
Nation-state sponsors learn lesson of too-sophisticated cyber weapons


The presumed government sponsors behind a string of targeted attacks on mainly Middle Eastern computers likely are evolving their techniques to hide trademarks that have revealed their work to be a unified campaign, according to computer security researchers. The public’s ability to attribute cyber strikes to a single, organized entity could undermine the covert maneuvers.

During the past year various antivirus analysts have connected Stuxnet, a cyber sabotage tool allegedly authored by Israel and the United States to disable Iran's nuclear program, with other malicious software also thought to be state-sponsored. Unlike Stuxnet, the others are designed to scavenge intelligence from adversary computers without necessarily disrupting operations. After Stuxnet was first discovered in 2010, Russia-based Kaspersky Lab, U.S. company Symantec and other international research groups came across the other bugs.  

Although Stuxnet and its related espionage weapons are sophisticated in performance, whoever constructed them used similar stealth tactics too many times, the analysts have found.

"These common links have allowed us to tie things together, and I don't think these nation-states will make the same mistakes going forward," Roel Schouwenberg, a Kaspersky senior antivirus researcher, told U.S. Chamber of Commerce members at a summit Thursday.

Researchers were able to match up Stuxnet with an intelligence-gathering worm called Duqu, uncovered during fall 2011, partly because the two used the same code-injection techniques and both passed themselves off as trustworthy software by using stolen, legitimate digital certificates to sign their components. "If you want an analogy, Duqu and Stuxnet are like Windows and Office. Both are from Microsoft, although different people might have worked on them," stated one Kaspersky assessment.

When Kaspersky researchers later unearthed a supersized cyberspy tool called Flame, they traced its origins to the group that orchestrated Duqu, and therefore also to Stuxnet, by recognizing that both viruses used the same tool to erase certain data, among other similarities.

This summer, studies mapped the underpinnings of Gauss, the first government-sponsored virus known to be hacking bank accounts, to the hallmarks of Flame.

Analysis in June "resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to [command-and-control] servers, as well as numerous other similarities to Flame," Kaspersky researchers explained. The parallels "make us believe Gauss was created by the same ‘factory’ which produced Flame. This indicates it is most likely a nation-state–sponsored operation."

Most recently, researchers linked Flame with a suite of three as-yet-unidentified viruses -- all four of which were handled by the same command-and-control server.
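The linking described in the preceding paragraphs (shared injection technique and signing certificate, a common data-erasing tool, a shared module loader, one command-and-control server serving several samples) is, at bottom, graph clustering over shared indicators. The following is an added example, not code from the article or from Kaspersky, showing how an analyst can turn a sample inventory into campaign clusters and then print the chain of evidence that joins two samples. Every indicator value (certificate serials, hostnames, technique labels) is a constructed placeholder, and the per-family indicator sets are illustrative, not real indicators of compromise.

```python
"""Cluster malware samples into campaigns by the indicators they share.

Added example: the inventory below is constructed for illustration. The
family names come from the article; every indicator string is a placeholder.
"""
from collections import defaultdict
from itertools import combinations

# Constructed inventory: sample name -> set of observed "trademarks".
# Each indicator carries a type prefix so a C2 host can never collide with a
# certificate serial or an injection-technique label.
SAMPLES = {
    "stuxnet":       {"inject:technique-A", "cert:PLACEHOLDER-SIGNER-1"},
    "duqu":          {"inject:technique-A", "cert:PLACEHOLDER-SIGNER-1", "wipe:tool-X"},
    "flame":         {"wipe:tool-X", "c2:placeholder-c2.example", "module:loader-M"},
    "gauss":         {"module:loader-M", "c2proto:scheme-P"},
    "unknown-1":     {"c2:placeholder-c2.example"},
    "unknown-2":     {"c2:placeholder-c2.example"},
    "unknown-3":     {"c2:placeholder-c2.example"},
    "commodity-bot": {"c2:other-host.example", "inject:technique-Z"},
}


def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def cluster_by_shared_indicators(samples, min_shared=1):
    """Group samples that share at least `min_shared` indicators (transitively).

    Returns (clusters, evidence): clusters is a sorted list of frozensets of
    sample names; evidence maps each linked pair (a, b) to the sorted list of
    indicators they share. Raising min_shared demands stronger overlap before
    two samples are tied together, since one shared host is weaker evidence
    than a shared certificate plus a shared technique.
    """
    parent = {name: name for name in samples}
    evidence = {}
    for a, b in combinations(sorted(samples), 2):
        shared = samples[a] & samples[b]
        if len(shared) >= min_shared:
            _union(parent, a, b)
            evidence[(a, b)] = sorted(shared)
    groups = defaultdict(set)
    for name in samples:
        groups[_find(parent, name)].add(name)
    clusters = sorted((frozenset(g) for g in groups.values()),
                      key=lambda g: sorted(g))
    return clusters, evidence


def link_chain(evidence, src, dst):
    """Shortest chain of pairwise links from src to dst, as [(a, b, shared), ...].

    This is the "Flame -> Duqu -> therefore Stuxnet" style of reasoning made
    explicit: each hop names the indicators that justify it. Returns [] when
    the two samples are not connected.
    """
    adjacent = defaultdict(list)
    for (a, b), shared in evidence.items():
        adjacent[a].append((b, shared))
        adjacent[b].append((a, shared))
    previous = {src: None}
    queue = [src]
    for node in queue:          # breadth-first; the list grows as we walk it
        if node == dst:
            break
        for nxt, shared in adjacent[node]:
            if nxt not in previous:
                previous[nxt] = (node, shared)
                queue.append(nxt)
    if dst not in previous:
        return []
    chain, node = [], dst
    while previous[node] is not None:
        parent_node, shared = previous[node]
        chain.append((parent_node, node, shared))
        node = parent_node
    return chain[::-1]


if __name__ == "__main__":
    clusters, evidence = cluster_by_shared_indicators(SAMPLES)
    for group in clusters:
        print("campaign cluster:", ", ".join(sorted(group)))
    for a, b, shared in link_chain(evidence, "stuxnet", "gauss"):
        print(f"  {a} -> {b} via {shared}")
```

With the constructed inventory, the four named families and the three unknown samples collapse into one cluster while the unrelated bot stays alone; requiring two shared indicators instead of one leaves only the Stuxnet/Duqu pair linked, which is the kind of threshold an analyst tunes when a single shared C2 host could just as easily be shared hosting.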

Schouwenberg expects state-supported malicious software -- no matter the government sponsor -- will advance not only by diversifying but also by corrupting computer hardware so that victims must replace entire machines to eliminate the infection.

"A nightmare scenario is that you will need to replace your computer to get rid of the threat" on future generations of cyber weapons, he said.

(Image via Pavel Ignatov/
