SecurityWeek

Cyberwarfare

Kaspersky Lab: While Connections Exist Between Cyber Weapons, Many Secrets Remain

Defending Against Complex Cyber Attacks Requires a Radical Approach to Security

BROOKLYN, NY—While security researchers have unraveled many of the mysteries surrounding Stuxnet, Flame, Duqu, and Gauss, experts acknowledge that many secrets remain.


In the years since Stuxnet was first discovered in 2010, researchers have been learning about the various modules that make up Stuxnet, Flame, Duqu, and Gauss, and how they relate to each other. The four tools served different purposes: Stuxnet targeted Iranian nuclear facilities, while Gauss monitored financial transactions at specific banks. Even so, Kaspersky Lab researchers believe the four are connected, because they share modules and show other similarities in their code, Roel Schouwenberg, senior security researcher at Kaspersky Lab, told attendees at a student cyber-security conference at NYU-Poly on Friday.

Kaspersky researchers have so far found common code and modules directly linking Stuxnet to Duqu, Stuxnet to Flame, and Flame to Gauss. Stuxnet appears to be built on the same platform as Duqu, and Stuxnet carries a more recent version of a module that was also found in Flame, Schouwenberg said. Gauss was built on the same platform as Flame, and when the code of the two is laid out side by side the similarities are visible. With each new discovery, researchers are left wondering how many other modules related to Flame and Stuxnet are still out in the wild, waiting to be found.
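As an added illustration of the kind of overlap analysis that links samples by shared code, the Python below computes byte-shingle similarity between two samples and pulls out the contiguous blocks they have in common. This is example code written for this page, not Kaspersky's tooling or anything from the talk; the samples, the window size and the contents of the "shared module" are all constructed for the example, and real lineage work operates on disassembled functions rather than raw bytes.

```python
"""Toy code-sharing analysis: which byte blocks do two samples have in common?

All 'samples' here are constructed byte strings, not real malware, and the
8-byte shingle window is an arbitrary choice for the example. Real tooling
compares functions, opcode sequences or strings, but the idea is the same:
shared, non-generic blocks are evidence that two tools came from one toolkit.
"""

WINDOW = 8  # bytes per shingle (assumed value for the example)


def shingles(data: bytes, n: int = WINDOW) -> set[bytes]:
    """Return the set of all length-n byte windows of `data`."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = WINDOW) -> float:
    """Jaccard similarity of the two shingle sets: 0.0 (nothing shared) .. 1.0 (identical)."""
    sa, sb = shingles(a, n), shingles(b, n)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def shared_blocks(a: bytes, b: bytes, n: int = WINDOW, min_len: int = 16) -> list[bytes]:
    """Return maximal runs of at least `min_len` bytes that appear verbatim in both samples.

    A shingle of `a` that also occurs in `b` is extended byte by byte for as long as
    the growing run is still a substring of `b`, so a shared module comes back as one
    block instead of dozens of overlapping fragments. Quadratic, fine for a toy.
    """
    sb = shingles(b, n)
    blocks = []
    i = 0
    while i <= len(a) - n:
        if a[i:i + n] in sb:
            j = i + n
            while j < len(a) and a[i:j + 1] in b:
                j += 1
            if j - i >= min_len:
                blocks.append(a[i:j])
            i = j  # resume after the run so the same block is not reported twice
        else:
            i += 1
    return blocks


# Constructed samples (not real malware): a shared "module", a shared artefact
# string, and per-sample filler that the other sample does not contain.
SHARED_MODULE = bytes(range(0x40, 0x80)) * 2             # 128 bytes both samples embed
SHARED_STRING = b"%SystemRoot%\\Temp\\~log.tmp\0"         # 27-byte string both carry
SAMPLE_A = b"\x55\x8b\xec" + SHARED_MODULE + b"\x90" * 40 + SHARED_STRING + b"\xcc" * 60
SAMPLE_B = b"\x48\x83\xec\x28" + b"\xaa" * 70 + SHARED_MODULE + b"\xbb" * 30 + SHARED_STRING
UNRELATED = bytes((i * 37 + 11) % 256 for i in range(300))  # no 8-byte window in common


def compare(a: bytes, b: bytes) -> dict:
    """Summarise the overlap between two samples for a quick triage report."""
    blocks = shared_blocks(a, b)
    return {
        "jaccard": round(jaccard(a, b), 3),
        "shared_block_count": len(blocks),
        "shared_bytes": sum(len(blk) for blk in blocks),
    }


if __name__ == "__main__":
    print("A vs B        :", compare(SAMPLE_A, SAMPLE_B))
    print("A vs unrelated:", compare(SAMPLE_A, UNRELATED))
    for blk in shared_blocks(SAMPLE_A, SAMPLE_B):
        print(f"  shared block of {len(blk)} bytes: {blk[:16]!r}...")
```

The two numbers answer different questions: the Jaccard score says how much of the two samples is common overall (low for two tools that merely reuse one library), while the shared-block list says what exactly is common, which is what lets an analyst decide whether a match is a generic runtime routine or a custom module that only one development team would have.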

“There could be a Flame module deployed years ago with the same functionality as Stuxnet,” Schouwenberg said.

Stuxnet was “younger” than Flame, in the sense that it was developed at a later date, but it was discovered first, noted Schouwenberg. That may be because Stuxnet’s main goal wasn’t cyber-espionage, so being quiet and stealthy wasn’t as important as being able to quickly infect the computers attached to industrial control systems and damaging centrifuges controlled by them.

It’s possible that there are other pieces of undiscovered malware out there with the same destructive capabilities as Stuxnet but equipped with the same stealthy features as Flame and Duqu.

Researchers will likely uncover more “years old” cyber-operations where attackers employed novel techniques to accomplish their goals, Schouwenberg said.

The recently identified Wiper malware, capable of erasing all data stored on the hard drive and leaving the system unable to boot, is one such question mark. Researchers have yet to obtain a sample of Wiper, because it destroys itself during the course of the infection, but they have pieced together some of its capabilities from the clues it left behind on infected computers, Schouwenberg said. Wiper inspired the Shamoon attacks, which wiped data on several computers at Saudi oil company Aramco this summer.

There are hints that Wiper is somehow related to the Tilded platform used to build Duqu, Schouwenberg said. Does that mean Wiper is one of the modules in the Stuxnet-Duqu-Flame family? At this point, there are "a lot of guesses and no certainties," Schouwenberg said.


While researchers have learned a lot about what the modules for each of the tools do, there are still “a lot of unknowns here,” Schouwenberg said. Researchers still aren’t sure how Flame infected machines or how it propagated, for example.

Schouwenberg emphasized that one of the reasons researchers have gotten as far as they have in understanding these tools is that information was shared. Sharing what happened to the machine, the forensic data, and technical skills has made the analysis possible. When serious attacks occur and the information is suppressed out of security concerns, researchers lose access to significant blocks of evidence.

While the security industry has so far been able to detect these advanced tools and come up with ways to defend against them, Schouwenberg worried about an attack employing techniques so novel that it would get past existing defenses, with no way to stop it. Many existing protective measures depend on first detecting a threat in order to block it; the next generation of attacks will require a radical approach to security, he said.

“Stuxnet has changed our job,” Schouwenberg said.
