Thursday, June 11, 2015

The new Duqu

We have a new malware problem, called Duqu. Actually, Duqu is a few years old, but the newest iteration is proving to be particularly pesky. Like its close relative Stuxnet (the virus designed to screw with Iran's nuclear laboratories), this one appears to be the work of a nation.
WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.
Ars Technica has more:
Developers planted several false flags in the malware to give the appearance its origins were in Eastern Europe or China. But as the Kaspersky researchers delved further into the 100 modules that encompass the platform, they discovered it was an updated version of Duqu, the malware discovered in late 2011 with code directly derived from Stuxnet. Evidence later suggested Duqu was used to spy on Iran's efforts to develop nuclear material and keep tabs on the country's trade relationships.
A "false flag" injected into malware code? Actually, that very possibility was discussed in one of the Snowden documents.

The Russian anti-malware firm Kaspersky reports that Duqu was specifically designed to target Kaspersky itself.
In addition to the P5+1 events and the attack on Kaspersky Lab, the Duqu 2.0 group targeted the 70th Anniversary event of the liberation of Nazi death camp Auschwitz-Birkenau, an event attended by many foreign dignitaries and politicians.
Let's confront the elephant in the room. If Duqu is the work of a nation, and if it derives from Stuxnet, then whodunnit?
It's an open secret that the Stuxnet malware was developed as part of a joint US-Israeli cyberweapons programme, codenamed Olympic Games. The NSA and Israel's elite Unit 8200 intelligence corps are therefore prime suspects in the creation of Duqu 2.0.
Israel's Unit 8200 is the obvious culprit.

Intriguingly, the entire German parliament has been hit by a similar malware attack.
Trojans introduced to the Bundestag network are still working and are still sending data from the internal network to an unknown destination, several anonymous parliament sources told German publication Der Spiegel.

In May, parliament IT specialists discovered hackers were trying to infiltrate the network. So far, they have been unable to mitigate the attack.
Some Germans suspect that the Russian foreign intelligence service SVR is behind the attack.
Russia also gets the blame here and here. I would counsel the Germans to be wary of false flags -- after all, Duqu 2.0 was meant to appear to be the work of "eastern Europeans." So far, I've seen no stories indicating that the German malware (which does not appear to have a name yet) bears a morphological resemblance to Stuxnet.

3 comments:

Anonymous said...

->
"the German malware"
German?
->

Joseph Cannon said...

I meant the malware used in the German incident. Are you suggesting that the BND was spying on the German parliament?

Anonymous said...

->
Thanks for clearing that.
No, I was not suggesting anything.
->