
Analysis of the Stuxnet Cyber Weapon Family and Dragonfly

Cyber weapons like Stuxnet will only grow in prevalence, use and sophistication, and it is therefore in the interest of national security to develop advanced mitigation techniques and capabilities.

The progenitors of Duqu, Flame and Gauss are reported to be the authors of STUXNET. As illustrated, the trend of advancements across these four cyber weapons suggests a push for more sophisticated cyber weapons, in conjunction with advanced defensive capabilities to mitigate the use of cyber weapons against the US and her allies. The DRAGONFLY campaign targeted Industrial Control Systems in active espionage and intelligence gathering, and the attribution of this campaign to Russia raises the question of whether the world is actively engaged in the next phase of cyber weapons development.

The analysis of the results shows a pattern of sophistication that follows a degenerative trend within the STUXNET family of cyber weapons. The cyber weapons STUXNET, Duqu, Flame and Gauss reveal a trend of decreasing sophistication in tactics and development while maintaining sophistication in deployment and propagation, though Flame is anomalous in that it shows a relative increase in sophistication of development. The analytical methodology used is based upon cursory knowledge of the omnibus technology, given the lack of definitive knowledge available in terms of source code, the true goals behind the deployment, and confirmed reports of effects, such as those at the Iranian nuclear facility targeted by STUXNET.

The term ‘cyber weapon’ (CW) is arguably difficult to define (Carr, 2012), yet definitions must be put in place at the onset of any discussion of technology considered ‘omnibus,’ or cyber technology with a multi-faceted ‘payload.’ For purposes of analysis the term omnibus will refer to cyber weapons. That is to say, malicious software (malware) may be referred to as omnibus when it contains sophisticated methodology in development and deployment as well as delivering multiple, advanced payloads (termed ‘warheads’ by Israel National News (Sheva, 2010)). To further refine the definition, the reference to a weapon should be treated similarly to any other weapon in the other four domains of warfare (land, sea, air and space), though the fifth domain of warfare, cyber, naturally has its own unique dimensions.

The legalities and ethics of cyber war are also important in terms of the determination of CW status; that is, the weapon may or may not comply with the few international standards in place in regard to cyber war. The NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) used the Russia/Georgia war as the case study for its paper “Cyber Attacks Against Georgia: Legal Lessons Defined” (Carr, 2011). Two issues in law arose from this CCDCOE case study: “justice to war” and “justice in war” (Carr, 2011).

The pertinence of “justice to war” is critical in classifying the malware as CW or not. While it could be argued that “justice in war” regulates the methods of deploying CWs in cyber-attacks (CWs may be used in a supportive role for ground forces or in tandem with engagement as a separate attack vector), this may allow a broader application of CW status to any malware used in an active war. For the purposes of this analysis the focus will be on the use of CWs when no war has been declared.

STUXNET is the first recorded instance of malware worthy of CW status. Kelley attributes STUXNET to the US and Israel (Kelley, 2013) and states that the attack on the Iranian reactor was far more important than previously thought. This supports the thesis that the ramifications of deploying CWs, regardless of who created and/or deployed them, result in an outcome far beyond what anyone can fathom. This aspect of deploying CWs is analogous to any malware or software, i.e. knowing what it does, whom it targets and how it affects those targets.

Gauss is similar to STUXNET, relying on similar lines of the STUXNET source code (Ferran, 2012). Gauss is the latest of the four CWs being analyzed, with Flame and DUQU preceding Gauss. The largest similarity between each of these is not only the states to which their creation and deployment are attributed (US and Israel) but also the researchers who discovered them and conducted the attribution (Kaspersky Labs).

The DRAGONFLY campaign is attributed to Russia, and may have used engineering similar to that of the STUXNET family of CWs. Confusion exists on how to classify STUXNET and the CW family that resulted (DUQU, Flame and Gauss, in that order): some say STUXNET was a worm (Sheva, 2010), DUQU was a surveillance-capable worm (Fox News, 2011), Flame is thought to be a Trojan-worm (Prince, 2012) and Gauss may contain this worm aspect in its method of propagation.

Kaspersky teams had linked Flame to STUXNET and Duqu, and it was during their analysis of Flame that they discovered Gauss (Ferran, 2012). Gauss was capable of live-feed espionage, recording live conversations that took place near an infected computer (Ferran, 2012). Each CW in this family had an espionage component. It is likely that one of the two warheads found in STUXNET, specifically the one reported as capable of affecting water, gas and electric systems (Sheva, 2010), increases the risk of a counter strike against the US and Israel targeting these types of Industrial Control Systems (ICSs), regardless of the accuracy of attribution. DRAGONFLY may be this counter strike against ICS, given the reports of attribution of STUXNET and the family of CWs that followed:

[Figures: Matrices, Calculations, Results]

I contacted Ian with a few questions, which I share with you:

Q: What is the main takeaway from your research?

A: Based on the analysis of the STUXNET cyber weapon family, which is known to include Duqu, Flame and Gauss, there is a trend of degeneration in the dimensions I’ve isolated. This doesn’t mean that they aren’t cyber weapons, or that they weren’t effective in doing what they set out to do, but that as the family grew (so to speak) the legality of deployment declined while the ethics remained in a grey zone. According to my analysis the overall sophistication shows Stuxnet as the most sophisticated with Flame secondary to sophistication. This results from the signatures that were gleaned from Stuxnet and applied to Flame.

Q: What in your results surprised you the most?

A: From what I’ve found Stuxnet is more closely related to Duqu while Gauss and Flame are more closely related to each other. To me this suggests that the authors realized signatures were being created from Stuxnet so they worked to modify the source code even more.

Q: To whom do you attribute these weapons?

A: Honestly I don’t know. I realize that the US and Israel are the usual suspects given the targeting of the Middle East and speculation on the use of one of these cyber weapons to target terrorist financing, but I choose not to speculate. If I’ve learned anything from my short time in the field it’s that attribution is the most difficult problem to tackle, especially when you base it on analysis of the source code and it involves a zero-day.

Q: What happens next? Where do we go from here? Has the threat landscape changed in terms of APTs?

A: Right, so, the biggest step to take is also the most important and most difficult. This is hardening the ICS and actively working to shift the defensive posture to a proactive one. I realize ‘proactive defense’ is a big buzzword, but ‘buzzword’ is a buzzword. The fact is we need to push for automated defense research, with clear definitions of redundancy in operations to prevent what I called “exploding,” which launches unauthorized attacks against outside systems, and “imploding,” which effectively shuts down the system it’s supposed to be protecting. I definitely think the threat landscape has changed. It seems like we are seeing more and more APTs, in terms of Iron Dome developers being hacked along with the Dragonfly campaign. This has always been a dynamic environment, but as I’ve begun to see: the anomalies are being replaced with recognizable patterns.


Ian Malloy

Security Affairs – (cyber weapon, Stuxnet)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
