Stuxnet Clone Found Possibly Preparing Power Plant Attacks

Fox News – October 18, 2011

Security researchers have detected a new Trojan, scarily similar to the infamous Stuxnet worm, which could disrupt computers controlling power plants, oil refineries and other critical infrastructure networks.

The Trojan, dubbed “Duqu” by the security firm Symantec, appears, based on its code, to have been written by the same authors as the Stuxnet worm, which last July was used to cripple an Iranian nuclear-fuel processing plant.

“Stuxnet source code is not out there,” wrote F-Secure cybersecurity expert Mikko Hyppönen on his firm’s blog. “Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet.”

The original Stuxnet was specifically designed to compromise an industrial control system by manipulating the supervisory control and data acquisition (SCADA) software on which these facilities rely on for automation. Duqu may have its sights set on the same target, but it approaches from a different angle.

“Duqu shares a great deal of code with Stuxnet; however, the payload is completely different,” researchers for the security firm Symantec wrote on its Security Response blog.

Instead of directly targeting the SCADA system, Duqu gathers “intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

“Duqu is essentially the precursor to a future Stuxnet-like attack,” the researchers added.

Symantec said whoever is behind Duqu rigged the Trojan to install another information-stealing program on targeted computers that could record users’ keystrokes and system information and transmit them, and other harvested data, to a command-and-control (C&C) server. The C&C server is still operational, Symantec said.

McAfee, another prominent security firm, has a different analysis of Duqu. Two of its researchers wrote on McAfee’s blog that Duqu is actually highly sophisticated spyware designed to steal digital certificates, which are encrypted “keys” that websites use to verify their identities. (Stolen certificates, apparently purloined by a lone Iranian hacker, have become a big issue recently.)

Neither Symantec, McAfee nor F-Secure would speculate about who’s behind Duqu, but the conventional wisdom on Stuxnet is that it was created by the intelligence services of the U.S. and Israel to knock out a uranium-refinement plant in Iran.

This new entry into the Stuxnet family comes just after the Department of Homeland Security (DHS) issued a bulletin warning that the notorious hacking group Anonymous may soon start looking to bring down or disrupt industrial control facilities. Posted yesterday (Oct. 18) to publicintelligence.net, the unclassified bulletin assesses Anonymous’ ability to compromise SCADA systems that run power plants, chemical plants, oil refineries and other industrial facilities.

Government officials did not blame Anonymous for any such hacks, and the bulletin says that based on available information, Anonymous has “a limited ability to conduct attacks” on industrial control systems.

The group’s agenda could change, however. The DHS document cites several recent actions, including Anonymous’ cyberattack on the websites and servers of biotech seed company Monsanto, as proof that Anonymous could “develop capabilities to gain access and trespass on control system networks very quickly.”

Source

The reemergence of the Stuxnet type virus hasn’t been confined to Iran only. It has also appeared in Europe too. See Son of Stuxnet Found in the Wild on Systems in Europe.

Comments are closed, but trackbacks and pingbacks are open.