The mysterious Stuxnet worm — perhaps the most powerful ever created — managed to infiltrate computer systems in Iran and do damage to that nation’s nuclear research program. The new worm, dubbed Duqu, has no such targeted purpose. But it shares so much code with the original Stuxnet that researchers at Symantec Corp. say it must either have been created by the same group that authored Stuxnet, or by a group that somehow managed to obtain Stuxnet’s source code. Either way, Duqu’s authors are brilliant, and mean business, said Symantec’s Vikrum Thakur.
“There is a common trait among the (computers) being attacked,” he said. “They involve industrial command and control systems.”
Symantec speculates that Duqu is merely gathering intelligence as a precursor to a future industrial-strength attack on infrastructure computers…
McAfee researchers Guilherme Venere and Peter Szor said in a blog post that they are pretty sure Duqu was written by Stuxnet’s authors, in part because both programs utilize fraudulent “stolen” digital certificates which had been issued to companies in Taiwan. The use of what appear to be real digital certificate keys make both programs particularly deceptive. It also proves the programmers are clever enough to fool Certificate Authorities who issued the certificates.
ABC also sees the Stuxnet team’s fingerprints on Duqu, noting that “the authors of the new virus apparently had access to original Stuxnet code that was never made public,” and McAfee reports that the new virus uses a digital certificate “stolen” from a business in the same neighborhood in Taipei as the businesses from whom Stuxnet “stole” its own certificates. That’s reassuring insofar as most experts believe Stuxnet was a U.S./Israeli operation targeting Iran; if Son of Stuxnet really is a product of the same team then obviously it’s working for us, not against us. But … working to do what? Stuxnet, remember, wasn’t mere spyware. It was designed to actually take over the controls at industrial plants — like, say, Iran’s uranium enrichment facility — and make them go haywire. Duqu is pure spyware, but of an exceptionally advanced kind. It’s designed to infiltrate the same sort of industrial infrastructure and record keystrokes, pilfer design documents, and so forth. And apparently it’s a prelude to something big. More from ABC:
If successful, the information gleaned from those companies through Duqu could be used in a future attack on any industrial control system in the world where the companies’ products are used — from a power plant in Europe to an oil rig in the Gulf of Mexico.
“Right now it’s in the reconnaissance stage, you could say,” Symantec Senior Director for Security Technology and Response, Gerry Egan, told ABC News. “[But] there’s a clear indication an attack is being planned.”
Duqu is also not designed to spread on its own, so researchers believe its targets were the computer systems it had already infiltrated, Egan said.
That last part makes it sound like Duqu has been found on only a small number of systems, but NBC quotes a Symantec analyst as saying it’s now infected industrial computers “around the globe.” Either this is some sort of massive industrial-espionage fishing expedition by the Stuxnet team or ABC is wrong and Duqu is spreading inadvertently far beyond the systems that were initially targeted. Symantec’s own blog post on this says, “Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.” I’m not sure how it could be “highly targeted” and yet affecting systems “around the globe.” Just how ambitious is this looming operation, anyway?
The most curious thing about all of the posts I’ve linked here is that they’re conspicuously vague about which systems in which countries have actually been infected. If the worm is “highly targeted,” then it must be clear from the pattern of infection who the focus of the operation is, yet everyone seems to be keeping mum about that. The only specific (and intriguing) detail, per NBC, is that the command computer appears to be located in India. With facts as meager as that, the only limit on speculation about what’s happening is your imagination. Maybe it really is a big fishing expedition. Or maybe it’s simply phase two of the original Stuxnet operation, with the U.S. and Israel gathering info on Iran’s infrastructure for a massive cyberattack in the event of war. (Iran has been experiencing new setbacks to its nuclear program lately, although they appear to be unrelated to cyber-sabotage.) Or maybe the U.S. and Israel are now partnering with India to target Pakistan’s nuclear facilities. Or maybe the entire Middle East is now under surveillance to see who else might be inching towards nuclear proliferation as Iran gets closer to the bomb. Or maybe the U.S. and Israel weren’t behind Stuxnet after all and this is all a diabolical plot by Chinese hackers backed by Beijing. Stuxnet was meant to throw the world off their scent by focusing on Iran, and now Duqu’s doing the info-gathering China needs for cyberwar on the west if/when it comes to that. Stop me before I “maybe” again.
Update: A belated exit question. How can the U.S. be so squeamish about reducing the taboo on cyberwar that it would decline to attack Qaddafi’s computers, yet also so gung ho about cyberwar that it would unleash Stuxnet and Duqu on the world? An administration official provides a possible answer:
“These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there,” said one Obama administration official briefed on the discussions.
No comments:
Post a Comment