New Malware Brings Cyberwar One Step Closer

Stuxnet-like code found on industrial machines in Europe may have performed reconnaissance in preparation for attack.

A newly discovered piece of malicious code dubbed Duqu is closely related to the notorious Stuxnet worm that damaged Iran’s nuclear-enrichment centrifuges last year. Although it has no known target or author, it sets the stage for more industrial and cyberwar attacks, experts say.

Who’s next?: Iran’s Natanz nuclear complex, seen here in a satellite image, was damaged by a computer worm called Stuxnet.

“This is definitely a troubling development on a number of levels,” says Ronald Deibert, director of Citizen Lab, an Internet think-tank at the University of Toronto, who leads research on cyberwarfare, censorship, and espionage. “In the context of the militarization of cyberspace, policymakers around the world should be concerned.”

Indeed, the spread of such code could be destabilizing. The Pentagon’s cyberwar strategy, for example, makes clear that computer attacks on industrial and civilian infrastructure like chemical factories or power grids as well as military networks could be regarded as equivalent to a conventional bombing or other attack, if civilians were endangered.

Duqu was described Tuesday by the security firm Symantec, which says the malware’s purpose appears to be gathering intelligence from computerized industrial control systems. It doesn’t do damage, but rather spies on them to gather information relevant to making future attacks.

Symantec researchers wrote that Duqu has circulated for 10 months and is “essentially the precursor to a future Stuxnet-like attack,” but with the target unknown. The code can monitor messages and processes, and look for information including the design of so-called SCADA systems (for “supervisory control and data acquisition”). These are computer systems that are used at industrial plants and power plants to control things like pumps, valves, and other machinery.

The code was originally discovered at a handful of unnamed sites in Europe by an undisclosed research team and given to Symantec for analysis on October 14, the company says.

The Stuxnet worm was highly specific to Iran’s Natanz facility, where uranium enrichment is conducted in hardened underground bunkers. Iran maintains that Natanz is an entirely peaceful effort to make fuel for nuclear power plants, but some observers fear it may also serve as a bomb-making program.

Stuxnet went far beyond shutting down or disrupting operations. After infecting Siemens-made control systems, it sent out instructions that would damage delicate centrifuges, in which bomb- or reactor-grade uranium is separated from naturally occurring uranium. In a Hollywood touch, the worm also displayed normal information on computer screens so that human operators wouldn’t notice the attacks.

Stuxnet is widely regarded as the most sophisticated piece of malicious software ever created. Earlier this year, the New York Times reported that Stuxnet was tested by Israeli agents on centrifuges at an Israeli site, and pointed to this and other clues that Stuxnet may have been “designed as an American-Israeli project to sabotage the Iranian program.”

But much is not known. “We don’t know what it’s for. The initial speculation is that it was a precursor to the next Stuxnet, but we don’t know anything,” says Bruce Schneier, a cryptologist and security expert. “It is what it is. We don’t know.”

Duqu creates a kind of “back door” that can receive commands from, and deliver information to, a so-called command-and-control server somewhere in India. (That server is not known to have sent out instructions, Symantec says.) The company says the back door stays open for only 36 days, and then the malware deletes itself.

Symantec says its researchers—after sending out a detection tool following the discovery of the code in Europe—have found Duqu on industrial computers “around the globe.” Like Stuxnet, which infected thousands of computers in 155 countries last year, Duqu got aboard victim computers by means of a stolen digital certificate—a cryptographic code that authenticates a piece of software on a target machine. “On the whole, this underscores the critical importance of cyberspace security policy and practices, nationally, regionally, and internationally,” Deibert says.
