Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:11 PM
Connect Directly

Same Toolkit Spawned Stuxnet, Duqu, And Other Campaigns

New Kaspersky Lab research nails down platform used for the targeted attacks, but not all researchers are sold that the exploits are all interrelated

There's one thing most Stuxnet researchers now agree on: Stuxnet and Duqu came from the same code base. And now new research backs up that theory as well as reveals that at least three additional and unrelated exploits were written from the same platform, which has been christened "Tilded" by researchers at Kaspersky Lab.

Kaspersky researchers say at least three other projects besides Duqu and Stuxnet were created with Tilded -- named for the developers' penchant for using file names that start with a tilde symbol and the letter "d" -- including a spyware module that dates back to 2007 and 2008. But still no real evidence points to the actors behind Stuxnet, Duqu, or the other attacks using the Tilded, the researchers say.

Meanwhile, other likely exploits have yet to be discovered from the same platform, researchers say.

"We don't know who the attackers are, but what we can say from all the evidence is that they are quite well-organized ... we're talking about professional software developers working in four or five different teams and each team taking care of one of the modules," says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. And their focus appears to entail sabotage of some type, he says, with the support of a nation-state and with the goal of cyberespionage.

But neither Kaspersky nor Symantec, which have led much of the research into Stuxnet and Duqu, can confirm in their research the million-dollar question of just who is behind the two attack campaigns, despite heavy speculation that it's the handiwork of the U.S. and Israel attempting to derail Iran's nuclear enrichment program.

Security expert Tom Parker says while Duqu and Stuxnet could be related, that doesn't mean they are necessarily the same operation. "The missions of Stuxnet and Duqu were different: One was reconnaissance [Duqu], and the other was a proactive agent [Stuxnet]," says Parker, chief technology officer at FusionX. "I don't think there is any information technology analysis of the similarities in the code to suggest that [they are from the same operation]."

And Don Jackson, senior security researcher at Dell Secureworks, says while Kaspersky's new research basically reinforces his theory that Stuxnet and Duqu were written with the same kit, it doesn't prove they were written by the same authors. He argues that code-sharing is not as effective in attribution in malware nowadays due to the wide availability of crimeware kits. "You need to focus more on the operational parameters," he says. "What was in common with the two is that they were generated by the same kit. Now we have a name for that kit," Jackson says.

That doesn't necessarily mean they go together, however, he says. Jackson contends that Duqu was not used for reconnaissance for Stuxnet, a conclusion that Kaspersky has drawn and Symantec has suggested. "I don't believe Duqu was used as reconnaissance for Stuxnet. In fact, based on our understanding of all the findings to date, it's contraindicated," he says.

For one thing, Duqu appears to be younger than Stuxnet, according to Jackson. "If the development of the Tilded kit follows the general evolutionary pattern of development of software in general, and of practically all similar malware kits more specifically, then Duqu is younger than Stuxnet based on the common code. This is supported by analysis of incident time lines and other artifacts, such as compiler and code-signing time stamps," etc., he says.

Liam O Murchu, manager of operations for Symantec Security Response, says while Stuxnet and Duqu use the same code base, the real link is the loader file that Kaspersky studied: It's one file on the disk of an infected machine that is not encrypted. And while Murchu can't reveal details about Duqu victims, he says Duqu was targeting similar types of companies, possibly for a future Stuxnet attack. "I can say that all the companies Duqu [hit] had something useful to the business of Stuxnet," Murchu says.

And it's likely the attackers behind Duqu and Stuxnet are still operating under different attack campaigns. "They are likely still operating and reconfiguring and recompiling it to avoid security products or researchers," he says. "There could be attacks going on right now that we are not aware of."

[Lessons learned from the Stuxnet-Duqu link. See Four Takeaways From The Stuxnet-Duqu Connection.]

Meanwhile, there are several missing pieces to the Stuxnet and Duqu puzzle. First, there's "Stars," a cyberattack the Iranian government claims hit its nuclear facility in April. Researchers at first dismissed the news as either a hoax or common malware, according to Kaspersky's Raiu, but later discovered that Duqu contains a photo showing the collision of two galaxies, indicating a possible connection with Stars.

"We think that many targets in Iran were specific versions of Duqu, and that may be one of the missing pieces of the puzzle," he says.

Another question is that one of the components for the Duqu command-and-control (C&C) servers was written in a programming language that the researchers had never seen before. "It was a very curious procedural language .. we don't know why they chose to write it in a different language, and we don't know what this language is," Raiu says. "Solving this [may] help us understand who created the communication module, or if different groups don't know about one another," for example, he says.

Still a mystery, too, is how the Duqu attackers hacked the systems they used as C&C servers. "All of the computers belong to people and organizations unrelated to Duqu and had been hacked," he says. "We need a good explanation of how they accessed them."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
A heap based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlwescape ../../programs/escape.c:97.
PUBLISHED: 2021-05-17
A null pointer deference issue exists in GNU LibreDWG 0.10.2641 via output_TEXT ../../programs/dwg2SVG.c:114, which causes a denial of service (application crash).
PUBLISHED: 2021-05-17
A heab based buffer overflow issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:46.
PUBLISHED: 2021-05-17
A null pointer dereference issue exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:29. which causes a denial of service (application crash).
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641 via htmlescape ../../programs/escape.c:48.