
Nation-state sponsors learn lesson of too-sophisticated cyber weapons


The presumed government sponsors behind a string of targeted attacks on mainly Middle Eastern computers are likely evolving their techniques to hide the hallmarks that have revealed their work to be a unified campaign, according to computer security researchers. The public's ability to attribute cyber strikes to a single, organized entity undermines otherwise covert operations.

During the past year, various antivirus analysts have connected Stuxnet, a cyber sabotage tool allegedly authored by Israel and the United States to disable Iran's nuclear program, with other malicious software also thought to be state-sponsored. Unlike Stuxnet, the others are designed to scavenge intelligence from adversary computers without necessarily disrupting operations. After Stuxnet was first discovered in 2010, Russia-based Kaspersky Lab, U.S. company Symantec and other international research groups came across these related tools.

Although Stuxnet and its related espionage weapons are sophisticated in performance, whoever constructed them used similar stealth tactics too many times, the analysts have found.

"These common links have allowed us to tie things together, and I don't think these nation-states will make the same mistakes going forward," Roel Schouwenberg, a Kaspersky senior antivirus researcher, told U.S. Chamber of Commerce members at a summit Thursday.

Researchers were able to match up Stuxnet with an intelligence-gathering worm called Duqu, uncovered during fall 2011, partly because the two used the same code-injection techniques and both passed as legitimate software by carrying stolen, valid code-signing certificates. "If you want an analogy, Duqu and Stuxnet are like Windows and Office. Both are from Microsoft, although different people might have worked on them," stated one Kaspersky assessment.

When Kaspersky researchers later unearthed a supersized cyberspy tool called Flame, they traced its origins to the group that orchestrated Duqu, and therefore also to Stuxnet, by recognizing that both pieces of malware shared the same routine for securely erasing certain data, among other similarities.

This summer, studies mapped the underpinnings of Gauss, the first apparently state-sponsored malware known to steal online banking credentials, to the hallmarks of Flame.

Analysis in June "resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to [command-and-control] servers, as well as numerous other similarities to Flame," Kaspersky researchers explained. The parallels "make us believe Gauss was created by the same ‘factory’ which produced Flame. This indicates it is most likely a nation-state–sponsored operation."

Most recently, researchers linked Flame with a suite of three as-yet-unidentified malware families: all four were handled by the same command-and-control server.
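The linking described above (Stuxnet to Duqu through shared injection code and stolen certificates, Duqu to Flame through a shared wiping routine, Flame to three other families through one command-and-control server) is artifact pivoting: samples that share a distinctive indicator are placed in the same cluster. The script below is an added example, not Kaspersky's tooling or anything from the article; the sample names, certificate thumbprints, module names and TEST-NET C2 addresses are constructed placeholders, not real indicators from any of the named malware. It also shows the caveat an analyst would want: generic techniques such as plain remote-thread injection are too common to support attribution, so they are excluded from the pivot unless explicitly allowed.

```python
"""Cluster malware samples by shared artifacts (indicator pivoting).

Added example; not Kaspersky's code. All samples and indicators below are
constructed placeholders (TEST-NET addresses, made-up thumbprints), not
real Stuxnet/Duqu/Flame/Gauss indicators.
"""
from collections import defaultdict
from itertools import combinations

# Constructed data: sample -> set of "kind:value" artifacts seen in analysis.
SAMPLES = {
    "sample_a": {"signer:cert-thumb-1111", "inject:apc-into-lsass",
                 "c2:203.0.113.10"},
    "sample_b": {"signer:cert-thumb-1111", "inject:apc-into-lsass",
                 "wipe:secure-wiper-v1", "c2:198.51.100.7"},
    "sample_c": {"wipe:secure-wiper-v1", "c2:198.51.100.7",
                 "module:sqlite-loader"},
    "sample_d": {"c2:198.51.100.7", "module:sqlite-loader",
                 "inject:remote-thread"},
    "sample_e": {"c2:192.0.2.44", "inject:remote-thread"},
}

# Artifacts too generic to count as evidence of common authorship.
WEAK = {"inject:remote-thread"}


def build_index(samples):
    """Invert sample->artifacts into artifact->samples so we can pivot."""
    index = defaultdict(set)
    for name, artifacts in samples.items():
        for art in artifacts:
            index[art].add(name)
    return index


def pivot(samples, artifact):
    """Every sample exhibiting one artifact, e.g. all samples using one C2."""
    return set(build_index(samples).get(artifact, set()))


def shared_artifacts(samples, a, b, ignore=WEAK):
    """Strong (non-generic) artifacts common to samples a and b."""
    return (samples[a] & samples[b]) - ignore


def link_graph(samples, min_shared=1, ignore=WEAK):
    """Undirected graph: edge when two samples share >= min_shared strong artifacts."""
    graph = {name: set() for name in samples}
    for a, b in combinations(samples, 2):
        if len(shared_artifacts(samples, a, b, ignore)) >= min_shared:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def clusters(samples, min_shared=1, ignore=WEAK):
    """Connected components of the link graph: each is a putative 'factory'.

    Returns a sorted list of sorted tuples so results are deterministic.
    """
    graph = link_graph(samples, min_shared, ignore)
    seen, result = set(), []
    for start in graph:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(graph[node] - seen)
        result.append(tuple(sorted(component)))
    return sorted(result)


def explain_links(samples, min_shared=1, ignore=WEAK):
    """Map each linked pair to the artifacts justifying the link, for review."""
    evidence = {}
    for a, b in combinations(sorted(samples), 2):
        shared = shared_artifacts(samples, a, b, ignore)
        if len(shared) >= min_shared:
            evidence[(a, b)] = sorted(shared)
    return evidence


if __name__ == "__main__":
    print("samples on C2 198.51.100.7:", sorted(pivot(SAMPLES, "c2:198.51.100.7")))
    print("clusters (generic artifacts ignored):", clusters(SAMPLES))
    print("clusters (generic artifacts counted):", clusters(SAMPLES, ignore=set()))
    for pair, why in explain_links(SAMPLES).items():
        print(pair, "->", why)
```

With the constructed data, samples a through d chain together through the shared certificate, wiper and C2 server while sample_e stays isolated; counting the generic injection technique as evidence would wrongly pull sample_e into the same cluster, and raising `min_shared` to 3 breaks every link, which is the kind of threshold choice an analyst has to defend when claiming a common "factory".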

Schouwenberg expects state-supported malicious software, whatever the government sponsor, to advance not only by diversifying its tooling but also by embedding itself in computer firmware or other hardware components, so that victims must replace entire machines to eliminate the infection.

"A nightmare scenario is that you will need to replace your computer to get rid of the threat" on future generations of cyber weapons, he said.

(Image via Pavel Ignatov/
