Nation-state sponsors learn lesson of too-sophisticated cyber weapons

The presumed government sponsors behind a string of targeted attacks on mainly Middle Eastern computers are likely evolving their techniques to hide the hallmarks that have revealed their work to be a unified campaign, according to computer security researchers. The public's ability to attribute cyber strikes to a single, organized entity could undermine such covert operations.

During the past year, various antivirus analysts have connected Stuxnet, a cyber sabotage tool allegedly authored by Israel and the United States to disable Iran's nuclear program, with other malicious software also thought to be state-sponsored. Unlike Stuxnet, the others are designed to harvest intelligence from target computers without necessarily disrupting operations. After Stuxnet was first discovered in 2010, Russia-based Kaspersky Lab, U.S. company Symantec and other international research groups uncovered the related malware.

Although Stuxnet and its related espionage tools are sophisticated in what they do, whoever built them reused the same stealth tactics too many times, the analysts have found.

"These common links have allowed us to tie things together, and I don't think these nation-states will make the same mistakes going forward," Roel Schouwenberg, a Kaspersky senior antivirus researcher, told U.S. Chamber of Commerce members at a summit Thursday.

Researchers were able to match Stuxnet with an intelligence-gathering tool called Duqu, uncovered in fall 2011, partly because the two used the same code-injection techniques and both posed as legitimate software by signing their components with stolen, but genuine, code-signing certificates. "If you want an analogy, Duqu and Stuxnet are like Windows and Office. Both are from Microsoft, although different people might have worked on them," stated one Kaspersky assessment.

When Kaspersky researchers later unearthed a far larger cyberespionage tool called Flame, they traced it to the group behind Duqu, and therefore also to Stuxnet, in part by recognizing that both used the same component to erase certain data, among other shared traits.

This summer, studies mapped the underpinnings of Gauss, the first known government-sponsored malware to target online bank accounts, to the hallmarks of Flame.

Analysis in June "resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to [command-and-control] servers, as well as numerous other similarities to Flame," Kaspersky researchers explained. The parallels "make us believe Gauss was created by the same ‘factory’ which produced Flame. This indicates it is most likely a nation-state–sponsored operation."

Most recently, researchers linked Flame with a suite of three as-yet-unidentified pieces of malware, all four of which were controlled from the same command-and-control server.
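The attribution chain described above (Stuxnet to Duqu via a shared certificate and injection technique, Duqu to Flame via a shared wiping component, Flame to Gauss via shared modules and C2 plumbing, and four families tied to one C2 server) is, mechanically, a clustering problem over reused artifacts. The script below is an added illustration of that reasoning, not code from Kaspersky, Symantec or this article: it scores sample pairs by the indicators they share, weights a stolen certificate or a shared C2 host above a copied loader technique, and joins samples into clusters with union-find. Every sample name, certificate thumbprint, host and module identifier in it is constructed and hypothetical; none describes a real Stuxnet, Duqu, Flame or Gauss artifact.

```python
"""Attribution by shared artifacts: group malware samples that reuse
indicators (signing certificate, C2 host, module hash, loader technique).

Added example, not Kaspersky or Symantec tooling. All sample records below
are constructed for illustration; the names and indicator values are
hypothetical and do not describe real Stuxnet, Duqu, Flame or Gauss samples.
"""
from collections import defaultdict
from typing import Dict, Set

# Which artifact types count as linking evidence, and how strong each is.
# A stolen code-signing certificate or a shared C2 host is stronger evidence
# than a shared loader technique, which unrelated families may also copy.
WEIGHTS = {"cert": 3, "c2": 3, "module": 2, "technique": 1}

# Constructed sample records (hypothetical values).
SAMPLES: Dict[str, Dict[str, Set[str]]] = {
    "sample_A": {"cert": {"thumb-1111"}, "c2": {"c2-one.example"},
                 "module": {"wipe-mod-aa"}, "technique": {"inject-hook"}},
    "sample_B": {"cert": {"thumb-1111"}, "c2": {"c2-two.example"},
                 "module": {"loader-bb"}, "technique": {"inject-hook"}},
    "sample_C": {"cert": {"thumb-2222"}, "c2": {"c2-three.example"},
                 "module": {"wipe-mod-aa", "comm-cc"}, "technique": {"dll-proxy"}},
    "sample_D": {"cert": set(), "c2": {"c2-three.example"},
                 "module": {"comm-cc"}, "technique": {"dll-proxy"}},
    # A sample whose operators reused nothing: it cannot be linked to the rest.
    "sample_E": {"cert": {"thumb-9999"}, "c2": {"c2-nine.example"},
                 "module": {"unique-ee"}, "technique": {"bootkit"}},
}


def shared_artifacts(a, b):
    """Return (score, evidence) for two samples: every indicator they share."""
    score = 0
    evidence = []
    for kind, weight in WEIGHTS.items():
        for value in sorted(a.get(kind, set()) & b.get(kind, set())):
            score += weight
            evidence.append((kind, value))
    return score, evidence


def cluster(samples, threshold=2):
    """Union-find over pairs whose shared-artifact score reaches threshold.

    Returns (clusters, links): clusters is a sorted list of sorted sample-name
    lists; links maps each linked pair to the evidence that joined them.
    """
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    links = {}
    names = sorted(samples)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            score, evidence = shared_artifacts(samples[a], samples[b])
            if score >= threshold:
                links[(a, b)] = evidence
                parent[find(a)] = find(b)

    groups = defaultdict(list)
    for name in names:
        groups[find(name)].append(name)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, links


if __name__ == "__main__":
    clusters, links = cluster(SAMPLES)
    for group in clusters:
        print("cluster:", ", ".join(group))
    for (a, b), evidence in sorted(links.items()):
        print(f"  {a} <-> {b}: " + "; ".join(f"{k}={v}" for k, v in evidence))
```

With the default threshold, samples A through D fall into one cluster even though no single pair shares everything: A and B share a certificate, A and C share only a wiping module, and C and D share a C2 host. Raising the threshold to 3 drops the A to C link, because one reused module is the kind of weak overlap an operator can avoid cheaply, and the chain splits. That is the practical content of the researchers' warning: attribution of this sort lives or dies on artifact reuse, and a sponsor who stops reusing certificates, infrastructure and components (sample E) gives an analyst nothing to join on.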

Schouwenberg expects state-supported malware, whatever the government sponsor, to advance not only by diversifying its tradecraft but also by compromising computer hardware itself, so that victims must replace entire machines to eliminate the infection.

"A nightmare scenario is that you will need to replace your computer to get rid of the threat" on future generations of cyber weapons, he said.

(Image via Pavel Ignatov/