Sunday, October 23, 2011

Boomerang! Is the Pentagon Field-Testing 'Son of Stuxnet'?



When the cybersecurity firm Symantec announced they had discovered a sophisticated Trojan which shared many of the characteristics of the Stuxnet virus, I wondered: was the Pentagon and/or their Israeli partners in crime field-testing insidious new spyware?

According to researchers, the malicious program was dubbed "Duqu" because it creates files with the prefix "~DQ." It is a remote access Trojan (RAT) that "is essentially the precursor to a future Stuxnet-like attack." Mark that carefully.

In simple terms, a Trojan is malicious software that appears to perform a desirable function prior to its installation but in fact, steals information from users spoofed into installing it, oftentimes via viral email attachments.

In the hands of enterprising security agencies, or criminals (the two are functionally synonymous), Trojans are primarily deployed for data theft, industrial or financial espionage, keystroke logging (surveillance) or the capture of screenshots which may reveal proprietary information.

"The threat" Symantec averred, "was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered."

The malware, which began popping-up on the networks of several European firms, captured lists of running processes, account and domain information, network drives, user keystrokes and screenshots from active sessions and did so by using a valid, not a forged certificate, stolen from the Taipei-based firm, C-Media.

Whereas Stuxnet, believed to be a co-production of U.S. and Israeli cyber-saboteurs, was a weaponized virus programmed to destroy Iran's civilian nuclear power infrastructure by targeting centrifuges that enrich uranium, Duqu is a stealthy bit of spy kit that filches data from manufacturers who produce systems that control oil pipelines, water systems and other critical infrastructure.

Sergey Golovanov, a malware expert at Kaspersky Labs told Forbes that Duqu is "is likely the brainchild of a government security apparatus. And it's that government's best work yet."

Speaking from Moscow, Golovanov told Forbes in a telephone interview that "right now were are pretty sure that it is the next generation of Stuxnet."

"We are pretty sure that Duqu is a government cyber tool and are 70% sure it is coming from the same source as Stuxnet," Golovanov said.

"The victims' computer systems were infected several days ago. Whatever it is," Golovanov noted, "it is still in those systems, and still scanning for information. But what exactly it is scanning for, we don't know. It could be gathering internal information for encryption devices. We only know that it is data mining right now, but we don't know what kind of data and to what end it is collecting it."

Whom, pray tell, would have "access to Stuxnet source code"?

While no government has claimed ownership of Stuxnet, IT experts told Forbes "with 100% certainty it was a government agency who created it."

Suspects include cryptologists at the National Security Agency, or as is more likely given the outsourcing of intelligence work by the secret state, a combination of designers drawn from NSA, "black world" privateers from large defense firms along with specialists from Israel's cryptologic division, Unit 8200, operating from the Israeli nuclear weapons lab at the Dimona complex, as The New York Times disclosed.

Analyst George Smith noted: "Stuxnet was widely distributed to many computer security experts. Many of them do contract work for government agencies, labor that would perhaps require a variety of security clearances and which would involve doing what would be seen by others to be black hat in nature. When that happened all bets were off."

Smith averred, "once a thing is in world circulation it is not protected or proprietary property."

While one cannot demonstrably prove that Duqu is the product of one or another secret state satrapy, one can reasonably inquire: who has the means, motive and opportunity for launching this particular bit of nastiness into the wild?

"Duqu's purpose," Symantec researchers inform us, "is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party."

In other words, while Stuxnet was programmed to destroy industrial systems, Duqu is an espionage tool that will enable attackers "looking for information such as design documents that could help them mount a future attack on an industrial control facility."

Although it can be argued, as Smith does, that "source code for malware has never been secure," and "always becomes something coveted by many, often in direct proportion to its fame," it also can't be ruled out that military-intelligence agencies or corporate clones with more than a dog or two in the "cyberwar" hunt wouldn't be very interested in obtaining a Trojan that clips "industrial design" information from friend and foe alike.

Black Programs

The circulation of malicious code such as Duqu's is highly destabilizing. Considering that the U.S. Defense Department now considers computer sabotage originating in another country the equivalent to an act of war for which a military response is appropriate, the world is on dangerous new ground.

Speaking with MIT's Technology Review, Ronald Deibert, the director of Citizen Lab, a University of Toronto think tank that researches cyberwarfare, censorship and espionage, told the publication that "in the context of the militarization of cyberspace, policymakers around the world should be concerned."

Indeed, given the fact that it is the United States that is now the biggest proliferator in the so-called cyber "arms race," and that billions of dollars are being spent by Washington to secure such weapons, recent history is not encouraging.

With shades of 9/11, the anthrax mailings and the Iraq invasion as a backdrop, one cannot rule out that a provocative act assigned to an "official enemy" by ruling elites just might originate from inside the U.S. security complex itself and serve as a convenient pretext for some future war.

A hint of what the Pentagon is up to came in the form of a controlled leak to The Washington Post.

Last spring, we were informed that "the Pentagon has developed a list of cyber-weapons and -tools, including viruses that can sabotage an adversary's critical networks, to streamline how the United States engages in computer warfare."

The list of "approved weapons" or "fires" are indicative of the military's intention to integrate "cyberwar" capabilities into its overall military doctrine.

According to Ellen Nakashima, the "classified list of capabilities has been in use for several months and has been approved by other agencies, including the CIA."

The Post reported that the new "framework clarifies, for instance, that the military needs presidential authorization to penetrate a foreign computer network and leave a cyber-virus that can be activated later."

