Son of Stuxnet could usher in a new chapter in cyber warfare
I wrote a year ago that Stuxnet demonstrated the difficulties and dangers of offensive cyber warfare. The weapons are too difficult to control to make them effective tools for legitimate warfare.
I have changed my opinion somewhat since then. Yes, there have been nearly 50,000 reported infections by the worm outside of the apparent targets in Iranian uranium processing plants, but its apparent success in disrupting those processors without resorting to bombs or bullets and lack of serious collateral damage from the unplanned infections makes it hard to argue with the fact that Stuxnet worked.
Duqu is no 'hydrogen bomb,' but is part of the new cyber threat
But the arrival of Son of Stuxnet is a serious reminder that sophisticated malware is a dangerous commodity. Like a bomb, whether it is a threat or a defense depends on who controls it. And the public has no idea who is behind Duqu.
Duqu, discovered in the wild in October, appears to share genetic material with the groundbreaking Stuxnet worm, which tells us a little something about its authors, although the new worm appears to be a tool for espionage rather than a weapon.
“Duqu is not Stuxnet, but its structure and design philosophy are very similar to those of Stuxnet,” an academic research paper published by Symantec concluded. “At this point in time, we do not know more about their relationship, but we believe that the creator of Duqu had access to the source code of Stuxnet.”
Symantec researchers characterized Duqu as a “precursor to the next Stuxnet” and said that it appears to be conducting research and reconnaissance operations against targets. “The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party.”
Stuxnet is a serious piece of malware. By all accounts it is the product of a well-financed team that had the time and resources to gather detailed intelligence about its target and craft a complex program to seek it out, observe it and sabotage it. These developers are likely to have kept close tabs on their source code, and the logical assumption is that the authors of Duqu, if not the same, are at least cooperating with the Stuxnet authors.
If Duqu is gathering information in preparation for future attacks, its targets should tell us something about who released it. The original Stuxnet specifically targeted Iranian facilities, leading to the widespread assumption that it was created by the United States or Israel, or maybe both. So far, little information has been released about the distribution of Duqu infections. And given the propensity of worms to spread, this might not tell us much about who it is intended to spy on.
Although offensive cyber warfare clearly is possible and might even be a responsible way to conduct military operations, Stuxnet and Son still illustrate the dangers of this new military domain.
“Whoever did Stuxnet should have learned a big lesson from it,” former presidential adviser Richard Clarke said in a recent interview. Without an effective way for its controllers to kill it, it inevitably will be exposed, becoming a double-edged sword.
Cyber weapons can spread like land mines, and when used as espionage tools it is likely that they eventually will be detected and analyzed by researchers, eventually limiting their effectiveness and possibly becoming an embarrassment to the owners. All of which means that in cyber war, we should continue to focus heavily on a robust defense.