ...
___________________________________________________________________
Engineer Used Water Pump to Get $1B Stuxnet Malware into Iranian
Nuclear Plant
Author : rmason
Score : 113 points
Date : 2024-01-11 19:53 UTC (3 hours ago)
(HTM) web link (www.securityweek.com)
(TXT) w3m dump (www.securityweek.com)
| vlovich123 wrote:
| Why is the name of an asset being leaked? Doesn't this put a
| target on this guys back and make it less likely for other assets
| to cooperate?
| ecnahc515 wrote:
| He's dead. He died in a motorcycle accident according to the
| article.
| bmitc wrote:
| "Accident." Even still, it outs his family, including his
| Iranian wife.
| vlovich123 wrote:
| The timing on that is quite the coincidence.
|
| > Van Sabben passed away in the United Arab Emirates two
| weeks after the Stuxnet attack as a result of a motorcycle
| accident.
| foobarian wrote:
| Assuming the news reporting is true, of course. Would be a
| convenient way to protect the real asset.
| vlovich123 wrote:
| I missed the last sentence at the end.
| RohanAlexander wrote:
| From the article: "Van Sabben [the engineer] passed away in the
| United Arab Emirates two weeks after the Stuxnet attack as a
| result of a motorcycle accident."
| salynchnew wrote:
| This fact gives the whole story "Operation Mincemeat" vibes,
| tbh.
| rdtsc wrote:
| > Van Sabben passed away in the United Arab Emirates two weeks
| after the Stuxnet attack as a result of a motorcycle accident.
|
| Well, that's not suspicious at all. Any of the parties involved
| could conceivably benefit from his accident.
| iwontberude wrote:
| I agree to the first point that it isn't suspicious given how
| dangerous motorcycle accidents are. These accidents have a
| staggering 80% injury or death rate.
| lwhi wrote:
| Yep, the perfect way to dispatch him without raising too much
| suspicion.
| iwontberude wrote:
| But it's Occam's razor that says it's more likely to be in a
| wreck because he commutes on a motorcycle.
| mlyle wrote:
| I don't know whether commuting on a motorcycle or working
| for foreign intelligence to sabotage a hostile state is
| more dangerous.
|
| Either one can cause what looks like a typical accident.
| noqc wrote:
| Neither Occam's nor Hanlon's razor are to be used in
| strategic pursuits.
| xwolfi wrote:
| But I mean, even my dad died of a motorcycle accident...
| maybe this dude just did too ?
| croes wrote:
| Isn't the question how dangerous motorcycles are and not how
| dangerous motorcycle accidents?
|
| Plane crashes have a pretty high death rate too, but plane
| crashes are rare.
|
| What is the probability of having a motorcycle accident in
| Saudi Arabia?
| rgmerk wrote:
| It was the United Arab Emirates.
|
| The odds of dying in a traffic accident in that country are
| considerably higher than in the United States, and _much_
| higher than in other developed countries (sorry USA, you
| suck at road safety, but not as much as the UAE does)[1].
|
| While I don't have country-specific statistics to hand, the
| odds of dying riding a motorcycle are much, much higher
| than in a car. One estimate is that you are around 27 times
| more likely to die per distance driven/ridden [2].
|
| Even so, in an absolute sense, the odds of dying on a
| typical motorcycle commute are low. My guess is that your
| odds of meeting foul play shortly after screwing with the
| Iranian nuclear program are likely higher than dying in a
| random traffic accident. But coincidences do occur.
|
| [1] https://en.wikipedia.org/wiki/List_of_countries_by_traffic-r...
|
| [2] https://www.autoinsurance.org/motorcycle-vs-car-accidents/
| dingnuts wrote:
| Citation 1 does not support the claim that the USA "sucks
| at road safety" -- only a handful of the countries listed
| actually have a statistic for deaths per km traveled,
| which is the metric that matters (since the USA is much
| less dense than many of the countries it's being compared
| to, its citizens drive farther).
|
| The US is right in the middle -- doing better than the
| Czech Republic and South Korea -- on the metric that
| matters on the page you linked, but really, more data is
| needed because the metric you want to look at is mostly
| missing from the table.
| rdtsc wrote:
| They are especially dangerous in autocratic countries, when
| also co-operating with powerful intelligence agencies, trying
| to plant spyware in an arch-enemy's nuclear infrastructure. I
| hear even helmets and spine protectors have a hard time with
| that situation :-)
|
| But to be serious, I meant it mostly that it's certainly one
| case that would warrant extra investigations. Even if it was
| a random accident, someone like the Iranians could have
| claimed that their super advanced spy hunting team got him.
| declaredapple wrote:
| > These accidents have a staggering 80% injury or death rate
|
| This is not the number that really matters in this context.
|
| Falling out of an 8-story window has an incredibly high
| injury/death rate. Yet those we often assume ARE the result
| of foul play.
|
| What we're really comparing here is the probability of a
| party either lying, or contributing to (causing) the motorcycle
| accident. The lethality rates aren't super interesting in
| this case. The main difference between this and falling out
| of windows is that window falls are much more rare than
| motorcycle accidents.
| kube-system wrote:
| > Falling out of an 8-story window has an incredibly high
| injury/death rate. Yet those we often assume ARE the result
| of foul play.
|
| Who is 'we'? Falls out of buildings are overwhelmingly due
| to accidents by tradespeople or suicide.
|
| Most homicides by being pushed from a height occur in
| remote areas, not from buildings. Most windows on high
| buildings are limited in how far they open during normal
| operation for safety reasons. And most older buildings that
| lack these features have smaller windows with higher sills.
| Statistics aren't tracked to this level by most crime
| reports because it is so overwhelmingly rare for someone to
| be killed this way.
|
| While homicidal defenestration makes for a good fictional
| story line, I don't think it is useful for murderers.
| declaredapple wrote:
| I should have specified - important/at-risk people who
| suddenly fall from a window, especially after they did
| something the country they were in doesn't like.
|
| > Statistics aren't tracked to this level by most crime
| reports because it is so overwhelmingly rare for someone
| to be killed this way.
|
| The real issue here is we aren't comparing the statistics
| of the "average joe". For random-person we can predict
| the reason for their fall was unlikely to be state-level
| foul play - in fact near zero chance of it.
|
| The likelihood of state-level foul play is substantially
| higher for spies, rich oligarchs with unpopular opinions,
| journalists, etc. How much higher I have no idea.
|
| ---
|
| Anyway my point was the lethality of the cause of death
| is really not what anyone is interested in. When spies,
| rich oligarchs with unpopular opinions, journalists, etc
| die shortly after they did something particularly
| provoking I don't think people care about the lethality
| of the incident as much as the cause.
| kube-system wrote:
| Yes, when people work in sensitive positions with the
| potential to make enemies, they have a higher risk of
| death from those causes.
|
| However, it's also easy to fall into the fallacious trap
| of defining people solely by their profession. People who
| have sensitive jobs and also do other risky activities in
| their spare time incur those risks _in addition_ to the
| risks they have due to their profession.
|
| In fact, some successful people with enemies engage in
| more risky activities because they can afford to do so.
| Rich people dying in general aviation accidents is a
| pretty frequent pattern, for example.
| nneonneo wrote:
| https://en.wikipedia.org/wiki/Suspicious_deaths_of_Russian_b...
|
| Plenty of weirdly coincidental falls from windows:
|
| > Ravil Maganov, September 1 2022, reportedly
| hospitalised for heart problems and depression, then
| "fell out of a window"
|
| > Grigory Kochenov, December 7 2022, reportedly fell to
| his death from his balcony while officials from the
| Investigative Committee executed a search warrant for his
| apartment
|
| > Dmitriy Zelenov, December 9 2022, reportedly felt ill
| and fell over a railing and hit his head, later died in
| hospital without regaining consciousness
|
| > Pavel Antov, December 24 2022, fell out of window from
| Hotel Sai International
|
| > Marina Yankina, February 16 2023, found dead after
| falling from a window on the 16th-floor of a high-rise
| building.
|
| > Artyom Bartenev, June 8 2023, found dead after falling
| 12 stories from his apartment window.
|
| > Kristina Baikova, June 23 2023, fell off her apartment
| at the 11th floor; circumstances of the incident have not
| yet been clarified.
| bostonsre wrote:
| That's pretty screwed up to kill an asset like that. I doubt
| Iran could have unraveled the plot so quickly and I'm not sure
| how they could benefit from killing him.
| AlecSchueler wrote:
| The US/Israel benefits because he's no longer around to talk
| about it.
| rustcleaner wrote:
| This one sees!
| michaelt wrote:
| Or it wasn't Van Sabben, and the US/Israel just picked some
| random dead guy to pin the blame on.
|
| These stories are all "according to intelligence sources",
| they can really anonymously brief out anything that serves
| their needs.
| runjake wrote:
| After a quick public records search, it looks like he was
| a real person -- or a real identity with a tangible
| history. It appears he was formerly married to an
| American woman in his first marriage.
| pedalpete wrote:
| The comment isn't suggesting that he didn't exist, but
| rather that after he died in the motorcycle accident, it
| was possible to say that he was the actor and protect the
| people who were actually involved.
|
| All this requires is to understand who died shortly after
| Stuxnet who could have feasibly been involved.
| ARandomerDude wrote:
| It's been done before.
|
| https://en.m.wikipedia.org/wiki/Operation_Mincemeat
| oh_sigh wrote:
| Talking about it would have painted a huge target on his
| back for retribution from the Iranian government. It would
| have also put a target on his wife's back, as well as all
| of her family that is presumably still in Iran. Killing him
| also would make it much harder to recruit assets in the
| future, if it became common knowledge that you will be
| offed after your mission is complete.
|
| It seems much more likely that he actually did die in a
| random motorcycle accident (not uncommon), or he was
| entirely uninvolved and a dead man was chosen to pin blame
| on in order to hide the real method(or, to make Iranians
| stop trusting foreign contractors, making them do
| everything in-house with higher costs and worse quality).
| ghufran_syed wrote:
| In general, intelligence agencies _don't_ tend to kill
| their assets to keep them quiet, because that "benefit" is
| massively outweighed by the negative effect when trying to
| recruit the next 1000 assets over the next few years -
| pragmatism and self-interest, not morality. So it's much
| more likely Iran did it - if a foreign engineer who worked
| at the attacked site suddenly decides to leave the country,
| it doesn't take 2 weeks to identify him as a suspect, more
| like 2 seconds. And if they kill him, it at least sends the
| message to other potential assets who might work against
| the interests of Iran. I'm sure Iran would have preferred
| to capture and question him to try to unravel the rest of the
| network, but they'd settle for killing him I think?
| vkou wrote:
| It's much more likely that they just pinned this story on
| some guy who died in a motorcycling accident.
|
| The point of killing someone over some wrong they did you
| is _publicizing it after the fact_. If you don't take
| credit for it, it doesn't have any deterrent power.
| RationalDino wrote:
| Or alternately, they staged what appeared to be a fatal
| accident to put him in a witness protection program.
|
| Or alternately, he did it and then tried to back out of
| the deal. Now arranging an apparently accidental death
| then became the best way to keep security intact.
|
| The one theory that makes no sense is that they intended
| his death from the beginning.
| LanceH wrote:
| The problem with killing an asset is that you've now
| involved multiple more teams of assets who now know that
| you kill assets. This is not how you keep secrets, nor
| how you retain people who keep secrets.
|
| Like the JFK assassination theories that involve killing
| off an additional dozens of people. You can't cover up
| one murder by involving an extra 1000 people.
| lostlogin wrote:
| > I'm not sure how they could benefit from killing him.
|
| It's a pretty strong signal to others that there are
| consequences.
| goles wrote:
| The idea that someone would use their real identity, or not
| disappear and get a new identity, while on covert action
| against America's enemies is so absurd it's almost a great skit
| idea.
|
| "We successfully attacked the nuclear facility!"
|
| "Oh Van, by the way what name did you sign in the log book?"
|
| "...Oh no"
|
| I imagine there are a non-zero number of readers (but not
| commenters) who find these stories' comments extremely funny.
| b4ke wrote:
| maybe the death was an implementation detail?
| wddkcs wrote:
| Gallows humor, we'd be dead without it
| ibejoeb wrote:
| He must've fucked up big time even to have been recruited.
| That was a kamikaze mission from the outset. It's amazing he
| got it done at all.
| SCM-Enthusiast wrote:
| This is Iran priority #1. I'm surprised it took Iran two
| weeks. They benefited by sending a message.
| lwhi wrote:
| My thoughts exactly.
| mensetmanusman wrote:
| Also, his actual existence could be a fabrication itself as
| part of a counter op.
| lebean wrote:
| Don't stop there! What if the whole thing was made up? Who's
| to say otherwise?! /s
| trhway wrote:
| The guy probably existed. It is his involvement which may
| have been fabricated to hide the real story. His death, the
| time and the manner, exactly provides indirect credibility to
| such fabrication.
| geocrasher wrote:
| Indeed, his involvement could have been fabricated after
| his death, and he'd be unable to defend himself.
| mensetmanusman wrote:
| I'm thinking this is the most likely case, all of this
| stuff is great for generating confusion.
| myth_drannon wrote:
| It's a big assumption that he died. A pretty standard way to
| disappear is to die in some 3rd world country where you can
| easily bribe the officials.
| logicchains wrote:
| The UAE is one of the richest countries in the world, not a
| good place to go for cheap bribes.
| jorblumesea wrote:
| Any proof he died? It's not hard for western countries to
| manufacture identities. Pretty common practice to give sources
| a form of witness protection.
| swarnie wrote:
| A CIA/Mossad pension plan?
|
| Do you think he got the villa next to Epstein or Kobe?
| lp4vn wrote:
| Exactly what I thought.
|
| It's much easier for a country to retire an engineer with a
| fat paycheck than to create an incredible amount of distrust
| killing him.
|
| An assassination only makes sense if somehow he threatened to
| tell everything to the Iranian government.
| EA-3167 wrote:
| The article is mistaken, I don't know if it was a typo or
| misunderstanding. He actually died two *years* after this
| event, and given how insane driving in the UAE is that doesn't
| seem hard to believe. Two years is a long time to leave a loose
| end dangling that you intend to disappear after all.
|
| https://english.aawsat.com/features/4778291-stuxnet-mystery-...
| HomeDeLaPot wrote:
| Yes, one of the X (formerly Twitter) screenshots confirms he
| died in 2009 while the operation took place in 2007.
| throwup238 wrote:
| The operation to install the pump was in 2007 but the
| damage seems to have started in 2009 when Iran started to
| replace the centrifuges. Stuxnet was publicized in 2010 but
| Iran might have found out about it before that time.
| at-fates-hands wrote:
| >> Well, that's not suspicious at all.
|
| He was a well known engineer that had worked in Dubai for 12
| years in the transport industry and had an Iranian wife. He was
| well known as an engineer at the forefront of the rapid
| development of major projects in the Gulf region.
|
| A regional paper even published his obituary in 2009:
|
| https://www.thenationalnews.com/uae/engineer-who-helped-buil...
|
| Excerpt:
|
| _Erik van Sabben, a Dubai-based engineer whose expertise in
| the heavy lifting and transport industry placed him at the
| forefront of the rapid development in the Gulf over the past
| decade, has died. A keen motorcycle rider, he was killed in an
| accident near Dhaid on Jan 16, just two weeks short of his 37th
| birthday. Born in Vlissingen, The Netherlands, Mr van Sabben
| had lived in the Gulf on and off for 12 years. While an
| undergraduate, he worked as a trainee for Mammoet Gulf in
| Dubai, a specialist heavy lifting company, which he joined
| after graduating. He spent the next decade in Dubai, and
| briefly, Abu Dhabi._
| Magi604 wrote:
| I'm getting black ops vibes from this.
| vitiral wrote:
| Did you consider it could have been faked?
| jonathankoren wrote:
| >Well, that's not suspicious at all. Any of the parties
| involved could conceivably benefit from his accident.
|
| I swear, the latest generation of conspiracy theorists are
| really pathetic.
| WhackyIdeas wrote:
| So I am going to float another conspiracy just for fun sakes...
|
| USA and Israel think Iran have got a bit close to figuring out
| Stuxnet culprit, they put out a story and use a poor guy who
| can't defend himself against the accusation of being involved,
| one who happened to have had a tragic accident with a motorbike
| and who so just happened to do some work in Iran. And boom, the
| death is suspicious so there must be truth to it all...
|
| That is probably more believable (to me at least).
| bmitc wrote:
| Would be nice to know more details. The mention of water pump is
| pretty useless, especially one person saying "uh huh" and the
| other saying "nuh huh". I am assuming it came with an industrial
| controller that connected via Ethernet which spread the malware.
| boomboomsubban wrote:
| A recent discussion on the same story
| https://news.ycombinator.com/item?id=38909220
| runnr_az wrote:
| If one spends $1B on Malware, how does that money get used? Seems
| like a lot of dev time...
| neverartful wrote:
| If they told you, you would also have a fatal accident.
| dotancohen wrote:
| Probably to acquire the equipment that the code needs to run
| on.
| shmatt wrote:
| An Israeli 8200 engineer makes $350/month for 24/7
| availability. Must be the Americans making all the money
| MeImCounting wrote:
| Developing this type of malware is a lot more complicated than
| developing some web service or database.
|
| For instance the attack path isn't immediately clear and there
| needs to be a period of developing proof of concept exploits
| that are then tested in a variety of environments, there need
| to be persistence techniques developed, there needs to be a C2
| system, there need to be methods to avoid detection. Stuxnet
| was probably a collection of many 0days that were used in
| conjunction. Each 0day probably takes months of "dev time" at
| minimum to develop.
| dgrin91 wrote:
| _conspiracy hat on_
|
| I wonder if he ain't dead and they faked his death in case his
| name ever got out (like this)
| muststopmyths wrote:
| In the middle of the article:
|
| >Ralph Langner, a researcher who conducted an in-depth analysis
| of Stuxnet after the malware's existence came to light, noted
| that "a water pump cannot carry a copy of Stuxnet".
|
| In his Xitter post he also says the infiltration timeline doesn't
| match his analysis.
|
| https://twitter.com/langnergroup/status/1744389845638635727
|
| Who to believe?
| ksjskskskkk wrote:
| love how the article ends with a bunch of Xitter links
| disproving everything it said.
| kurthr wrote:
| It's almost as if plausible deniability is all it's about.
| iamthirsty wrote:
| > For anybody getting worked up about the Stuxnet article in de
| Volkskrant: A water pump cannot carry a copy of Stuxnet Erik
| van Sabben's visit to Iran allegedly happened end of 2018,
| whereas we assume initial infiltration in 2017.
|
| Well, that's all the proof I needed -- a twitter post with no
| further information.
|
| Obviously he may be right as he is a researcher and most likely
| actually did the research, but an non-sourced definitive
| statement on social media is not what I consider "proof".
| huitzitziltzin wrote:
| This article simultaneously says "here are a bunch of things we
| claim happened" and then paragraphs later quotes experts who say
| they could not have or did not happen that way. Why is this
| valuable? I know as little as I did before reading it.
| theginger wrote:
| I don't really understand the point being made. It just seems to
| basically be a story about a baseless rumor, the CIA could not
| confirm or deny, so it must be true, except an independent expert
| has suggested it's not even possible.
|
| Have I missed anything?
| stefanos82 wrote:
| While I was reading it, I couldn't stop myself from thinking
| "Bourne franchise".
| poundofshrimp wrote:
| For all we know, the death could have been fabricated and the guy
| is still alive under another identity. This isn't entirely
| unreasonable given Iran would have probably tried to kill him
| anyway, so this could have been agreed by him and the government
| beforehand to protect his life.
| LanceH wrote:
| Or he's completely uninvolved and it's now pinned on him.
| photochemsyn wrote:
| The story I read was that the perpetrators had access to the
| physical centrifuge control center for a while, and used a thumb
| drive carried by a contract engineer to plant the malware. Then
| they lost that physical access, and the centrifuge center
| replaced all its computers or re-installed the OS, and so they
| tried to use a viral worm (Stuxnet) to get in and deliver the
| malware to the target system, which somehow escaped onto the web,
| resulting in Stuxnet getting detected.
|
| Here's a past discussion on HN:
|
| "Unilateral Israeli changes to Stuxnet caused its exposure,
| angering US" 2016, 132 comments:
|
| https://news.ycombinator.com/item?id=11108748
|
| The key point is in the Ralph Langner pdf in the top comment there
| (To Kill a Centrifuge, 2013):
|
| > "Stuxnet's early version had to be physically installed on a
| victim machine, most likely a portable engineering system, or it
| could have been passed on a USB stick carrying an infected
| configuration file for Siemens controllers. Once that the
| configuration file was opened by the vendor's engineering
| software, the respective computer was infected. But no
| engineering software to open the malicious file, equals no
| propagation."
|
| > "That must have seemed to be insufficient or impractical for
| the new version, as it introduced a method of self-replication
| that allowed it to spread within trusted networks and via USB
| sticks even on computers that did not host the engineering
| software application. The extended dropper suggests that the
| attackers had lost the capability to transport the malware to its
| destination by directly infecting the systems of authorized
| personnel."
|
| On the positive side, this event led to a lot of job creation in
| the energy-related cybersecurity sector. This is an informative
| read from the time:
|
| https://nuclear.duke-energy.com/2012/02/07/stuxnet-and-cyber...
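The Langner excerpt quoted above draws a line between two dropper designs: the early one only executed when a host opened the malicious controller configuration file with the vendor's engineering software, while the later one self-replicated over trusted networks and USB media on any host. The model below makes that difference concrete as a reachability calculation. It is an added example written for this thread, not code from Langner, from the paper, or from any Stuxnet analysis; every host name, link and the "engineering software installed" flag is constructed for illustration.

```python
# Toy reachability model of the two dropper designs described in the Langner
# excerpt ("To Kill a Centrifuge"). Added example for this thread, not code
# from Langner or any report; all hosts, links and labels are constructed.
from collections import deque

# Constructed environment: which hosts run the vendor's engineering software,
# the only thing that can open (and thereby execute) a controller config file.
HOSTS = {
    "contractor-laptop": True,   # infected seed, has engineering software
    "eng-station-1": True,
    "file-server": False,
    "office-pc-1": False,
    "office-pc-2": False,
    "eng-station-2": True,
}

# Constructed links between hosts: "usb" = files carried on removable media,
# "net" = a trusted-network share. Links are undirected.
LINKS = [
    ("contractor-laptop", "eng-station-1", "usb"),
    ("eng-station-1", "file-server", "net"),
    ("file-server", "office-pc-1", "net"),
    ("office-pc-1", "office-pc-2", "net"),
    ("office-pc-2", "eng-station-2", "usb"),
]


def neighbours(host):
    """Yield (other_host, link_kind) for every link touching `host`."""
    for a, b, kind in LINKS:
        if a == host:
            yield b, kind
        elif b == host:
            yield a, kind


def spread(seed, can_infect):
    """Breadth-first propagation from `seed`. `can_infect(host, kind)` decides
    whether a host reached over a link of `kind` becomes an active carrier
    that keeps spreading. Returns the set of infected hosts."""
    infected = {seed}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        for nxt, kind in neighbours(host):
            if nxt not in infected and can_infect(nxt, kind):
                infected.add(nxt)
                queue.append(nxt)
    return infected


def early_version_reach(seed="contractor-laptop"):
    """Early dropper: the malicious configuration file is carried by hand or
    on a USB stick and only executes when a host opens it with the engineering
    software. A host without that software may hold the file but never runs
    it, so propagation stops there ("no engineering software ... equals no
    propagation")."""
    return spread(seed, lambda host, kind: kind == "usb" and HOSTS[host])


def extended_version_reach(seed="contractor-laptop"):
    """Extended dropper: self-replicates over trusted-network links and USB
    media regardless of what software the host runs."""
    return spread(seed, lambda host, kind: True)


def collateral(infected):
    """Infected hosts that cannot deliver the controller payload (no
    engineering software): the footprint that makes the worm visible."""
    return {h for h in infected if not HOSTS[h]}


if __name__ == "__main__":
    early = early_version_reach()
    late = extended_version_reach()
    print("early version reaches   :", sorted(early))
    print("extended version reaches:", sorted(late))
    print("collateral infections   :", sorted(collateral(late)))
```

Run as-is it shows the trade-off the comment describes: the early design stops at the one engineering station reachable by hand-carried media, while the extended design reaches the second engineering station behind the office network but only by also infecting three hosts that have nothing to do with controllers, which is exactly the kind of spread that ends up on an antivirus vendor's desk.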
| WhackyIdeas wrote:
| $1-2 Billion... At that moment I thought this article is probably
| complete trash.
|
| I'm not that gullible (even though the word 'gullible' was
| removed from the English dictionary in 2021, I am still fond of
| it).
|
| But, seriously. No chance on earth. It's just PR. And the pump
| thing is probably just psychological warfare... 'if they can put
| it into a water pump, they can put it into anything...'.
|
| It was more likely just a mundane USB stick. Every computer has a
| usb port.
| pseingatl wrote:
| And a few months later, a similar attack against Saudi Aramco
| wiped out all of their computer systems, including back-ups.
| Saudi Aramco management had to rely on employees who kept
| unauthorized external drives to back up data. Much was lost. Iran
| is suspected but: were they able to isolate, turn around and
| weaponize Stuxnet for their own use?
| NelsonMinar wrote:
| The original Dutch language reporting:
| https://www.volkskrant.nl/kijkverder/v/2024/sabotage-in-iran...
| ARandomerDude wrote:
| > Stuxnet, which reportedly cost $1-2 billion to develop
|
| Wow. Arguably worth it but that is a staggering figure.
| tslmy wrote:
| What's that North Korean flag doing there in the cover image?
| padjo wrote:
| 2 billion? Did they sit on diamond chairs while they coded or
| something?
___________________________________________________________________
(page generated 2024-01-11 23:00 UTC)