Computer security researchers are warning that a new version of the sophisticated cyberweapon that sabotaged Iran’s nuclear program could be the precursor to a new wave of cyberattacks.
The new weapon, dubbed Duqu, appears to use portions of the original source code from the Stuxnet worm that attacked computers at the Iranian nuclear plant at Natanz in 2009 and 2010.
It is designed to steal information to enable future attacks against the special computerized systems that control power stations, chemical plants, oil refineries and water treatment facilities, according to computer security firm Symantec.
“We thought the people behind Stuxnet would disappear. We caught them red-handed,” Symantec researcher Liam O Murchu told The Washington Times. “Instead, they’re back.”
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” Symantec warned in a bulletin issued last week.
Industrial control systems are considered among the most dangerous potential targets for computer hackers because they can be manipulated to damage or even destroy the plants they control, causing explosions at power stations, polluting drinking water supplies or releasing oil or deadly chemicals into the environment.
“This threat is highly targeted toward a limited number of organizations,” the DHS bulletin says. “Although the method of propagation has yet to be determined, the targeted nature of the threat would make social engineering a likely method of attack.”
Social-engineering attacks generally involve email attachments that are cleverly designed to look as though they come from a colleague or other trusted associate. When opened, they install malicious software on the victim’s computer.
Stuxnet, the first example of a cyberweapon aimed at industrial control systems, was designed to destroy the centrifuges Iran used to enrich uranium by manipulating the computer software that ran them to make them spin out of control.
It has never been revealed who was behind Stuxnet, but the sophistication of the weapon led most observers to conclude it was a nation state. The targeting of Iran’s nuclear program and some clues apparently left by the authors led some to speculate that the intelligence agencies of Israel or the United States might have been responsible.
Mr. O Murchu, whose team spent months last year studying Stuxnet, said about 50 percent of Duqu used source code from the earlier cyberweapon. The program got its name because it creates computer files with the prefix DQ.
“Only the creators [of Stuxnet] have access to the source code,” he said, adding that the attackers had been working on Duqu for “probably the last year.”
The first definite evidence of the weapon being used was discovered last month, but attacks could have started as early as December, the Symantec report says.
Peter Szor, the senior director of research at McAfee Inc., the computer security arm of Intel Corp., said it theoretically would be possible to create Duqu by reverse-engineering Stuxnet itself.
But that would be “very, very time consuming and resource intensive.”
“Who would do that?” he asked, when it would be cheaper and easier to write a new piece of software from scratch.
Other experts cautioned that, without access to the source code itself, it was impossible to be certain that Duqu was developed by the same authors.
“Just from looking at the [infections], you can’t tell for sure whether it used the same source code,” said Ralph Langner, another security specialist who studied Stuxnet.
Rick Howard, director of intelligence for iDefense, went further, saying he doubted the same people were behind the two weapons.
Stuxnet was “very highly targeted … planned and executed with military precision,” said Mr. Howard, a former computer security specialist for the Army.
“It doesn’t make sense to me” that a team with that level of skills and resources “would use the same techniques and codes twice,” he said.
Nonetheless, the Hungarian lab that first discovered Duqu reiterated its conviction over the weekend that the two cyberweapons were “nearly identical.”
Mr. Szor said McAfee had preliminary data from its customer base of about half a dozen potential infections, including a factory, possibly a car plant, in Iran, and computer systems in Britain and the United States.
Mr. O Murchu said that Symantec had identified “about 10” Duqu infections in Europe, and that the software was not designed to propagate like conventional malicious software does.
“It’s not a worm or a virus,” he said. “It doesn’t replicate itself.”
He said researchers do not know how it got into the systems it infected.
But “several” of the affected organizations were “companies involved with the manufacture of industrial control systems,” he said.
The Duqu attackers apparently were gathering information about industrial control systems, Mr. O Murchu said.
He noted that one of the reasons Stuxnet was so dangerous was that the people who designed it had very detailed information about the centrifuge control system they were attacking.
“Why is the team behind Stuxnet now looking at other [industrial control system] data?” he asked. “When you draw that dotted line, it gives you pause for thought.”
A DHS spokesman said the department would continue to work with cybersecurity researchers to get more information about Duqu and distribute it to the private-sector companies that own and operate critical U.S. industrial control systems.
Mr. Szor said early signs indicate that “more than one machine is infected” at some of the victim organizations, underlining the determined and targeted nature of the attack.
He said McAfee had identified three or four slightly different versions of Duqu.
“It’s almost like every piece is custom made for just that one attack,” he said.
Mr. O Murchu said the attackers had been more careful to try to hide the traces of their weapon this time around. Data that Duqu sent to its home base, a computer server in India that was disabled this week, was both encrypted and hidden along with photographs.
“They’ve gone to a lot more effort to hide the traffic,” he said.
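The article says only that Duqu's outbound data was encrypted and hidden along with photographs; it does not describe the container format. The script below is an added example, not code from the article or from Symantec or McAfee, and it assumes one common way of doing this: appending the ciphertext after the JPEG End-Of-Image marker, where image viewers never look. It walks the JPEG segment structure rather than searching for the last FF D9, so EXIF thumbnails (which carry their own SOI/EOI pair inside a length-prefixed APP1 segment) do not confuse it, and it flags a trailer that is both present and high-entropy, which is what encrypted data looks like. The sample JPEGs are constructed inline.

```python
"""Flag JPEG files that carry extra bytes after the End-Of-Image (EOI) marker.

Added example (not from the article): models one way encrypted data can be
"hidden along with photographs", namely appended after EOI, and checks for it.
"""
import math

SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01


def _is_standalone(marker: int) -> bool:
    # Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
    return marker in (SOI, EOI, TEM) or 0xD0 <= marker <= 0xD7


def trailing_bytes_after_eoi(data: bytes) -> bytes:
    """Return whatever follows the real EOI marker (b'' for a clean file)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker: skip it
            pos += 1
            continue
        if marker == EOI:
            return data[pos + 2:]
        if _is_standalone(marker):
            pos += 2
            continue
        # Length-prefixed segment; the 2-byte length counts itself.
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded scan data follows. Inside it, FF is always followed
            # by 00 (byte stuffing) or D0..D7 (restart); anything else is a marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(data: bytes, min_trailer: int = 16, entropy_threshold: float = 7.0) -> dict:
    """Report the trailer size and entropy, and whether it looks like hidden ciphertext."""
    trailer = trailing_bytes_after_eoi(data)
    ent = shannon_entropy(trailer)
    return {
        "trailer_len": len(trailer),
        "entropy": round(ent, 2),
        "suspicious": len(trailer) >= min_trailer and ent >= entropy_threshold,
    }


def _minimal_jpeg() -> bytes:
    """Constructed skeleton JPEG: SOI, APP0, APP1 with an embedded thumbnail
    SOI/EOI pair, a one-component SOS with stuffed FF00 and an RST0 marker, EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + (12).to_bytes(2, "big") + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app0 + app1 + sos + scan + b"\xff\xd9"


# Constructed samples: a clean image and one with a stand-in for ciphertext appended.
CLEAN_JPEG = _minimal_jpeg()
ENCRYPTED_TRAILER = bytes(range(256)) * 2   # uniform bytes, entropy exactly 8.0
STEGO_JPEG = CLEAN_JPEG + ENCRYPTED_TRAILER

if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN_JPEG), ("stego.jpg", STEGO_JPEG)):
        print(name, assess(blob))
```

The segment walk matters for false positives: a naive search for the first FF D9 would stop at the thumbnail's EOI inside APP1 and report the rest of the image as a trailer. The entropy threshold is a heuristic; a few padding bytes after EOI are common and harmless, which is why both a minimum trailer size and a high entropy are required before a file is flagged.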
Duqu also was designed to erase itself from infected computers automatically after 36 days, he said, although that could be modified by the attackers.