Computer security researchers are warning that a new version of the sophisticated cyberweapon that sabotaged Iran’s nuclear program could be the precursor to a new wave of cyberattacks.
The new weapon, dubbed Duqu, appears to use portions of the original source code from the Stuxnet worm that attacked computers at the Iranian nuclear plant at Natanz in 2009 and 2010.
It is designed to steal information to enable future attacks against the special computerized systems that control power stations, chemical plants, oil refineries and water treatment facilities, according to computer security firm Symantec.
“We thought the people behind Stuxnet would disappear. We caught them red-handed,” Symantec researcher Liam O Murchu told The Washington Times. “Instead, they’re back.”
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” Symantec warned in a bulletin issued last week.
Industrial control systems are considered among the most dangerous potential targets for computer hackers because they can be manipulated to damage or even destroy the plants they control, causing explosions at power stations, polluting drinking water supplies or releasing oil or deadly chemicals into the environment.
“This threat is highly targeted toward a limited number of organizations,” a Department of Homeland Security (DHS) bulletin says. “Although the method of propagation has yet to be determined, the targeted nature of the threat would make social engineering a likely method of attack.”
Social-engineering attacks generally involve email attachments that are cleverly designed to look as though they come from a colleague or other trusted associate. When opened, they install malicious software on the victim’s computer.
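The lure described above leaves a few traits that mail filters can check for before a user ever opens the attachment: a display name that impersonates a trusted colleague while the real address sits on a lookalike domain, a Reply-To that diverts answers elsewhere, and an attachment whose visible name hides an executable extension. The following Python script, added here as an illustration and not code from the article, Symantec or DHS, parses two constructed sample messages with the standard `email` library and reports those indicators; the trusted domain `acme.example`, the risky-extension list and the sample messages are assumptions for the demo.

```python
import email
from email import policy

# Constructed sample messages for the demo (assumed, not from the article).
LURE = b"""From: "Alice Chen <alice.chen@acme.example>" <alice.chen@acme-example.com>
Reply-To: files@acme-example.com
To: bob.ortiz@acme.example
Subject: Updated design documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, please review the attached drawings before tomorrow's meeting.
--b1
Content-Type: application/octet-stream; name="drawings.pdf.exe"
Content-Disposition: attachment; filename="drawings.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

BENIGN = b"""From: Bob Ortiz <bob.ortiz@acme.example>
To: alice.chen@acme.example
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Notes attached.
--b2
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

# Attachment types that execute code when opened (assumed starting list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm"}


def _addr(header):
    """Return (display_name, addr_spec) for a structured address header."""
    if header is None or not header.addresses:
        return "", ""
    first = header.addresses[0]
    return first.display_name or "", first.addr_spec.lower()


def _normalise(domain):
    """Strip punctuation so 'acme-example.com' and 'acme.example' compare alike."""
    return "".join(ch for ch in domain.lower() if ch.isalnum())


def assess_message(raw, trusted_domain):
    """Parse one RFC 5322 message and list social-engineering indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = _addr(msg["From"])
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # A display name that itself contains an address is a classic spoof:
    # the user sees the trusted address, the mail system uses the real one.
    if "@" in name:
        findings.append("display name embeds an address that is not the sender")

    # Lookalike domain heuristic: same letters as the trusted domain once
    # dots and hyphens are removed, but not actually the trusted domain.
    if domain and domain != trusted_domain.lower() and \
            _normalise(domain).startswith(_normalise(trusted_domain)):
        findings.append(f"sender domain looks like {trusted_domain}: {domain}")

    _, reply_to = _addr(msg["Reply-To"])
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To differs from sender: {reply_to}")

    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        pieces = fname.lower().split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {fname}")
            if len(pieces) > 2:
                findings.append(f"double extension hides file type: {fname}")

    return {"sender": addr, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, assess_message(raw, "acme.example"))
```

None of these checks proves a message is malicious on its own; together they give a triage score that can route the message to quarantine or to an analyst, which is the practical defence against a campaign whose delivery method is expected to be a well-crafted attachment.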
Stuxnet, the first example of a cyberweapon aimed at industrial control systems, was designed to destroy the centrifuges Iran used to enrich uranium by manipulating the computer software that ran them to make them spin out of control.
It has never been revealed who was behind Stuxnet, but the sophistication of the weapon led most observers to conclude it was a nation state. The targeting of Iran’s nuclear program and some clues apparently left by the authors led some to speculate that the intelligence agencies of Israel or the United States might have been responsible.
Mr. O Murchu, whose team spent months last year studying Stuxnet, said about 50 percent of Duqu used source code from the earlier cyberweapon. The program got its name because it creates computer files with the prefix DQ.
“Only the creators [of Stuxnet] have access to the source code,” he said, adding that the attackers had been working on Duqu for “probably the last year.”
The first definite evidence of the weapon being used was discovered last month, but attacks could have started as early as December, the Symantec report says.
Peter Szor, the senior director of research at McAfee Inc., the computer security arm of Intel Corp., said it theoretically would be possible to create Duqu by reverse-engineering Stuxnet itself.
But that would be “very, very time consuming and resource intensive.”