Stuxnet cyberweapon looks to be one on a production line, researchers say
Evidence is rising that Stuxnet, a cyberweapon that attacked Iran's nuclear facilities in 2009, is part of a supersophisticated manufacturing process for malicious software, two antivirus companies tell the Monitor.
Somewhere in the world, the creators of the Stuxnet worm are involved in a cyberweapon manufacturing operation that can pump out supersophisticated malicious software tweaked for specific missions, new targets, and detection evasion.
Stuxnet, the first military-grade cyberweapon known to the world, has been called a digital missile and a cyber-Hiroshima bomb. But it was not a one-shot blast, new research shows. Rather, Stuxnet is part of a bigger cyberweapons system – a software platform, or framework – that can modify already-operational malicious software, researchers at two leading antivirus companies told the Monitor.
The platform appears to be able to fire and reload – again and again – to recalibrate for different targets and to bolt on different payloads, but with minimal added cost and effort, say researchers at Kaspersky Labs and at Symantec.
Kaspersky, based in Moscow, and Symantec, in Sunnyvale, Calif., are antivirus companies, competitors in fact. Each has had teams laboring independently for more than a year to decipher Stuxnet. Both are amazed to have discovered digital fingerprints of a much larger family of weaponized software.
What each has uncovered are at least seven cyberweapon "launcher" files created from a common software platform. A launcher file is needed to stealthily insert the malicious payload (Stuxnet, for instance) onto a computer, and it also carries the payload files and the encryption keys needed to unpack them and make them function.
All seven launcher files contain chunks of identical source code, yet differ in small but important ways, according to a Kaspersky Labs study released last week. Just two of those files are known to be used by the Stuxnet program. Two others are related to an espionage software program called Duqu, discovered last fall.
That leaves three launcher files with no known affiliations. While those three could be affiliated with as-yet-undetected variants of Stuxnet or Duqu, they are more likely to be affiliated with undiscovered cyberweapons operating "in the wild" somewhere in cyberspace, researchers say.
Kaspersky's findings are buttressed by researchers at Symantec, which led the deciphering effort on Stuxnet in 2010. The companies' findings imply that Stuxnet's creators are not resting on past deeds, such as the attack on Iran's nuclear fuel manufacturing facilities. Instead, they are apparently churning out new cyberweapons for new missions from that same common software platform, researchers from both firms told the Monitor.
"Stuxnet's creators used a [software] platform to package and deliver it, because they wanted to be able to make many cyberweapons easily and be able to change them rapidly for targeting and attack," says Costin Raiu, director of the global research and analysis team at Kaspersky Labs, in a phone interview from Romania.
"What's going on seems not so much like a weapons factory as much as a super-secret lab that creates experimental cyberweapons," he adds. "It's more like they're making ion cannons or something – but for cyberwar. These are not normal line weapons, but the highest tech possible to wage cyberwar and cybersabotage."
First signs that Stuxnet was part of a larger family of malicious software, or malware, came with the discovery in September 2010 of Duqu, a specialized espionage program. Duqu appears to be designed to zero in on industrial secrets related to Stuxnet's target, and its code contains digital fingerprints akin to some in Stuxnet, indicating it was created with some of the same source code. Stuxnet's mission, much of it now decoded, was to wreak havoc on Iran's ability to refine nuclear fuel using centrifuges.
"We've done the same analysis Kaspersky has, and seen the same timelines, dates, encryption keys," says Liam O Murchu, manager of operations for Symantec Security Response, in a phone interview. "We think Stuxnet and Duqu are made by the same team, with the same goal.... They can change [the software weapon produced on the common platform], manipulate it, have different payloads."
Using a common malware "platform," or "framework," can be likened to an auto factory building an exotic car, like a Lamborghini. There are a lot of common parts, but also a bit of artistry. There may be a common frame and engine, but other code has been hand-tooled by expert engineers, Mr. Raiu and Mr. O Murchu agree.
That common platform – for Stuxnet, Duqu, and the rest – is a way to reuse software that was expensive to develop. But it also allows for faster assembly of existing modules into full-blown cyberweapons, which can then be tweaked to sabotage a new industrial control system target or to evade detection.
"Let's imagine you want to steal documents," Raiu adds. "You don't need the sort of sabotage capability built into Stuxnet, so you take that off. Instead, you use the same platform to create targeted malware, but perhaps focusing on espionage instead. That's Duqu."
A light bulb went on last October when Kaspersky researchers looking at Duqu downloaded a different piece of malware that had been on a Chinese computer that also had Duqu on it. At first, the file was misidentified as Stuxnet. But a closer examination showed it was something new and slightly different. So Kaspersky began reexamining its own archive of malware to see what files might have been missed, dredging up seven in all.
Duqu used two files. Stuxnet used two files. Three others had no affiliated programs. But all of the files shared a common characteristic: They carried a "~d" symbol in their names. That led Kaspersky's researchers to dub the common platform used to create all the files for Duqu, Stuxnet, and the others the Tilde-d, or "Tilded," platform.
"There were a number of projects involving programs based on the 'Tilded' platform throughout the period 2007-2011," Kaspersky's report concludes. "Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown. The platform continues to develop, which can only mean one thing – we're likely to see more modifications in the future."
Some experts agree that Duqu and Stuxnet share code, but strongly disagree on what that implies. It could mean that different entities, working toward their own ends, used the same "kit." Despite the common code, "many other dimensions of the separate attacks indicate no common authorship or attribution," writes Don Jackson, a senior security researcher with the Dell SecureWorks Counter Threat Unit research team, in an e-mail. Still others say the Kaspersky findings are telling.
"It makes tremendous sense," says Ed Skoudis, cofounder of Inguardians, a cybersecurity firm based in Washington, D.C. "Look at the effort needed to produce Stuxnet. You wouldn't want to do it in a way that was one-off. You would want to produce a process that could reuse the parts, not shoot your entire cache of weapons in one attack."
He likens it to the US system for building atom bombs after World War II.
"When the US built the atom bomb, it wasn't just the one. We had an infrastructure and platform for building additional weapons," Mr. Skoudis says. "Whoever built Stuxnet got a lot of money and a lot of smart people working on it. It just makes sense that creating these kinds of weapons be repeatable – and that some set of fingerprints is left behind that shows that."
But what neither he nor any expert interviewed for this article believes is that identifying the software platform used to build Stuxnet and Duqu will lead to the identity of whoever built those weapons.
"I don't think it will help much," he says. "But this finding does indicate that we'll see more of these kinds of weapons when a definite military objective that suits whoever created these things appears. We now know there is a production facility for these types of things – and that it is operational and releasing things. I'm sure we'll see more."