Stuxnet Clone Duqu – Aimed back at USA?

Editorial Note – Stuxnet was installed by an operative inside Iran who plugged in a thumb drive containing the virus. Stuxnet is software that has many thresholds and layers and its source code is known only to its creators. Each time a condition is met, yet another part of the virus within the software kicks in. Well, it seems that Stuxnet has some characterics that have been cloned into a new form dubbed ‘Duqu’ and the threat is now reversed and may be employed upon our own facilities.

Stuxnet Clone ‘Duqu’ Possibly Preparing Power Plant Attacks

Fox News

By Matt Liebowitz

Security researchers have detected a new Trojan, scarily similar to the infamous Stuxnet worm, which could disrupt computers controlling power plants, oil refineries and other critical infrastructure networks.

AP Photo/IIPA, Ebrahim Norouzi Iranian technicians work at the Bushehr nuclear power plant, outside the southern city of Bushehr, Iran.

The Trojan, dubbed “Duqu” by the security firm Symantec, appears, based on its code, to have been written by the same authors as the Stuxnet worm, which last July was used to cripple an Iranian nuclear-fuel processing plant.

“Stuxnet source code is not out there,” wrote F-Secure cybersecurity expert Mikko Hyppönen on his firm’s blog. “Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet.”

The original Stuxnet was specifically designed to compromise an industrial control system by manipulating the supervisory control and data acquisition (SCADA) software on which these facilities rely on for automation. Duqu may have its sights set on the same target, but it approaches from a different angle.

“Duqu shares a great deal of code with Stuxnet; however, the payload is completely different,” researchers for the security firm Symantec wrote on its Security Response blog.

Instead of directly targeting the SCADA system, Duqu gathers “intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

“Duqu is essentially the precursor to a future Stuxnet-like attack,” the researchers added.

Symantec said whoever is behind Duqu rigged the Trojan to install another information-stealing program on targeted computers that could record users’ keystrokes and system information and transmit them, and other harvested data, to a command-and-control (C&C) server. The C&C server is still operational, Symantec said.

McAfee, another prominent security firm, has a different analysis of Duqu. Two of its researchers wrote on McAfee’s blog that Duqu is actually highly sophisticated spyware designed to steal digital certificates, which are encrypted “keys” that websites use to verify their identities. (Stolen certificates, apparently purloined by a lone Iranian hacker, have become a big issue recently.)

Neither Symantec, McAfee nor F-Secure would speculate about who’s behind Duqu, but the conventional wisdom on Stuxnet is that it was created by the intelligence services of the U.S. and Israel to knock out a uranium-refinement plant in Iran.

This new entry into the Stuxnet family comes just after the Department of Homeland Security (DHS) issued a bulletin warning that the notorious hacking group Anonymous may soon start looking to bring down or disrupt industrial control facilities. Posted yesterday (Oct. 18) to publicintelligence.net, the unclassified bulletin assesses Anonymous’ ability to compromise SCADA systems that run power plants, chemical plants, oil refineries and other industrial facilities.

Government officials did not blame Anonymous for any such hacks, and the bulletin says that based on available information, Anonymous has “a limited ability to conduct attacks” on industrial control systems.

The group’s agenda could change, however. The DHS document cites several recent actions, including Anonymous’ cyberattack on the websites and servers of biotech seed company Monsanto, as proof that Anonymous could “develop capabilities to gain access and trespass on control system networks very quickly.”

DHS says Cyber attacks are rising on industry and utilities

Editor’s Note – Not much is printed or taken seriously about cyber threats to America but, it should be known, just how fragile our way of life actually is as virtually every part of our infrastructure is tied to the Internet as are most communications and the military. For this reason, the DHS publishes a weekly events summary listing security breaches that requires our attention. The month of October is dedicated to the study of all segments of the internet and recommendations are made to keep some order and protection walls from cyber threats.

DHS – Report for September 30, 2011

The world banking system, corporations, power grid, and water systems, as well as most of our industries are tied to Internet communications. With the ubiquitous viruses, worms and malware, the Idaho National Laboratory for example is armed with cyber experts that are dedicated to responding and assisting to minimize and stop cyber interference.

