The presumed government sponsors behind a string of targeted attacks, mostly on computers in the Middle East, are likely changing their techniques to hide the trademarks that have revealed their work to be a unified campaign, according to computer security researchers. The public's ability to attribute cyber strikes to a single, organized entity undermines the covertness of those operations.
During the past year, antivirus analysts have connected Stuxnet, a cyber sabotage tool allegedly built by Israel and the United States to damage centrifuges in Iran's nuclear program, with other malicious software also thought to be state-sponsored. Unlike Stuxnet, the others are designed to collect intelligence from target computers without necessarily disrupting operations. After Stuxnet was first identified in 2010, Russia-based Kaspersky Lab, U.S. company Symantec and other international research groups discovered the related malware.
Although Stuxnet and the related espionage tools are technically sophisticated, whoever built them reused the same stealth tactics too many times, the analysts have found.
"These common links have allowed us to tie things together, and I don't think these nation-states will make the same mistakes going forward," Roel Schouwenberg, a Kaspersky senior antivirus researcher, told U.S. Chamber of Commerce members at a summit Thursday.
Researchers were able to match Stuxnet with an intelligence-gathering worm called Duqu, uncovered in fall 2011, partly because the two used the same code-injection techniques and passed themselves off as legitimate software by signing their drivers with stolen, valid code-signing certificates. "If you want an analogy, Duqu and Stuxnet are like Windows and Office. Both are from Microsoft, although different people might have worked on them," stated one Kaspersky assessment.
When Kaspersky researchers later unearthed a much larger cyberespionage tool called Flame, they traced it to the group behind Duqu, and therefore also to Stuxnet, after recognizing that the two used the same tool to erase certain data, among other similarities.
This summer, analyses mapped the underpinnings of Gauss, the first known government-sponsored malware to steal online banking credentials, to the hallmarks of Flame.
Analysis in June "resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to [command-and-control] servers, as well as numerous other similarities to Flame," Kaspersky researchers explained. The parallels "make us believe Gauss was created by the same ‘factory’ which produced Flame. This indicates it is most likely a nation-state–sponsored operation."
Most recently, researchers linked Flame with a suite of three as-yet-unidentified viruses -- all four of which were handled by the same command-and-control server.
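The linking method the preceding paragraphs describe (the same stolen signing certificate, a shared command-and-control server, a reused injection or wiping routine, overlapping module sets) can be sketched as a small clustering routine. This is an added example, not code from Kaspersky, Symantec or any of the researchers cited; the sample inventory, artifact names, weights and threshold are all constructed for illustration and are not real indicators from Stuxnet, Duqu, Flame or Gauss. The one design point it makes is that artifacts an attacker cannot easily share by accident (a stolen certificate, a C2 host) link two samples on their own, while copyable techniques (an injection method, a wiper, a common loader module) only link samples once several of them coincide.

```python
"""Attribution by shared artifacts: cluster samples that reuse hard-to-change indicators."""
from itertools import combinations

# Constructed inventory of hypothetical samples. Every value below is made up
# for illustration; none is a real indicator from any named malware family.
SAMPLES = {
    "sabotage-1": {
        "signing_cert": "CERT-AAA",
        "c2": {"c2-one.example", "c2-two.example"},
        "injection": "apc-thread-inject",
        "wiper": "wipe-v1",
        "modules": {"loader", "ics-payload", "rootkit"},
    },
    "spy-1": {
        "signing_cert": "CERT-AAA",            # same stolen cert as sabotage-1
        "c2": {"c2-three.example"},
        "injection": "apc-thread-inject",
        "wiper": "wipe-v1",
        "modules": {"loader", "keylogger", "rootkit"},
    },
    "spy-2": {
        "signing_cert": "CERT-BBB",
        "c2": {"c2-four.example"},
        "injection": "apc-thread-inject",      # weak overlap with spy-1 ...
        "wiper": "wipe-v1",                    # ... plus the same wiper tool
        "modules": {"loader", "recorder", "lua-runtime", "sqlite-store"},
    },
    "bank-1": {
        "signing_cert": None,
        "c2": {"c2-four.example"},             # shares a C2 host with spy-2
        "injection": "section-map-inject",
        "wiper": "wipe-v2",
        "modules": {"loader", "browser-hook", "sqlite-store", "lua-runtime"},
    },
    "unrelated-1": {
        "signing_cert": None,
        "c2": {"c2-five.example"},
        "injection": "apc-thread-inject",      # a single copyable technique
        "wiper": None,
        "modules": {"loader", "miner"},
    },
}


def overlap(a, b):
    """Compare two sample records.

    Returns (strong_reasons, weak_score, weak_reasons). Strong reasons are
    artifacts that are hard to share by coincidence; weak reasons are
    techniques that could be copied from public code or another toolkit and
    are only scored in aggregate.
    """
    strong = []
    if a["signing_cert"] and a["signing_cert"] == b["signing_cert"]:
        strong.append(f"same signing cert {a['signing_cert']}")
    shared_c2 = a["c2"] & b["c2"]
    if shared_c2:
        strong.append(f"shared C2 {sorted(shared_c2)}")

    weak, score = [], 0.0
    if a["injection"] == b["injection"]:
        score += 0.3
        weak.append("same injection technique")
    if a["wiper"] and a["wiper"] == b["wiper"]:
        score += 0.4
        weak.append(f"same wiper tool {a['wiper']}")
    union = a["modules"] | b["modules"]
    jaccard = len(a["modules"] & b["modules"]) / len(union) if union else 0.0
    if jaccard >= 0.5:  # a shared "loader" alone never reaches this
        score += 0.5
        weak.append(f"module overlap {jaccard:.2f}")
    return strong, score, weak


def build_links(samples, weak_threshold=0.6):
    """Return (a, b, reasons) for every pair linked by a strong artifact or
    by enough accumulated weak evidence."""
    links = []
    for a, b in combinations(sorted(samples), 2):
        strong, score, weak = overlap(samples[a], samples[b])
        if strong or score >= weak_threshold:
            links.append((a, b, strong + weak))
    return links


def cluster(samples, weak_threshold=0.6):
    """Union-find over the links; returns sorted lists of sample names."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _ in build_links(samples, weak_threshold):
        parent[find(a)] = find(b)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    for a, b, reasons in build_links(SAMPLES):
        print(f"{a} <-> {b}: {'; '.join(reasons)}")
    print(cluster(SAMPLES))
```

With the constructed data the four "campaign" samples fall into one cluster and the sample that shares only an injection technique stays alone. Raising the weak-evidence threshold splits the cluster at the Duqu-to-Flame-style link, which rests on reused code rather than on a certificate or server; that sensitivity is exactly why the researchers quoted here treat a single shared technique as suggestive and a stack of them, or one hard-to-copy artifact, as attribution. It also illustrates Schouwenberg's point: an operator who stops reusing certificates, servers and tooling leaves nothing for this kind of linking to work on.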
Schouwenberg expects state-sponsored malicious software, whatever the government behind it, to advance not only by diversifying but also by embedding itself in computer hardware, so that victims must replace entire machines to eliminate an infection.
"A nightmare scenario is that you will need to replace your computer to get rid of the threat" on future generations of cyber weapons, he said.