Beyond Stuxnet

Looks like someone, and I’m guessing it’s not the Anonymous script kiddies, is getting ready to open a serious can of cyberwarfare whoop ass on someone.

W32.Duqu: The Precursor to the Next Stuxnet

On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat “Duqu” [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.

See also:
Son of Stuxnet Found in the Wild on Systems in Europe
Duqu May Have Targeted Certificate Authorities for Encryption Keys
Stuxnet Clone ‘Duqu’: The Hydrogen Bomb of Cyberwarfare?
“Son of Stuxnet” Virus Uncovered
New virus a cyber ‘attack in the making’
Cyberattack forecast after spy virus found
Stuxnet successor on the loose?
Brace for “son of Stuxnet” — Duqu spies on SCADA
Duqu: Son of Stuxnet?
Symantec, McAfee differ on Duqu threat
Who’s behind worm Duqu, ‘son of Stuxnet’?
Stuxnet-based cyber espionage virus targets European firms
Key European Nuclear Firms Attacked By Variation On Stuxnet Virus

A couple of conclusions come to mind. First, the fact that Duqu is based on Stuxnet and the Stuxnet source code has never been released makes it a sure bet that the authors are one in the same, namely Israel and/or the United States, Second, the fact that Duqu is clandestinely collecting information from European manufacturers of industrial control system software, specifically software that controls nuclear facilities, strongly suggests that the eventual primary target of the apparent pending cyberattack will, once again, be Iran’s nuclear program.

/in other words, Duqu is setting up a cyberassault that will hopefully finish, once and for all, the job that Stuxnet so effectively started, halting Iran’s quest for a nuclear weapon in its tracks without having to bomb the [expletive deleted] out of their nuclear facilities

Is Our Back Door Open?

Gee, I wonder which computer component manufacturing country might be responsible for this? Hmmm, let me think.

(you might want to skip to 51:47)

U.S. Suspects Contaminated Foreign-Made Components Threaten Cyber Security

Some foreign-made computer components are being manufactured to make it easier to launch cyber attacks on U.S. companies and consumers, a security official at the the Department of Homeland Security said.

“I am aware of instances where that has happened,” said Greg Schaffer, who is the Acting Deputy Undersecretary National Protection and Programs Director at the DHS.

Schaffer did not say where specifically these components are coming from or elaborate on how they could be manufactured in such a way as to facilitate a cyber attack.

But Schaffer’s comment confirms that the U.S. government believes some electronics manufacturers have included parts in products that could make U.S. consumers and corporations more vulnerable to targeted cyber attacks.

A device tampered with prior to distribution or sale could act as a “Trojan horse” in the opening wave of an international cyberwar. Contaminated products could be used to jeopardize the entire network.

See also:
DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools
Tomorrow’s cyberwarfare may be carried out by pre-infected electronics: DHS
Malware Comes with Many Gadgets, Homeland Security Admits
Supply chain security – DHS finds imported software and hardware contain attack tools
U.S. official says pre-infected computer tech entering country
Homeland Security Admits Hidden Malware in Foreign-Made Devices
Homeland Security Finds Your Electronic Device Poses Risks?
Threat of destructive coding on foreign-manufactured technology is real
Homeland Security Official: Some Foreign-Made Electronics Compromise Cybersecurity
White House’s Cyberspace Policy Review (PDF)

So, Mr. Schaffer “did not say where specifically these components are coming from.” Well, here, let me help, it’s obviously China. There, how hard was that? The next question is, what are we doing about it?

Our national power grid, electronics infrastructure, you name it, very few of the critical components are manufactured in the U.S. anymore and if there exists a series of back doors, enabling a hostile country, like China, to preemptively take it all down at once, we’re in serious, catastrophic trouble territory, so far up the proverbial [expletive deleted] creek without a paddle we’re no longer visible. And we’d be down for the count too, because we don’t have the U.S. manufacturing capability to pick ourselves up off the canvas

/the end game scenario this revelation portends would make Pearl Harbor look like a sorority pillow fight