SecurityWeek
Kaspersky Lab: While Connections Exist Between Cyber Weapons, Many Secrets Remain

Defending Against Complex Cyber Attacks Requires a Radical Approach to Security

BROOKLYN, NY—While security researchers have unraveled many of the mysteries surrounding Stuxnet, Flame, Duqu, and Gauss, experts acknowledge that many secrets remain.
Researchers have spent the years since the initial discovery of Stuxnet in 2010 learning about the various modules that make up Stuxnet, Flame, Duqu, and Gauss and how they relate to each other. Although each had a different purpose (Stuxnet targeted Iranian nuclear facilities, while Gauss monitored financial transactions at specific banks), Kaspersky Lab researchers believe the four pieces are somehow connected because they share modules and show other similarities in the source code, Roel Schouwenberg, senior security researcher at Kaspersky Lab, told attendees at a student conference on cyber-security at NYU-Poly on Friday.

Kaspersky researchers have thus far found common code and modules directly linking Stuxnet to Duqu, Stuxnet to Flame, and Flame to Gauss. Stuxnet appears to be built on the same platform as Duqu, and Stuxnet carries a more recent version of a module that was found in Flame, Schouwenberg said. Gauss was built on the same platform as Flame, and when the source code is laid out side by side, the similarities are visible. With each subsequent malware discovery, researchers are left wondering how many other modules related to Flame and Stuxnet are still out in the wild, waiting to be discovered.

“There could be a Flame module deployed years ago with the same functionality as Stuxnet,” Schouwenberg said.

Stuxnet was “younger” than Flame, in the sense that it was developed at a later date, but it was discovered first, Schouwenberg noted. That may be because Stuxnet’s main goal wasn’t cyber-espionage, so being quiet and stealthy wasn’t as important as being able to quickly infect the computers attached to industrial control systems and damage the centrifuges those systems controlled.

It’s possible that there are other pieces of undiscovered malware out there with the same destructive capabilities as Stuxnet but equipped with the same stealthy features as Flame and Duqu.

Researchers will likely uncover more “years old” cyber-operations where attackers employed novel techniques to accomplish their goals, Schouwenberg said.

The recently identified Wiper malware, capable of erasing all data stored on the hard drive and leaving the system unable to boot, is one such question mark. Researchers have yet to see a sample of Wiper, as it destroys itself during the course of the infection, but they have pieced together some of its capabilities from the clues it left behind on infected computers, Schouwenberg said. Wiper inspired the Shamoon attacks, which wiped data on several computers at Saudi oil company Aramco this summer.

There are hints that Wiper is somehow related to the Tilded platform used to build Duqu, Schouwenberg said. Does that mean Wiper is one of the modules in the Stuxnet-Duqu-Flame family? At this point, there are “a lot of guesses and no certainties,” Schouwenberg said.

While researchers have learned a lot about what the modules for each of the tools do, there are still “a lot of unknowns here,” Schouwenberg said. Researchers still aren’t sure how Flame infected machines or how it propagated, for example.

Schouwenberg emphasized that one of the reasons researchers have gotten as far as they have in understanding these cyber tools is that information was being shared. Sharing details of what happened to the machine, forensic data, and technical skills has made that progress possible. When serious attacks occur and the information is suppressed over security concerns, researchers are cut off from significant blocks of information.

While the security industry has so far been able to detect these advanced tools and come up with ways to defend against them, Schouwenberg worried about the possibility of an attack employing techniques so novel that it would get past existing defenses, leaving no way to defend against it. Many existing protective measures rely on being able to detect threats in order to block them, but the new attacks will require a radical approach to security, he said.

“Stuxnet has changed our job,” Schouwenberg said.