Kaspersky Lab: While Connections Exist Between Cyber Weapons, Many Secrets Remain

Defending Against Complex Cyber Attacks Requires a Radical Approach to Security

BROOKLYN, NY—While security researchers have unraveled many of the mysteries surrounding Stuxnet, Flame, Duqu, and Gauss, experts acknowledge that many secrets remain.

Researchers have spent the last few years since the initial discovery of Stuxnet in 2010 learning about various modules that make up Stuxnet, Flame, Duqu, and Gauss and how they relate to each other. Despite having a different purpose, since Stuxnet targeted Iranian nuclear facilities and Gauss monitored financial transactions at specific banks, Kaspersky Lab researchers believe the four pieces are somehow connected because they share modules and have other similarities in the source code, Roel Schouwenberg, senior security researcher at Kaspersky Lab, told attendees at a student conference on cyber-security at NYU-Poly on Friday.

Kaspersky researchers have thus far found common code and modules directly linking Stuxnet to Duqu, Stuxnet with Flame, and Flame to Gauss. Stuxnet appears to be built on the same platform as Duqu, and Stuxnet has a more recent version of a module that was found in Flame, Schouwenberg said. Gauss was built on the same platform as Flame, and when the source code is laid out side-by-side, there were similarities. With each subsequent malware discovery, researchers are left wondering how many other modules related to Flame and Stuxnet are still out in the wild, waiting to be discovered.

“There could be a Flame module deployed years ago with the same functionality as Stuxnet,” Schouwenberg said.

Stuxnet was “younger” than Flame, in the sense that it was developed at a later date, but it was discovered first, noted Schouwenberg. That may be because Stuxnet’s main goal wasn’t cyber-espionage, so being quiet and stealthy wasn’t as important as being able to quickly infect the computers attached to industrial control systems and damaging centrifuges controlled by them.

It’s possible that there are other pieces of undiscovered malware out there with the same destructive capabilities as Stuxnet but equipped with the same stealthy features as Flame and Duqu.

Researchers will likely uncover more “years old” cyber-operations where attackers employed novel techniques to accomplish their goals, Schouwenberg said.

The recently identified Wiper malware, capable of erasing all data stored on the hard drive and making the system unable to boot, is one such question mark. Researchers have yet to see a sample of Wiper as it destroys itself during the course of the infection, but have pieced together some of the capabilities based on the clues it left behind in infected computers, Schouwenberg said. Wiper inspired the Shamoon attacks, which wiped data on several computers at Saudi oil company Aramco this summer.

There are hints that Wiper is somehow related to the tilded platform used to build Duqu, Schouwenberg said. Does that mean Wiper is one of the modules in the Stuxnet-Duqu-Flame family? At this point, there are “a lot of guesses and no certainties,” Schouwenberg said.

While researchers have learned a lot about what the modules for each of the tools do, there are still “a lot of unknowns here,” Schouwenberg said. Researchers still aren’t sure how Flame infected machines or how it propagated, for example.

Schouwenberg emphasized that one of the reasons researchers have gotten as far as they have in understanding these cyber tools is because the information was being shared. Sharing information about what happened to the machine, forensic data, and technical skills have made it possible. When serious attacks occur and the information is suppressed for security concerns, researchers don’t have access to significant blocks of information.

While the security industry has been able to detect and come up with ways to defend against these advanced tools thus far, Schouwenberg worried over the possibility of an attack employing such novel techniques that it would get past existing defenses and there would be no way to defend against it. A lot of existing protective measures rely on the ability to be able to detect threats to block them, but the new attacks will require a radical approach to security, he said.

“Stuxnet has changed our job,” Schouwenberg said.