Stuxnet & Duqu, update on cyber weapons usage

Pierluigi Paganini April 19, 2012

We all know about the malware Stuxnet and Duqu, unanimously considered the first examples of cyber weapons developed by a government to silently attack an enemy's critical infrastructure. We have written a lot on the topic and have followed with attention the excellent analyses by experts such as Ralph Langner and the researchers of Kaspersky Lab and Symantec; in recent days new updates have been published regarding the two agents, trying to explain their status and the methods used to spread them behind enemy lines.

Let's start with the update on Stuxnet, the malware implanted to damage Iran's nuclear program. The news of the day is that, according to former and serving U.S. intelligence officials, the operation was conducted by Israeli agents with the collaboration of Iranian spies, who used a corrupt "memory stick" to infect machines at the Natanz enrichment plant and sabotage it.

In the continuing battle to hold off the Iranian nuclear program, Iranian proxies have also been active in assassinating Iran's nuclear scientists, these sources said; key figures in the operations seem to be groups of Iranian dissidents also involved in those killings. The choice of a human vector to deliver the malware was meant to achieve a more reliable infection while reducing the risk that the agent would be discovered before reaching its target.

“They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. ‘Iranian double agents’ would have helped to target the most vulnerable spots in the system.”

Iranian intelligence suspected the infiltration of spies inside its plants and arrested an unspecified number of people accused of having supported the operations related to the diffusion of Stuxnet.

Who are the Iranian spies that supported the Israeli operations?

Former and serving senior U.S. officials believe the Iranian supporters belonged to the Mujahedeen-e-Khalq (People's Mujahedin of Iran, alias MEK, also PMOI or MKO).

The group is an exiled Iranian organization that advocates the overthrow of the Islamic Republic of Iran. It was founded on September 5, 1965 by a group of leftist Iranian university students as an Islamic and Marxist political mass movement, originally devoted to armed struggle against the Shah of Iran, capitalism, and Western imperialism. During the Iran-Iraq War the group was given refuge by Saddam Hussein and mounted attacks on Iran from Iraqi territory. MEK is considered the military wing of the National Council of Resistance of Iran (NCRI) and has targeted Iranian officials and government facilities in Iran and abroad.

The United States, Canada, Iraq and Iran consider the MEK a terrorist organization. On January 26, 2009, the Council of the European Union removed the MEK from its list of designated terrorist organizations; the United States is reported to have received the group's support for intelligence operations against Iran's nuclear program in 2002 and 2008.

The report from Isssource.com says:

“Former and senior U.S. officials believe nuclear spies belonged to the Mujahedeen-e-Khalq (MEK), which Israel uses to do targeted killings of Iranian nationals, they said. “The MEK is being used as the assassination arm of Israel’s Mossad intelligence service,” said Vince Cannistraro, former head of the CIA’s Counterterrorism. He said the MEK is in charge of executing “the motor attacks on Iranian targets chosen by Israel. They go to Israel for training, and Israel pays them.” Other former agency officials confirmed this.”

We have always maintained that Israel has worked closely with the U.S. government, and this is true for the campaign against the Iranian nuclear program, at least as far as the development of the cyber weapons is concerned. But since 2007 five Iranian nuclear scientists have been killed on Iranian territory, and the American side appears extraneous to those events: Israel seems to have used as executors MEK operatives well infiltrated in the local social context and with deep knowledge of the activities performed inside Iran's nuclear plants.

Stuxnet was first discovered by the Belarusian firm VirusBlokAda, based in Minsk, which had been contacted by an Iranian dealer whose clients were having problems with several computers: the machines were constantly shutting down and rebooting, but the antivirus could not detect the agent because Stuxnet exploited zero-day vulnerabilities. Consider also that the malware's driver components were signed with digital certificates stolen from Realtek Semiconductor and JMicron Technology Corp., giving them the appearance of legitimate software to Microsoft Windows. The lesson for defenders is that a valid Authenticode signature proves only that whoever signed the file held the private key, not that the named publisher intended to sign it; signature validity alone is not a trust decision.

Stuxnet was a perfect example of a cyber weapon developed to select its targets surgically while remaining undetected and avoiding damage to non-target machines. With Stuxnet a new concept of malware was introduced: a broad-spectrum weapon capable of hitting, silently and surgically, a high number of objectives located anywhere on the planet.

The researchers of the major antivirus companies have identified Stuxnet as the progenitor of another piece of malware, Duqu, also classified as a cyber weapon developed on a government's commission. Duqu is quite different from its relative: it has a modular structure like Stuxnet but is not equipped with modules for attacking SCADA systems; it is only able to steal information from the host system.

In March 2012 a new instance of Duqu was isolated, a variant designed to evade the detection mechanisms of antivirus products and other security systems: its code appears to have been reshuffled and compiled with a different set of options, and it contains a different subroutine for decrypting the configuration block and loading the malware's body. A similar operation had already been observed in October 2011. Of course, the references to the C&C servers were also changed, because all the old infrastructure was shut down on October 20, 2011. Recompiling with different options changes every byte-level hash and most static byte signatures, which is exactly why a variant can slip past products that still detect the earlier build.

Duqu is thus still operating: in the last week several infections have been reported in the Philippines, where Duqu is spreading hidden in documents such as Microsoft Word files. The alert level is high, according to Kaspersky Lab, because the malware may begin to affect newly industrialized countries in Asia, including the Philippines, which is one of the major IT outsourcing service providers.

“The spread of Duqu in the Philippines could have dire effects on its multibillion-dollar outsourcing business,”

Kaspersky Lab said in a statement.

Kaspersky's director of global research and analysis, Costin Raiu, and his team gathered evidence showing that the same development team is behind Stuxnet and Duqu and that it used a common platform to build both; what is really interesting and new is that the researchers are convinced the same framework has also been used to create at least three other pieces of malware.

We are dealing with an application that consists of several modules, each responsible for a specific function. The behavior of the resulting malware is determined by which modules are combined and how they interact within the same agent. We are facing a powerful weapon for the following reasons:

  • Mutable, non-deterministic behavior of the final agent, depending on the modules used.
  • The possibility of developing additional modules designed for specific categories of targets.
  • Opportunities for collaboration among multiple developer groups belonging to different organizations. With a common platform it becomes possible to build a real library of modules, functions that can be called as in any other program, to infect specific objectives.

Costin Raiu said:

“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,”

The statement is the perfect synthesis of the key concept behind the new cyber weapons: just as with Lego, you can build any "shape" of malware by assembling the individual components so as to attack a specific target. Kaspersky researchers have named the platform "Tilded" because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol "~" and the letter "d".

Consider also that malware has already been used in the past for sabotage and intelligence purposes: in the 1980s the United States had considerable success installing viruses inside the Soviet military-industrial structure, a process reportedly still continuing with China.
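The two observations above, a Duqu variant recompiled to defeat byte-level detection and a naming convention ("~d…" files) that the authors nevertheless kept across builds, suggest a practical hunting check. The following Python is an added example written for this page; it is not code from the article, from Kaspersky or from Symantec. It sweeps directory trees for files whose names begin with "~d" (case-insensitive, since NTFS preserves but does not enforce case) and compares each hit against a SHA-256 blocklist, showing that the recompiled variant misses the hash lookup while the naming IOC still fires. All file names, file contents and the blocklist entry are constructed for the demo; in real use you would point `sweep()` at %TEMP% and other known drop locations and load vendor-published hashes.

```python
import hashlib
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Naming IOC from the article: Tilded files start with "~" followed by "d".
# Matched case-insensitively because NTFS is case-preserving, not case-sensitive.
TILDED_NAME = re.compile(r"^~d", re.IGNORECASE)


@dataclass
class Hit:
    path: str
    sha256: str
    size: int
    known_hash: bool  # True only if the file is already on the hash blocklist


def sha256_of(path: str) -> str:
    """Stream the file so a large dropped binary is not loaded into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots: Iterable[str], known_hashes: Set[str]) -> List[Hit]:
    """Walk each root, keep files whose NAME matches the Tilded pattern, then
    enrich each hit with a hash lookup. The name match is the trigger; the hash
    only tells us whether the sample is already catalogued."""
    hits: List[Hit] = []
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                if not TILDED_NAME.match(name):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    digest = sha256_of(path)
                    size = os.path.getsize(path)
                except OSError:
                    continue  # locked or unreadable file: skip it, do not abort the sweep
                hits.append(Hit(path, digest, size, digest in known_hashes))
    return sorted(hits, key=lambda h: h.path)


def _write(base: str, rel: str, data: bytes) -> str:
    path = os.path.join(base, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def run_demo() -> Dict[str, object]:
    """Constructed scenario (every name and byte string here is made up):
    - a catalogued dropper whose hash is on the blocklist,
    - a 'recompiled variant' with the same naming style but different bytes,
    - an Office lock file '~$...' and a plain text file that must NOT match."""
    base = tempfile.mkdtemp(prefix="tilded_demo_")
    try:
        original = b"MZ\x90\x00" + b"constructed dropper body v1" * 64
        variant = b"MZ\x90\x00" + b"constructed dropper body v2" * 64  # same style, new build
        _write(base, "Temp/~D_sample_1.tmp", original)
        _write(base, "Temp/~dsample_2.tmp", variant)
        _write(base, "Docs/~$report.docx", b"office lock file")
        _write(base, "Docs/readme.txt", b"plain text")

        blocklist = {hashlib.sha256(original).hexdigest()}  # only the first build is known
        hits = sweep([base], blocklist)
        return {
            "hits": len(hits),
            "known": sum(1 for h in hits if h.known_hash),
            "unknown": sum(1 for h in hits if not h.known_hash),
            "names": sorted(os.path.basename(h.path) for h in hits),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The name pattern on its own is noisy (anything beginning with "~d" matches), so treat it as a triage trigger rather than a verdict: the hits whose hash is unknown are the ones to pull for analysis, because a hash-only blocklist would have said nothing about them at all.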

“We put in bugs inside the Soviet computers to feedback satellite information that had been ‘leeched’ off hard drives, in the Soviet Defense Ministry and others,” said a former U.S. intelligence official.

Also during Desert Storm, the CIA and the British Government Communications Headquarters (GCHQ) used malware agents to attack Iraq's computers, planting a command and control capability inside the enemy's infrastructure: CIA operatives working in Jordan infiltrated bugs into hardware smuggled across the border into Baghdad. On that occasion the compromised devices went unused, because the U.S. air strikes that opened the campaign destroyed Saddam's command and control network, including the buildings where the infected hardware had been deployed.

What can we expect from the future?

We will surely see the birth of new versions of the existing agents, equipped with more sophisticated modules that add new features and are better able to avoid antivirus detection.

We will also face the development of new malware based on the same platform, and the creation of new sophisticated platforms used as malware factories.

The war has begun!


Pierluigi Paganini

(Security Affairs – Duqu, cyber espionage)


China CIA Critical infrastructures Cyber attacks cyber weapon cyber weapons digital certificates duqu Espionage Hackers Intelligence Iran Iranian nuclear program Sabotage stuxnet Tilded virus warfare zero-day vulnerabilities
