Roughly a year ago, the era of cyberwar officially began with the revelation that a complex computer worm called Stuxnet, allegedly designed in the U.S and tested in Israel, had sabotaged the Iranian nuclear facility in Natanz.
It was, as Stewart Baker, the former general counsel of the U.S. National Security Agency, told Newsweek last December, “the first time we’ve actually seen a weapon created by a state to achieve a goal that you would otherwise have used multiple cruise missiles to achieve.”
Now a new variant of malicious software called Duqu, which uses remarkably similar coding, has emerged, and though security analysts remain divided as to whether Stuxnet’s creators are responsible, many concede that Duqu could very well be a precursor to yet another cyberattack.
Despite the coding similarities, Duqu, which was discovered (PDF) by the Laboratory of Cryptography and Systems Security at Budapest University of Technology and Economics this fall, functions quite differently from Stuxnet.
Stuxnet likely originated from an infected USB thumb drive, and spread outward, replicating itself on tens of thousands of computers across the globe. Yet it seemed to target only Siemens computers at the Natanz facility involved in enriching uranium. Its purpose: gathering intelligence and causing some of the plant’s equipment to malfunction in the process. On all other machines, it did nothing.
Duqu, on the other hand, is what’s known in security and hacking parlance as a trojan; it spread through email, purporting to be something benign, and exploited an unknown vulnerability in Microsoft Word. Its creators sent it to a specifically small number of targets, and the mission appears to have been strictly related to espionage.
“What Duqu might be going after are blueprints,” says Roel Schouwenberg, a senior researcher at Kaspersky Labs, a security firm. “It’s something that could possibly lead to a sabotage kind of attack.”
It is widely assumed that various nation-states and criminal organizations regularly engage in cyber-intelligence operations. Earlier this month, for instance, the U.S. Office of the National Counterintelligence Executive released a report (PDF) accusing Russia and China of using cyber-espionage to steal intellectual property and technology, among other things, from U.S. companies, universities, and government institutions.
What is unique, however, according to James Lewis, a senior fellow at the Center for Strategic and International Studies, is that “we’re seeing this new style of conflict coming out in the open.”
Thus far, researchers have yet to figure out—or at least publicly acknowledge—the motives of Duqu’s creators. But they do know that its highly specified targets have included government computer systems in Iran and Sudan, along with computer systems linked to industrial machinery in Europe, according to security researchers. And like Stuxnet before it, Duqu was designed to self-destruct weeks after infecting a particular machine.
The nature of the known targets, coupled with the similarity in coding and the complexity involved in it, have led some analysts to believe that the creators of Stuxnet also created Duqu.
“This is a completely separate operation,” says Dmitri Alperovitch, an independent security researcher. “But I do believe it was written by the same individuals, most likely government employees responsible for Stuxnet.”
Although a number of computer-security firms have analyzed the Stuxnet code, the original source code of the worm—the readable instructions most likely needed to replicate it—is not public knowledge.
“The only people who have it are the people who created it,” says Alperovitch. “Someone was either using the original source code, or it took years of effort to replicate it.”
Like Stuxnet, Duqu also utilized at least one zero-day exploit—an unknown vulnerability in a particular computer program—in this case, Microsoft Word.
“Those are quite rare,” says Eric Chien, a researcher at Symantec, a computer-security firm. “It’s not just some rogue hacker.”
Microsoft has issued a temporary fix for the vulnerability.
Despite the apparent complexity of Duqu, there also appears to be a degree of sloppiness involved in it, as the trojan continued to be sent out after researchers had discovered it. “That’s a very amateurish mistake,” says Alperovitch. “The first thing you do is pull the plug.”
Another wrinkle: Kaspersky Labs recently analyzed an email carrying the Duqu trojan and found that a component of it was dated August 2007. “If this information is correct, then the authors of Duqu must have been working on this project for over four years!” writes Alexander Gostev, a senior analyst, on a company blog.
That could be an indication that Duqu’s development actually preceded that of Stuxnet, rather than the other way around.
Not everyone is convinced that Duqu and Stuxnet have common parents.
“Malware writers learn from other malware writers,” says Chris Wysopal, the chief information-security officer at the security company Veracode. “It wouldn’t be any old hacker, but could be done without state resources because you have a template. It still could be a criminal organization, someone doing this to make money.”
Richard Clarke, a former White House counterterrorism and cyberwarfare adviser who is on the board of Veracode, agrees. “The notion that it [Stuxnet] was developed in the U.S. is kind of the consensus, expert view,” he says. “[But] it would seem unlikely that the U.S. government is repeating the use of the same sort of software where the signature is already laid out.”
Rather, Clarke—who now runs a security-consulting business—postulates that a team of highly sophisticated hackers may have replicated parts of the Stuxnet source code and repurposed it to gather information.
That may be the scarier of the two prospects. And if some sort of boomerang effect hasn’t already taken place, analysts say it likely will in the near future. As Ralph Langner, a German security consultant said in a September interview with The Christian Science Monitor: “The clock is ticking.”
With Isaac Stone Fish in Beijing and Eli Lake in Washington.