Entries in Stuxnet (7)


Stuxnet-Linked Cyber Weapon Hits Lebanon

(WASHINGTON) -- A new cyber weapon believed to be linked by code to the infamous Stuxnet worm has been discovered stealing banking information in Lebanon, according to Moscow-based cyber security firm Kaspersky Labs.

The new malware, dubbed Gauss for an in-code reference to a German mathematician, is designed to “steal and monitor data from clients of several Lebanese banks,” among other nefarious abilities. The code also includes some kind of “special warhead” that is so well encrypted that Kaspersky has been unable to identify it.

Of the more than 2,500 instances of Gauss infections in the Middle East, more than 1,600 of them were discovered in Lebanon and nearly 500 in Israel, Kaspersky said in a blog post.

Kaspersky researchers said they discovered Gauss while investigating Flame, a massive espionage program revealed in May that was able to record nearly everything done on an infected computer, including real-world conversations that took place near it.

Kaspersky researchers had previously linked specific portions of code in Flame to Stuxnet, believed to be the first-ever true cyberweapon to do actual physical damage to its target, an Iranian nuclear facility, and Duqu, a surveillance worm based on Stuxnet. Now the Russian researchers said they believe Gauss to be related to those three as well.

“After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories,’” the blog post said.

Kaspersky and several other cyber security firms said that Stuxnet and its kin are so sophisticated and required such a commitment of time and expertise that a nation-state was most likely behind their creation. A 2010 Congressional report on Stuxnet put the U.S. and Israel at the top of a short list of probable suspects, and the New York Times reported Stuxnet was developed by the two countries as part of a wave of cyber attacks aimed at Iran.

Peter Boogaard, a spokesperson for the U.S. Department of Homeland Security, said the agency is “coordinating with our federal and private sector partners to analyze” Gauss and is “working with organizations that could potentially be affected.”

Kaspersky said that while a vast majority of the infections they’ve detected were centered in Lebanon, there were a few instances of Gauss detected on computer systems in the U.S. and the total number of infections is still unknown.

Copyright 2012 ABC News Radio


Government's Swift Response to Cyberweapon Stuxnet

(WASHINGTON) -- An Iranian nuclear facility may have taken the brunt of the cyber superweapon Stuxnet believed to be built in part by the U.S., but the American government was concerned enough with its spread to a facility back home that a fast response team was deployed to deal with an infection, according to a new report from the Department of Homeland Security.

The report, released Thursday by the DHS’s Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT), gives scant details on the incident, except to say that after Stuxnet was discovered on thousands of computer systems around the world in 2010, a DHS team “conducted an onsite incident response deployment to a manufacturing facility infected with the Stuxnet malware and helped the organization identify all infected systems and eradicate the malware from their control system network.”

The worm was found on “all their engineering workstations as well as several other machines connected to the manufacturing control systems network,” the report said.

The DHS declined to identify the facility, but whatever it was, it was unlikely to have been in real danger from Stuxnet, as the malware was designed to be an extremely precise weapon that only targeted a specific system related to Iran’s nuclear enrichment and harmlessly floated through other computer networks, according to researchers who have dissected the worm. A spokesperson for the DHS told ABC News that the worm “did not impact control processes or operations of the manufacturing company.”

But a cyber expert with Russia-based Kaspersky Labs, which analyzed Stuxnet, said that just the presence of the worm on U.S. industrial systems meant things could have gone “very wrong.”

“This very clearly shows the inherent danger of cyber weapons, especially when they function autonomously,” Kaspersky Labs senior researcher Roel Schouwenberg told ABC News.

When it was discovered in 2010, Stuxnet was considered the most sophisticated cyber weapon in history, capable of physically altering or damaging critical industrial control systems -- the same systems that are used in everything from water treatment plants to the electrical grid and nuclear facilities all over the world.

Cyber experts, as well as a Congressional report published in late 2010, said that Stuxnet was most likely developed by a nation-state and put the U.S. and Israel at the top of a short list of nations capable of such a feat. The New York Times reported earlier this year that Stuxnet had been one tool developed in a joint U.S.-Israeli cyber war waged on Iran.

After Stuxnet two other highly sophisticated cyber espionage weapons, Duqu and Flame, were discovered on computer networks in Iran and the Middle East and were found to share code with Stuxnet -- leading researchers to believe all three were developed by teams that at least had access to each other’s original work.

