New cyberweapon ‘Duqu’ threatens vital infrastructure
Computer security researchers are warning that a new version of the sophisticated cyberweapon that sabotaged Iran’s nuclear program could be the precursor to a new wave of cyberattacks.
The new weapon, dubbed Duqu, appears to use portions of the original source code from the Stuxnet worm that attacked computers at the Iranian nuclear plant at Natanz in 2009 and 2010.
It is designed to steal information to enable future attacks against the special computerized systems that control power stations, chemical plants, oil refineries and water treatment facilities, according to computer security firm Symantec.
“We thought the people behind Stuxnet would disappear. We caught them red-handed,” Symantec researcher Liam O Murchu told The Washington Times. “Instead, they’re back.”
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” Symantec warned in a bulletin issued last week.
Industrial control systems are considered among the most dangerous potential targets for computer hackers because they can be manipulated to damage or even destroy the plants they control, causing explosions at power stations, polluting drinking water supplies or releasing oil or deadly chemicals into the environment.
“This threat is highly targeted toward a limited number of organizations,” a Department of Homeland Security (DHS) bulletin says. “Although the method of propagation has yet to be determined, the targeted nature of the threat would make social engineering a likely method of attack.”
Social-engineering attacks generally involve email attachments that are cleverly designed to look as though they come from a colleague or other trusted associate. When opened, they install malicious software on the victim’s computer.
Stuxnet, the first example of a cyberweapon aimed at industrial control systems, was designed to destroy the centrifuges Iran used to enrich uranium by manipulating the computer software that ran them to make them spin out of control.
It has never been revealed who was behind Stuxnet, but the sophistication of the weapon led most observers to conclude it was a nation state. The targeting of Iran’s nuclear program and some clues apparently left by the authors led some to speculate that the intelligence agencies of Israel or the United States might have been responsible.
Mr. O Murchu, whose team spent months last year studying Stuxnet, said about 50 percent of Duqu used source code from the earlier cyberweapon. The program got its name because it creates computer files with the prefix DQ.
“Only the creators [of Stuxnet] have access to the source code,” he said, adding that the attackers had been working on Duqu for “probably the last year.”
The first definite evidence of the weapon being used was discovered last month, but attacks could have started as early as December, the Symantec report says.
Peter Szor, the senior director of research at McAfee Inc., the computer security arm of Intel Corp., said it theoretically would be possible to create Duqu by reverse-engineering Stuxnet itself.
But that would be “very, very time consuming and resource intensive.”
“Who would do that?” he asked, when it would be cheaper and easier to write a new piece of software from scratch.
Other experts cautioned that, without access to the source code itself, it was impossible to be certain that Duqu was developed by the same authors.
“Just from looking at the [infections], you can’t tell for sure whether it used the same source code,” said Ralph Langner, another security specialist who studied Stuxnet.
Rick Howard, director of intelligence for iDefense, went further, saying he doubted the same people were behind the two weapons.
Stuxnet was “very highly targeted … planned and executed with military precision,” said Mr. Howard, a former computer security specialist for the Army.
“It doesn’t make sense to me” that a team with that level of skills and resources “would use the same techniques and codes twice,” he said.
Nonetheless, the Hungarian lab that first discovered Duqu reiterated its conviction over the weekend that the two cyberweapons were “nearly identical.”
Mr. Szor said McAfee had preliminary data from its customer base of about half a dozen potential infections, including a factory, possibly a car plant, in Iran, and computer systems in Britain and the United States.
Mr. O Murchu said that Symantec had identified “about 10” Duqu infections in Europe, and that the software was not designed to propagate like conventional malicious software does.
“It’s not a worm or a virus,” he said. “It doesn’t replicate itself.”
He said researchers do not know how it got into the systems it infected.
But “several” of the affected organizations were “companies involved with the manufacture of industrial control systems,” he said.
The Duqu attackers apparently were gathering information about industrial control systems, Mr. O Murchu said.
He noted that one of the reasons Stuxnet was so dangerous was that the people who designed it had very detailed information about the centrifuge control system they were attacking.
“Why is the team behind Stuxnet now looking at other [industrial control system] data?” he asked. “When you draw that dotted line, it gives you pause for thought.”
A DHS spokesman said the department would continue to work with cybersecurity researchers to get more information about Duqu and distribute it to the private-sector companies that own and operate critical U.S. industrial control systems.
Mr. Szor said early signs indicate that “more than one machine is infected” at some of the victim organizations, underlining the determined and targeted nature of the attack.
He said McAfee had identified three or four slightly different versions of Duqu.
“It’s almost like every piece is custom made for just that one attack,” he said.
Mr. O Murchu said the attackers had been more careful to try to hide the traces of their weapon this time around. Data that Duqu sent to its home base, a computer server in India that was disabled this week, was both encrypted and hidden along with photographs.
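The article says the data Duqu sent home was encrypted and hidden along with photographs. As an added, defender-side example (not code from the article, Symantec or McAfee), the Python scanner below walks a JPEG's segment structure to find the real End-Of-Image marker and reports any bytes appended after it, flagging long, high-entropy trailers that look like ciphertext. The trailing-blob layout is an assumption made for illustration, not a description of Duqu's actual file format, and the sample images are constructed inline.

```python
"""Defender-side check for data appended after a JPEG's End-Of-Image marker.

Added example, not code from the article or from Symantec/McAfee. Assumption
for illustration: stolen data riding along with a photo as a trailing blob after
the real EOI marker (FF D9). The sample images below are constructed inline.
"""
import hashlib
import math
from collections import Counter

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random data, low for padding."""
    if not data:
        return 0.0
    n = len(data)
    # "or 0.0" turns the -0.0 produced for single-symbol input into 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) or 0.0


def find_eoi(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset of the real EOI
    marker, or -1. A plain substring search for FF D9 is not enough: embedded
    EXIF thumbnails carry their own EOI, and an appended blob may contain one too.
    """
    if not data.startswith(JPEG_SOI):
        return -1
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return -1                      # lost sync: malformed segment stream
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte preceding a marker
            pos += 1
            continue
        if marker == 0xD9:                 # EOI
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                       # TEM, RSTn, SOI: no length field
            continue
        if pos + 3 >= n:
            return -1
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return -1
        pos += 2 + seg_len
        if marker == 0xDA:                 # SOS: skip entropy-coded scan data
            while pos + 1 < n:
                nxt = data[pos + 1]
                # FF 00 is an escaped data byte and FF D0..D7 are restart markers;
                # any other FF xx ends the scan data
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1


def scan_image(data: bytes, min_len: int = 64, min_entropy: float = 7.0) -> dict:
    """Report the trailer after EOI; flag long, high-entropy (encrypted-looking) ones."""
    eoi = find_eoi(data)
    if eoi < 0:
        return {"valid_jpeg": False, "trailer_len": 0, "entropy": 0.0, "suspicious": False}
    trailer = data[eoi + 2:]
    ent = shannon_entropy(trailer)
    return {
        "valid_jpeg": True,
        "trailer_len": len(trailer),
        "entropy": round(ent, 2),
        "suspicious": len(trailer) >= min_len and ent >= min_entropy,
    }


# --- constructed sample inputs (JPEG-shaped byte streams, not decodable pictures) ---

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    # APP1 carrying an embedded thumbnail that has its own SOI/EOI pair
    app1 = _segment(0xE1, b"Exif\x00\x00" + JPEG_SOI + b"\x00\x11\x22" + JPEG_EOI)
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    # fake scan data with an escaped FF (FF 00) and a restart marker (FF D0)
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return JPEG_SOI + app0 + app1 + sos + scan + JPEG_EOI + trailer


def pseudo_ciphertext(length: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted blob."""
    out, block = b"", b"seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


if __name__ == "__main__":
    clean = build_sample_jpeg()
    padded = build_sample_jpeg(b"\x00" * 100)                      # benign low-entropy padding
    stego = build_sample_jpeg(JPEG_EOI + pseudo_ciphertext(1024))  # blob even contains FF D9
    for name, blob in [("clean", clean), ("padded", padded), ("stego", stego)]:
        print(name, scan_image(blob))
```

The entropy threshold separates encrypted-looking trailers from the null padding or metadata some cameras and editors legitimately leave after EOI; on a real file share the scanner would be run over every image and the flagged files handed to an analyst, since a trailer alone proves nothing about its contents.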
“They’ve gone to a lot more effort to hide the traffic,” he said.
Duqu also was designed to erase itself from infected computers automatically after 36 days, he said, although that could be modified by the attackers.
© Copyright 2014 The Washington Times, LLC.