Son of Stuxnet?

When an unknown entity, most likely some combination of Western and Israeli intelligence agencies, created Stuxnet, the mysterious computer worm widely thought to be targeted at Iran’s nuclear program, cybersecurity experts warned that a new digital threat had been unleashed, with potentially dangerous and wideranging consequences.

David Hoffman wrote about Stuxnet for FP back in March:

The Institute for Science and International Security (ISIS), which has closely monitored the Iranian nuclear effort, reported that in late 2009 or early 2010, Iran decommissioned and replaced about 1,000 centrifuges in its uranium-enrichment plant at Natanz. If the goal of Stuxnet was to "set back Iran’s progress" while making detection of the malware difficult, an ISIS report stated, "it may have succeeded, at least for a while."

But there are risks of blowback. Langner warns that such malware can proliferate in unexpected ways: "Stuxnet’s attack code, available on the Internet, provides an excellent blueprint and jump-start for developing a new generation of cyber warfare weapons." He added, "Unlike bombs, missiles, and guns, cyber weapons can be copied. The proliferation of cyber weapons cannot be controlled. Stuxnet-inspired weapons and weapon technology will soon be in the hands of rogue nation states, terrorists, organized crime, and legions of leisure hackers."

Industrial control systems that were the target of Stuxnet are spread throughout the world and vulnerable to such attacks. In one 11-year-old Australian case, a disenchanted employee of the company that set up the control system at a sewage plant later decided to sabotage it. From his laptop, the worker ordered it to spill 211,337 gallons of raw sewage, and the control system obeyed — polluting parks, rivers, and the grounds of a hotel, killing marine life and turning a creek’s water black.

Now, tech researchers at Symantec and F-Secure have identified a new piece of malware they’re calling Duqu, and which they say is very similar to Stuxnet.

According to Symantec, "Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."

Nobody knows who created Duqu, or why. (Says F-Secure: "Was Duqu written by US Government? Or by Israel? We don’t know. Was the target Iran? We don’t know.")

But Symantec reports that "the threat was highly targeted toward a limited number of organizations for their specific assets. … The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party."

So are we seeing another attempt by the same crowd that brought us Stuxnet in the first place? Or disturbing evidence that the predictions of Langner and others are coming true — that a tool intended to cripple Iran’s nuclear enrichment efforts has now been repurposed, possibly by another foreign government or a criminal syndicate?

We may find out in short order. F-Secure’s Mikko Hypponen, who has adopted the hashtag #Stuxnet2, warns on his Twitter feed: "If Duqu was indeed an information gathering operation, we should expect the real attack soon."