Early today Symantec published an inside look at a new targeted malware attack called Duqu. This might not be important news if it weren’t for its ties to Stuxnet.
Early analysis of Duqu shows it has evolved from the Stuxnet codebase. We shouldn’t jump to conclusions that it was developed by the same authors, but whoever created this malware likely had access to the original source code used to compile Stuxnet.
The components that were reused were not the pieces used to target SCADA/industrial control systems, but rather related driver files that provide the malware the ability to download additional components.
Symantec reports that after it retrieves the additional malicious files it is focused on gathering information rather than industrial sabotage.
SophosLabs confirms that the driver files are signed, similar to the drivers used by Stuxnet. In this case the certificate purports to belong to C-Media, a Taiwanese firm known for their embedded audio chipsets.
Signature of driver file:
SHA1 hash of file: A5190A8E01978C903BF1FABCFCBA40D75996D8B9
Signing Certificate Chain:

Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 3/08/2028 12:59:59 AM
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B

Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 21/05/2019 12:59:59 AM
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

Issued to: C-Media Electronics Incorporation
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: 3/08/2012 12:59:59 AM
SHA1 hash: 83F430C7297FBF6C1D910B73414132DB48DBDE9C
This may not be a coincidence, as Stuxnet used certificates that appeared to belong to RealTek and JMicron, two other embedded chip manufacturers in the same neighbourhood.
The mystery remains, however. Were these certificates stolen, or simply generated through compromised certificates to appear to belong to these organizations?
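The chain above is the defender's problem in miniature: every link is issued by the one before it, the root is a well-known public CA, and nothing had expired when the driver was signed, so ordinary signature validation passes exactly as it would for a legitimate C-Media driver. What catches a stolen or fraudulently issued certificate is a revocation or blocklist check against the leaf thumbprint. The following Python, added here as an example and not code from Sophos, Symantec or any tool mentioned above, parses the text dump format shown above, walks the chain from leaf to root, checks expiry against an observation time, and flags any thumbprint on a blocklist. The trusted-root set, the 2011-10-18 observation time and the blocklist contents are constructed for the example.

```python
"""Added example: walk a code-signing certificate chain given in the
"Issued to / Issued by / Expires / SHA1 hash" dump format, and report
why (or whether) a defender should distrust it."""
from dataclasses import dataclass
from datetime import datetime

# The three certificates copied from the signature dump above.
CHAIN_TEXT = """
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 3/08/2028 12:59:59 AM
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 21/05/2019 12:59:59 AM
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: C-Media Electronics Incorporation
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: 3/08/2012 12:59:59 AM
SHA1 hash: 83F430C7297FBF6C1D910B73414132DB48DBDE9C
"""

# Assumed trust store: root thumbprints this checker accepts as anchors.
TRUSTED_ROOTS = frozenset({"A1DB6393916F17E4185509400415C70240B0AE6B"})


@dataclass
class Cert:
    subject: str
    issuer: str
    expires: datetime
    sha1: str


def parse_chain(text: str) -> list:
    """Turn the dump format into Cert records, in the order listed."""
    fields = {"Issued to": "subject", "Issued by": "issuer",
              "Expires": "expires", "SHA1 hash": "sha1"}
    certs, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or key not in fields:
            raise ValueError(f"unexpected line: {line!r}")
        cur[fields[key]] = value.strip()
        if len(cur) == 4:  # "SHA1 hash" closes each four-line record
            certs.append(Cert(cur["subject"], cur["issuer"],
                              datetime.strptime(cur["expires"], "%d/%m/%Y %I:%M:%S %p"),
                              cur["sha1"].upper()))
            cur = {}
    if cur:
        raise ValueError("truncated certificate record")
    return certs


def validate_chain(certs, signing_time, trusted_roots=TRUSTED_ROOTS, blocklist=frozenset()):
    """Walk leaf -> root. Returns a list of findings; an empty list means the
    chain validates, which is precisely what an unrevoked stolen cert yields."""
    by_subject = {c.subject: c for c in certs}
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        return ["chain has no single leaf certificate"]
    findings, cur, seen = [], leaves[0], set()
    while True:
        if cur.sha1 in seen:
            return findings + ["issuer loop detected"]
        seen.add(cur.sha1)
        if cur.sha1 in blocklist:
            findings.append(f"blocklisted: {cur.subject}")
        if signing_time > cur.expires:  # real verifiers use the countersignature timestamp
            findings.append(f"expired at signing time: {cur.subject}")
        if cur.issuer == cur.subject:  # self-signed: must be a trusted anchor
            if cur.sha1 not in trusted_roots:
                findings.append(f"untrusted root: {cur.subject}")
            return findings
        parent = by_subject.get(cur.issuer)
        if parent is None:
            return findings + [f"missing issuer: {cur.issuer}"]
        cur = parent


def audit(text: str, signing_date: str, blocklist=frozenset(), trusted_roots=TRUSTED_ROOTS):
    """Convenience wrapper: signing_date is an ISO date such as '2011-10-18'."""
    return validate_chain(parse_chain(text), datetime.fromisoformat(signing_date),
                          trusted_roots, frozenset(s.upper() for s in blocklist))


if __name__ == "__main__":
    # Constructed: blocklist carrying the leaf thumbprint from the dump above.
    abused = {"83F430C7297FBF6C1D910B73414132DB48DBDE9C"}
    print("plain validation:", audit(CHAIN_TEXT, "2011-10-18") or "chain OK")
    print("with blocklist:  ", audit(CHAIN_TEXT, "2011-10-18", abused))
```

Run as a script, the first line shows the chain validating cleanly on the constructed 2011 observation date and the second shows the same chain rejected once its leaf thumbprint is on the blocklist; the same function reports expiry and untrusted or missing issuers, which is the distinction a defender needs between "the signature is mathematically valid" and "this publisher should be trusted".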
As with Stuxnet, it is too early to determine anything definitive about the who, why or what this malware was designed to do. I can assure you that the security industry will be analyzing these samples diligently to determine their intent.
The US Deputy Defense Secretary William Lynn has revealed that a foreign intelligence agency was behind a hack attack that stole classified information about a top secret weapons system.
According to Aviation Week, the weapons system, which is under development, might have to be redesigned after the files were stolen from a military contractor’s computer network.
Plans and confidential blueprints were included in the haul of 24,000 files said to have been copied by the hackers.
The revelation came to light as William Lynn gave a speech at the National Defense University (NDU) in Washington DC, outlining his department’s “first ever strategy for operating in cyberspace”. Recognising that the problem extended beyond its own networks, the Pentagon is piloting a program to share classified intelligence about threats with select military contractors and their ISPs.
NDU was somehow an appropriate venue for the speech – Lynn told his audience that the National Defense University itself had fallen victim to hackers after its “website and its associated server were recently compromised by an intrusion that turned over system control to an unknown intruder.”
Lynn’s speech contained much jaw-jaw about the nature of cyberwar – and how it could vary from destructive attacks to information theft:
"Tools capable of disrupting or destroying critical networks, causing physical damage, or altering the performance of key systems, exist today. The advent of these tools mark a strategic shift in the cyber threat - a threat that continues to evolve. As a result of this threat, keystrokes originating in one country can impact the other side of the globe in the blink of an eye. In the 21st Century, bits and bytes can be as threatening as bullets and bombs."
"But disruptive and destructive attacks are only one end of a continuum of malicious activity in cyberspace that includes espionage, intellectual property theft, and fraud. Although in the future we are likely to see destructive or disruptive cyber attacks that could have an impact analogous to physical hostilities, the vast majority of malicious cyber activity today does not cross this threshold."
"In looking at the current landscape of malicious activity, the most prevalent cyber threat to date has been exploitation - the theft of information and intellectual property from government and commercial networks."
I have always been nervous of the tendency amongst governments to point fingers at foreign nations and blame them for an internet attack. For instance, Lynn claims that a foreign government was involved in the hack, but does not say which one.
You have to ask yourself, why the reluctance to say which country? And if you don’t know which country, how do you know it was any country?
Of course, the US Deputy Defense Secretary has shown himself to be tight-lipped on matters to do with internet attacks in the past. For instance, he declined to confirm or deny if the USA had been responsible for the Stuxnet virus.
And we shouldn’t be naive. Just because it’s hard to prove that a particular country was behind a particular cyber attack, doesn’t mean that that country is whiter-than-white when it comes to such things.
My suspicion is that all countries are using the internet to their advantage when engaged in espionage – whether it be for political, economic or military ends.
What surprises me, however, is that Lynn claims that these sorts of “sophisticated capabilities” (the ability to hack into military contractor computer systems and steal files) are almost exclusively within the abilities of nation states, and that the only thing stopping countries from using the internet to destroy their enemies is the risk of a military counter-attack:
"Today, sophisticated cyber capabilities reside almost exclusively in nation-states. Here, U.S. military power offers a strong deterrent against overtly destructive attacks. Although attribution in cyberspace can be difficult, the risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States. We must nevertheless guard against the possibility that circumstances could change, and we will have to defend against a sophisticated adversary who is not deterred from launching a cyber attack."
Of course, terrorists probably wouldn’t fear a counter-attack like this. Why haven’t they launched a destructive strike against the United States? Well, Lynn has an answer for that:
"If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation. And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining, and expanding their cyber capabilities."
Hmm. So, thank goodness that only governments know how to get their hands on the most dangerous and destructive internet weapons and that the rest of the world just isn’t as sophisticated.
Marine Gen. James Cartwright, Vice Chairman of the Joint Chiefs of Staff, told the press gathered at NDU that he believed a defensive approach to cyberwar is insufficient, and that the current situation of the Pentagon being 90% focused on defensive measures and 10% on offensive, should be reversed.
One thing is clear amongst all this talk – computer security needs to be taken seriously. Cybercriminals, whether state-sponsored or not, are regularly going beyond damaging and defacing websites to stealing sensitive information which could have more than a financial value. You would be foolish to ignore such a threat, so ensure that you have strong defences in place.
Meanwhile, the US Department of Defense says that it is now treating cyberspace as an operational domain – alongside land, air, sea and space. As such, I think we can expect to see more speeches warning about the perils that the United States faces from other nations and terrorist forces.