Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:11 PM
Connect Directly

Same Toolkit Spawned Stuxnet, Duqu, And Other Campaigns

New Kaspersky Lab research nails down platform used for the targeted attacks, but not all researchers are sold that the exploits are all interrelated

There's one thing most Stuxnet researchers now agree on: Stuxnet and Duqu came from the same code base. And now new research backs up that theory as well as reveals that at least three additional and unrelated exploits were written from the same platform, which has been christened "Tilded" by researchers at Kaspersky Lab.

Kaspersky researchers say at least three other projects besides Duqu and Stuxnet were created with Tilded -- named for the developers' penchant for using file names that start with a tilde symbol and the letter "d" -- including a spyware module that dates back to 2007 and 2008. But still no real evidence points to the actors behind Stuxnet, Duqu, or the other attacks using the Tilded, the researchers say.

Meanwhile, other likely exploits have yet to be discovered from the same platform, researchers say.

"We don't know who the attackers are, but what we can say from all the evidence is that they are quite well-organized ... we're talking about professional software developers working in four or five different teams and each team taking care of one of the modules," says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. And their focus appears to entail sabotage of some type, he says, with the support of a nation-state and with the goal of cyberespionage.

But neither Kaspersky nor Symantec, which have led much of the research into Stuxnet and Duqu, can confirm in their research the million-dollar question of just who is behind the two attack campaigns, despite heavy speculation that it's the handiwork of the U.S. and Israel attempting to derail Iran's nuclear enrichment program.

Security expert Tom Parker says while Duqu and Stuxnet could be related, that doesn't mean they are necessarily the same operation. "The missions of Stuxnet and Duqu were different: One was reconnaissance [Duqu], and the other was a proactive agent [Stuxnet]," says Parker, chief technology officer at FusionX. "I don't think there is any information technology analysis of the similarities in the code to suggest that [they are from the same operation]."

And Don Jackson, senior security researcher at Dell Secureworks, says while Kaspersky's new research basically reinforces his theory that Stuxnet and Duqu were written with the same kit, it doesn't prove they were written by the same authors. He argues that code-sharing is not as effective in attribution in malware nowadays due to the wide availability of crimeware kits. "You need to focus more on the operational parameters," he says. "What was in common with the two is that they were generated by the same kit. Now we have a name for that kit," Jackson says.

That doesn't necessarily mean they go together, however, he says. Jackson contends that Duqu was not used for reconnaissance for Stuxnet, a conclusion that Kaspersky has drawn and Symantec has suggested. "I don't believe Duqu was used as reconnaissance for Stuxnet. In fact, based on our understanding of all the findings to date, it's contraindicated," he says.

For one thing, Duqu appears to be younger than Stuxnet, according to Jackson. "If the development of the Tilded kit follows the general evolutionary pattern of development of software in general, and of practically all similar malware kits more specifically, then Duqu is younger than Stuxnet based on the common code. This is supported by analysis of incident time lines and other artifacts, such as compiler and code-signing time stamps," etc., he says.

Liam O Murchu, manager of operations for Symantec Security Response, says while Stuxnet and Duqu use the same code base, the real link is the loader file that Kaspersky studied: It's one file on the disk of an infected machine that is not encrypted. And while Murchu can't reveal details about Duqu victims, he says Duqu was targeting similar types of companies, possibly for a future Stuxnet attack. "I can say that all the companies Duqu [hit] had something useful to the business of Stuxnet," Murchu says.

And it's likely the attackers behind Duqu and Stuxnet are still operating under different attack campaigns. "They are likely still operating and reconfiguring and recompiling it to avoid security products or researchers," he says. "There could be attacks going on right now that we are not aware of."

[Lessons learned from the Stuxnet-Duqu link. See Four Takeaways From The Stuxnet-Duqu Connection.]

Meanwhile, there are several missing pieces to the Stuxnet and Duqu puzzle. First, there's "Stars," a cyberattack the Iranian government claims hit its nuclear facility in April. Researchers at first dismissed the news as either a hoax or common malware, according to Kaspersky's Raiu, but later discovered that Duqu contains a photo showing the collision of two galaxies, indicating a possible connection with Stars.

"We think that many targets in Iran were specific versions of Duqu, and that may be one of the missing pieces of the puzzle," he says.

Another question is that one of the components for the Duqu command-and-control (C&C) servers was written in a programming language that the researchers had never seen before. "It was a very curious procedural language .. we don't know why they chose to write it in a different language, and we don't know what this language is," Raiu says. "Solving this [may] help us understand who created the communication module, or if different groups don't know about one another," for example, he says.

Still a mystery, too, is how the Duqu attackers hacked the systems they used as C&C servers. "All of the computers belong to people and organizations unrelated to Duqu and had been hacked," he says. "We need a good explanation of how they accessed them."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.