On the other hand, and here's where Duqu may enter the frame, the "military does not need such approval, however, to penetrate foreign networks for a variety of other activities. These include studying the cyber-capabilities of adversaries or examining how power plants or other networks operate."

Additionally, Nakashima wrote, Pentagon cyberwarriors "can also, without presidential authorization, leave beacons to mark spots for later targeting by viruses, the official said."

As part of Washington's on-going commitment to the rule of law and human rights, as the recent due process-free drone assassination of American citizen Anwar Al-Awlaki, followed by that of his teenage son and the revenge killing of former Libyan leader Muammar Qaddafi by--surprise!--Al Qaeda-linked militias funded by the CIA clearly demonstrate, the "use of any cyber-weapon would have to be proportional to the threat, not inflict undue collateral damage and avoid civilian casualties."

Try selling that to the more than 3,600 people killed or injured by CIA drone strikes, as Pakistan Body Count reported, since our Nobel laureate ascended to his Oval Office throne.

As George Mason University researchers Jerry Brito and Tate Watkins described in their recent paper, Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy, despite overheated "rhetoric of 'cyber doom' employed by proponents of increased federal intervention," there is a lack of "clear evidence of a serious threat that can be verified by the public."

However, as Brito and Watkins warned, "the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War," one where "a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well."

A "demand" which will inevitably feed the production, proliferation and deployment of a host of viral attack tools (Stuxnet) and assorted spybots (Duqu) that can and will be used by America's shadow warriors and well-connected corporate spies seeking to get a leg-up on the competition.

While evidence of "a serious threat" may be lacking, and while proponents of increased "cybersecurity" spending advanced "no evidence ... that opponents have 'mapped vulnerabilities' and 'planned attacks'," Brito and Watkins noted there is growing evidence these are precisely the policies being pursued by Washington.

Why might that be the case?

As a declining imperialist Empire possessing formidable military and technological capabilities, researcher Stephen Graham has pointed out in Cities Under Siege: The New Military Urbanism, the United States has embarked on a multibillion dollar program "to militarize the world's global electronic infrastructures" with a stated aim to "gain access to, and control over, any and all networked computers, anywhere on Earth."

Graham writes that "the sorts of on-the-ground realities that result from attacks on ordinary civilian infrastructure are far from the abstract niceties portrayed in military theory."

Indeed, as "the experiences of Iraq and Gaza forcefully remind us," robotized drone attacks and already-existent cyberwar capabilities buried in CIA and Pentagon black programs demonstrate that "the euphemisms of theory distract from the hard fact that targeting essential infrastructure in highly urbanized societies kills the weak, the old and the ill just as surely as carpet bombing."

A Glimpse Inside the Complex

In the wake of the HBGary hack by Anonymous earlier this year, the secrecy-shredding web site Public Intelligence released a 2009 Defense Department contract proposal from the firm.

Among other things, it revealed that the Pentagon is standing-up offensive programs that "examine the architecture, engineering, functionality, interface and interoperability of Cyber Warfare systems, services and capabilities at the tactical, operational and strategic levels, to include all enabling technologies."

HBGary, and one can assume other juiced defense contractors, are planning "operations and requirements analysis, concept formulation and development, feasibility demonstrations and operational support."

"This will include," according to the leaked proposal, "efforts to analyze and engineer operational, functional and system requirements in order to establish national, theater and force level architecture and engineering plans, interface and systems specifications and definitions, implementation, including hardware acquisition for turnkey systems."

Indeed, the company will "perform analyses of existing and emerging Operational and Functional Requirements at the force, theater, Combatant Commands (COCOM) and national levels to support the formulation, development and assessment of doctrine, strategy, plans, concepts of operations, and tactics, techniques and procedures in order to provide the full spectrum of Cyber Warfare and enabling capabilities to the warfighter."

During the course of their analysis Symantec learned that Duqu "uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational."

"The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out."

To where, and more importantly by whom was that information "exfiltrated" is of course, the $64,000 question.

A working hypothesis may be provided by additional documents published by Public Intelligence.

According to a cyberwar proposal to the Pentagon by General Dynamics and HBGary, "Project C" is described as a program for the development "of a software application targeting the Windows XP Operating System that, when executed, loads and enables a covert kernel-mode implant that will exfiltrate a file from disk (or other remotely called commands) over a connected serial port to a remote device."

We're informed that Project C's "primary objectives" was the design of an implant "that is clearly able to exfiltrate an on-disk file, opening of the CD tray, blinking of the keyboard lights, opening and deleting a file, and a memory buffer exfiltration over a connected serial line to a collection station."

"As part of the exploit delivery package," HBGary and General Dynamics told their prospective customers, presumably the NSA, that "a usermode trojan will assist in the loading of the implant, which will clearly demonstrate the full capability of the implant."

Duqu, according to Symantec researchers, "uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received."

While we don't know which firms were involved in the design of Stuxnet and now, Duqu, we do know thanks to Anonymous that HBGary had a Stuxnet copy, shared it amongst themselves and quite plausibly, given what we've learned about Duqu, Stuxnet source code may have been related to the above-mentioned "Project C."

Kevin Haley, Symantec's director of product management told The Register that "the people behind Stuxnet are not done. They've continued to do different things. This was not a one-shot deal."

1 comment:

Bruce said...

Thanks, Tom. Great little article. Are we getting the meaning of "Full Spectrum Dominance" yet?