
Part Two: Duqu: father, son, or unholy ghost of Stuxnet?


Three U.S. Air Force information security experts, independent of their role in the military, studied the Duqu trojan, and you might be surprised by what they found. This is the second article in a two-part series that examines the sophisticated threat that everyone is talking about. (Read the first part).

The Force is strong in Duqu

From an attacker's standpoint, there was nothing in the Duqu code that indicated a cyberattack payload meant to cause harm to systems. By contrast, the Stuxnet code was highly targeted toward the centrifuges in the Iranian nuclear facility: it changed their rate of spin to achieve a political or military objective of delaying and weakening Iran's nuclear enrichment program.

Duqu is used for information gathering, with functions for screen capture, network information capture, keylogging, listing viewable shares, file exploration, and domain enumeration. This clearly indicates a RAT (remote access trojan) targeted against Windows domains and enterprises.

One of the most interesting parts of Duqu is the fact that it used private certificates to create some of the secure sockets layer (SSL) channels used to communicate with the command-and-control server, as well as to exfiltrate data. Given the complexity of obtaining such certificates, this could indicate other prior intrusions into the certificate authorities, in the form of an insider threat or a network compromise. It is safe to assume that there are additional stolen or forged certificates that have yet to be discovered.

It is also possible, given the way that nation-states operate, that Duqu is being used as a show of force for the purpose of cyber deterrence.  

One of the most alluring qualities of cyberspace is non-attribution. To maintain non-attribution, it is important for nation-states not to show off their own capabilities and tactics, which could be used to identify them in operations. However, by launching cyber capabilities and claiming no credit, the same level of deterrence is achieved: nation-states around the world can see the capabilities that other, unknown nation-states possess and are willing to use.

Furthermore, one can look to statements made by U.S. officials that the greatest cyber weapons have yet to be deployed. The unknown potency of these cyber weapons in comparison to Stuxnet and Duqu can create a level of deterrence that is unattainable with conventional weapons.

Something wicked this way comes

Stuxnet changed cyberwarfare by opening up the previously secret operations and capabilities of cyberspace to the world. The control systems community was the community most affected by Stuxnet, and the worm destroyed any doubt that control systems were a lucrative target for cyberwarfare.

The worm also showed the control systems community how ill-prepared it is to deal with an advanced cyber weapon.  

Control systems are created by design to provide availability and ease of use. For years security was an afterthought of the design process, and even with some of the most intelligent cybersecurity minds pushing for change, the issue of time remains.

It takes time to cause substantial changes to any community, let alone a community that operates systems up to 15 years behind current technology, due to long acquisition phases and high financial costs. It does not take much time, though, to create and adapt cyber weapons to target and effectively compromise systems.

The control systems community is working hard to counter cyberthreats at every level, including the government, regulation committees, vendors, and control system owners. However, not enough is being done, and Duqu has raised a warning yet again for the community. Stuxnet was not a one-time threat, and the impending cyberattacks cannot be ignored.  

With yet another warning, the control systems community must work together more quickly, and with higher standards and an emphasis on security. The community owns assets that have been identified as critical infrastructure for the United States and as such represent targets that could cripple the U.S. government and military. With these systems at risk it is not purely an issue of potential loss of money and corporate secrets, but the potential loss of human life on a massive scale. 

Cyber capabilities and weapons are incredibly powerful and have even been described by one Obama administration official as the “Ferrari you keep in the garage and only take out for the big race.”

This demonstrates, at some level, that there are restraints involved in using cyber weapons. However, not every nation-state and organization has claimed to use such restraint. Without restraint and an understanding of second- and third-order effects, cyber weapons can be quickly deployed with deadly and unintended consequences.

Stuxnet was a wake-up call for the control systems community and a look into the capabilities of cyberwarfare. Duqu is a firm statement that nation-states are going to continue launching powerful and anonymous cyber weapons.

Robert M. Lee

Robert M. Lee is the CEO and co-founder of the ICS cybersecurity technology and services firm Dragos. He gained his start in the U.S. Air Force as a Cyber Warfare Operations Officer, and spent most of his career at the National Security Agency, where he built and led a first-of-its-kind mission hunting and analyzing state actors targeting ICS. He is also a Senior Instructor at the SANS Institute, where he authored the Forensics 578 course on Cyber Threat Intelligence and the ICS 515 course on ICS network monitoring and incident response. He may be found on Twitter @RobertMLee.
