Duqu spies on industrial systems for attack surveillance

An offshoot of the Stuxnet worm has been discovered, which an anonymous lab claims has been used to tee up more sophisticated attacks – like the one seen at an Iranian nuclear facility last year.

According to security firm Symantec the new variant is “very similar to Stuxnet” with parts of the threat, dubbed Duqu, said to be “nearly identical”.  This has led to claims that Duqu is being used by the team behind Stuxnet, or at the very least those with access to its code.

However, the purpose of Duqu is fundamentally different.  Duqu has been developed as what appears to be a precursor to a full Stuxnet attack.

Recovered samples show that Duqu is used to gather intelligence data from manufacturers of industrial control systems.  Anything grabbed from these third parties could then be used to attack the real targets, the equivalent of stealing blueprints for an attack.

Design documents are expected to be the basis for a future attack on an industrial control facility, Symantec said in a statement, and it is thought that the attackers are working from a highly specific list of target organisations.

Duqu is a remote access Trojan (RAT) which deletes itself after 36 days, installing keyloggers and searching for information that could aid further attacks.

In at least one case the attackers failed to nab any information, but details are not available for every instance.

One set of driver files was reportedly signed with valid digital certificates belonging to a company based in Taiwan.  The certificates were subsequently revoked, and it is thought that they were obtained through theft rather than by fraudulent means.

TechEye spoke to Symantec, which was reluctant to say whether this has increased the chance of further Stuxnet attacks, but given the Stuxnet team’s past success it said the threat should be treated seriously.

“It is difficult to say exactly what the risk is as we are only just building a profile of the attackers and what the targets are and so forth,” Orla Cox, Senior manager at Symantec Security Response told TechEye. “But based on the history of Stuxnet attacks this is a well organised group that has performed coordinated attacks in the past.”

“The target is to see how Duqu got onto machines and what the intentions were,” Cox said. “At the moment we need to step back before we see how worried we should be.”

In terms of actual organisations hit by Duqu, Symantec was unable to provide specific details though it could provide some information.

“We can’t give details of which companies were involved, but they were a variety of organisations, mainly manufacturers of industrial control systems,” Symantec said.

“We can confirm that they were based in Europe, however.”

According to Symantec, it is highly probable that a similar method was used to gather intelligence before the original Stuxnet attacks: “It is highly likely something similar was used before Stuxnet, though this particular variety has been seen this year.  In fact it has appeared as recently as Tuesday so it is clear if it is not connected directly to Stuxnet.”