Information Warfare: Duqu Lives


July 4, 2015: A respected Russian Internet security firm (Kapersky) recently revealed that it had found new spyware software in three hotels used by delegates to negotiations with Iran over sanctions and the Iranian nuclear weapons program. The spyware was described as a much improved version of Duqu and that Israel was probably behind this. Israel denied any involvement but this is actually an old story. In 2012 Internet security researchers accused Israel of a similar stunt when new spyware was found throughout the Middle East. Similar to Stuxnet and Duqu (both created by a joint U.S.-Israeli effort for use against Iran), the new spyware was called Gauss, and it was used to monitor Hezbollah (an Iran backed Lebanese terrorist group) financial activity. Gauss was apparently unleashed in 2011, and had already done its job by the time it was discovered.

The 2015 version is called Duqu 2.0 and it is much improved over the 2011 original. Duqu 2.0 uses a new communications system making it very difficult (and often impossible) to determine where it is sending data and getting orders from. Duqu 2.0 also hides itself much more efficiently, making it more difficult to detect and remove. Duqu 2.0 uses more powerful encryption, making it more difficult to even examine portions of it that are captured. Duqu 2.0 uses all of this, especially the stealth, to compromise entire networks, including routers and “smart” devices (like printers) attached to the network. This makes it much more difficult to remove because parts of Duqu 2.0 are all over an infected network and well hidden. Clean out one server and surviving Duqu 2.0 components will note this and quietly re-infect the “cleaned” computer or server.

Duqu 2.0 is one of a growing number of powerful malware systems showing up. In late 2014 another high grade Cyber War weapon has been found. This one is called Regin and it joined illustrious predecessors like Stuxnet, Duqu, Flame and several others that have been discovered since 2009. Regin, like its predecessors, was extensive, apparently built by skilled and well organized professionals and designed to stay hidden. This it apparently did for over six years. Malware like this is royalty of hacker software, built with care and abundant resources by top talent.

Regin has numerous modules and the ability to do a lot of spying on its own without much, if any, human intervention. Security researchers are now trying to find where Regin has been, which is difficult because Regin was designed to erase all traces of itself after getting what it was sent in for. Regin apparently was not designed for long term visits, which made it more vulnerable to detection and analysis. Once researchers knew more about Regin they were able to quickly search likely systems that might have been attacked to look for clues that Regin was there once, or more, in the past. Unlike earlier software of this type, Regin was designed to intrude in a wider variety of places and look for a much longer list of items.  Regin was also designed to recover deleted files and even take over the operation of an infected PC for some operations.

Meanwhile Internet security companies continue to study older major league Cyber War weapons like Stuxnet and keep finding new angles to these powerful weapons. It was that kind of research that led to the discovery of Regin and similar (like Duqu 2.0) high end hacking tools. Stuxnet was different in that it was developed specifically to damage Iran’s uranium enrichment equipment. All high-end cyber weapons like Stuxnet are designed to keep their activities hidden, and some have done so for up to a decade, or more. Apparently a beta version of Stuxnet was at work as early as 2005. It also appears that Stuxnet got into the Iranian enrichment facilities at least twice.

After the 2005 beta version, there were several more improved versions released. Iran believes that a more recent version of Stuxnet is was still trying to gain access to the enrichment equipment even after the Iranians knew these attacks were taking place. More prudent (or paranoid) Iranian software experts warned that this new (3.0?) version of Stuxnet might already inside the enrichment control systems, waiting for the right time to do more major damage. So far that has not apparently happened.

It was first believed that Stuxnet was released in late 2009, and thousands of computers were infected as the worm sought out its Iranian target. Initial dissection of Stuxnet indicated that it was designed to interrupt the operation of the control software used in various types of industrial and utility (power, water and sanitation) plants. Eventually, further analysis revealed that Stuxnet was programmed to subtly disrupt the operation of gas centrifuges used to turn uranium ore into nuclear plant fuel or, after more refining, into nuclear weapons grade material. It is now believed that the first attack was made before 2009, and another attack after that.

The Stuxnet "malware" was designed to hide itself in the control software of an industrial plant, making it very difficult to be sure you have cleaned all the malware out. This is the scariest aspect of Stuxnet as ever since the Iranians first became aware of it they have been nervous about other Stuxnet-type attacks. Although Iran eventually admitted that Stuxnet did damage, they would not reveal details of when Stuxnet got to the centrifuges or how long the malware was doing its thing before it was discovered and removed. But all this accounts for the unexplained slowdown with Iran getting new centrifuges working. Whoever created Stuxnet probably knows the extent of the damage because Stuxnet also had a "call home" capability even though it was designed to operate in systems without Internet access (by travelling via memory sticks or DVDs).

In 2012 American and Israeli officials admitted that the industrial grade Cyber War weapons (like Stuxnet and several others) used against Iran recently were indeed joint U.S.-Israel operation. Few other details were released, although many more rumors have since circulated. The U.S. and Israel were long suspected of being responsible for these "weapons grade" computer worms. Both nations had the motive to use, means to build, and opportunity to unleash these powerful Cyber War weapons against Iran and others that support terrorism. Regin was believed to be another such Israeli-American creation. East European programmers are suspected of being capable of this sort of thing and Russia appears to have commissioned some “royal” software.

The U.S. and Israel have been successful with "software attacks" in the past. This stuff doesn't get reported much in the general media, partly because it's so geeky and because there are no visuals. It is computer code and arcane tech skills that gets it to its target. The earlier attacks, especially Stuxnet, spread in a very controlled fashion, sometimes via agents who got an infected USB memory stick into an enemy facility. Even if some copies of these programs get out onto Internet connected PCs, they do not spread far. Worms and viruses designed to spread can go worldwide and infest millions of PCs within hours.

Despite all the secrecy, this stuff is very real and the pros are impressed by Stuxnet-type systems, even if the rest of us have not got much of a clue. The demonstrated capabilities of these Cyber War weapons usher in a new age in Internet based warfare. Amateur hour is over and the big dogs are in play. The Cyber War offensive by the U.S. and Israel appears to have been underway for years, using their stealth to remain hidden. There are probably more than three of these stealthy Cyber War applications in use and most of us will never hear about it until, and if, other such programs are discovered and their presence made public.





Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close