Watch the video below, then please read the article from Fox News:

Utilities and Industries Face Rising Number of Cyber Break-Ins, DHS Says

From Fox News

U.S. utilities and industries face a rising number of cyber break-ins by attackers using more sophisticated methods, a senior Homeland Security Department official said during the government’s first media tour of secretive defense labs intended to protect the U.S. power grid, water systems and other vulnerable infrastructure.

Acting DHS Deputy Undersecretary Greg Schaffer told reporters Thursday that the world’s utilities and industries increasingly are becoming vulnerable as they wire their industrial machinery to the Internet.

“We are connecting equipment that has never been connected before to these global networks,” Schaffer said. Disgruntled employees, hackers and perhaps foreign governments “are knocking on the doors of these systems, and there have been intrusions.”

According to the DHS, Control System Security Program cyber experts based at the Idaho National Laboratory responded to 116 requests for assistance in 2010, and 342 so far this year.

Department officials declined to give details about emergency response team deployments, citing confidentiality agreements with the companies involved. Under current law, the reporting of cyber attacks by private organizations is strictly voluntary.

The Obama administration has proposed making reporting mandatory, but the White House could find the idea difficult to sell at a time when Republicans complain about increased regulation of business.

Officials said they knew of only one recent criminal conviction for corrupting industrial control systems, that of a former security guard at a Dallas hospital whose hacking of hospital computers wound up shutting down the air conditioning system. The former guard was sentenced to 110 months in prison in March.

The Homeland Security Department’s control system program includes the emergency response team, a Cyber Analysis Center where systems are tested for vulnerabilities, a malware laboratory for analyzing cyber threats and a classified “watch and warning center” where data about threats are assessed and shared with other cyber security and intelligence offices.

The offices are located at nondescript office buildings scattered around Idaho Falls. No signs announce their presence.

Marty Edwards, chief of the control system security effort, said the malware lab analyzed the Stuxnet virus that attacked the Iranian uranium enrichment facility in Natanz last year. He did not describe the group’s findings in detail, except to say that they confirmed that it was “very sophisticated.”

Edwards said that several years ago he had asked the German company Siemens to study the same kind of industrial controllers used at Natanz for vulnerabilities to attack, because they were so widely used in industry.

But he said the study was not part of any effort to target the controllers with malware, and said his program’s work on the controllers could not have helped Stuxnet’s designers.

A senior Homeland Security cyber official, who spoke on condition of anonymity because of the sensitivity of the topic, said the Stuxnet worm exploited well-known design flaws common to many system controllers, vulnerabilities that in general can’t be patched.

Many independent experts and former government officials suspect that Stuxnet was created by the United States, perhaps with the help of IsraelBritain and Germany.

The U.S. and other nations believe Iran is building a nuclear weapons program, but Tehran insists it is interested only in the peaceful uses of nuclear technology.

While U.S. officials talk frequently about the threat of cyber attacks to America, they seldom discuss the country’s offensive cyber weapons capability. The U.S. is thought to be the world’s leader in cyber warfare, both defensive and offensive.

U.S. officials and others long have feared that future wars will include cyber assaults on the industries and economies of adversaries, and the potential targets include power plants, pipelines and air traffic control systems.

Foreign nations could also target military control systems, including those used for communications, radar and advanced weaponry.

Because of its advanced industrial base and large number of computer controlled machines connected to the Internet, the U.S. is thought to be highly vulnerable to a cyber attack on its infrastructure.

In a 2007 test at the Idaho National Laboratory, government hackers were able to break into the control system running a large diesel generator, causing it to self-destruct.

A video of the test, called Aurora, still posted on YouTube, shows parts flying off the generator as it shakes, shudders and finally halts in a cloud of smoke.

James Lewis, a former State Department official now with the Center for Strategic and International Studies in Washington, said in an interview that the Aurora test ushered in a new era of electronic warfare.

Before the test, he said, the notion of cyber warfare “was mainly smoke and mirrors. But the Aurora tests showed that, you know what? We have a new kind of weapon.”

Homeland Security officials said they have not conducted such a test on that scale since. But they demonstrated Thursday how a hacker could tunnel under firewalls in computer systems to take command of industrial processes.

“All systems deployed have vulnerabilities,” Edwards said.