The report also revealed that between 2009 and 2011, U.S. CERT experienced a dramatic increase in reported incidents of possible cyber attacks on critical infrastructure facilities -- from just nine in 2009 to 198 in 2011.

There were 248 total incidents but only 17 were serious enough to prompt the DHS to send fast response teams to the facilities to deal with the problem hands-on.

For each year, the energy and water sectors combined reported a majority of incidents, but DHS said that sophisticated “spear-phishing attacks” had targeted unsuspecting workers in the nuclear, government and chemical sectors as well.

“ICS-CERT and the [industrial control system] community have worked together successfully to identify and mitigate malicious cyber activity in critical infrastructure assets, but much remains to be done,” the report says. “Sophisticated and targeted cyber intrusions against [industrial control systems] across multiple critical infrastructure sectors continue to increase.”

Copyright 2012 ABC News Radio


'Proof' Links Flame, Stuxnet Super Cyber Weapons: Researchers

(WASHINGTON) -- Researchers say they have uncovered "proof" linking the authors of the Flame cyber espionage program to Stuxnet, the most powerful offensive cyber weapon ever developed -- both of which are believed to have targeted Iran.

Analysts at the Russia-based cyber security firm Kaspersky Labs, which was the first to uncover Flame and had previously analyzed Stuxnet, wrote in a blog post today that they had found the "missing link" between Flame and Stuxnet: a specific piece of code that appears to have been used in both programs.

Flame, a highly advanced "toolkit" of cyber espionage programs capable of watching virtually everything on an infected computer, was discovered last month on computers in the Middle East and Iran and had apparently been spying on those systems for years. Stuxnet, an offensive cyber weapon designed to physically alter its intended target, was discovered in 2010 after it reportedly infiltrated and managed to damage an Iranian nuclear enrichment facility -- an unprecedented feat.

In both cases, cyber security experts that analyzed the programs' code determined that due to similarities in cost, time requirement and apparent target, it was likely they had each been developed under the direction of a nation-state, leading to speculation the U.S. or Israel may be involved. However, the same experts quickly noted that Flame's code architecture was vastly different from Stuxnet's and determined that while both could have come from the same nation-state, they were not likely written together.

But now Kaspersky Labs says the two cyber tools appear to have been developed in tandem and a section of code directly from Flame was used in an early 2009 version of Stuxnet, meaning that the two development teams overlapped in their work at least for a little while, even if they appear to have gone their separate ways in 2010 when newer versions of the programs appeared.

"We believed that the two teams only had access to some common resources, [but] that didn't show any true collaboration," Kaspersky Labs senior researcher Roel Schouwenberg told ABC News. "However, now it turns out that the Stuxnet team initially used Flame to kickstart the project. That proves collaboration and takes the connection between the two teams to a whole new level."

After Stuxnet's discovery, a Congressional report in December 2010 put the U.S. and Israel on a short list of countries believed to be capable of carrying out that attack -- a list that also included Russia, China, the U.K. and France. A month later, The New York Times reported Stuxnet may have been the result of a joint U.S., Israeli project to undermine Iran's nuclear program.

Five different U.S. government agencies declined to comment to ABC News about allegations they were involved in Flame and the Israeli government has reportedly denied any link to the virus.

News of the new connection between the two programs came just days after a U.S.-based cyber security firm, Symantec, reported Flame appears to have been given a "suicide" command that would wipe any trace of it from an infected computer.

Copyright 2012 ABC News Radio


Israel Behind Largest Cyber Spy Weapon Ever?

(WASHINGTON) -- A top Israeli official hinted Tuesday that his country could be behind the most sophisticated cyber espionage program ever developed, known as Flame, which infiltrated and spied on computer systems throughout the Middle East, including those in Iran, for the past two years.

"Whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them," Israel's vice prime minister Moshe Yaalon told Israel's Army Radio on Tuesday, referring to the cyber attack. "Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us."

Flame, also known as sKyWIper, is a veritable "toolkit" of cyber spying programs that is capable of remotely taking screenshots while the computer user works, recording audio conversations through the computer's own microphone, intercepting keyboard inputs and wiping data, among other sophisticated capabilities, according to cyber security experts. The code has been active for two years and has infected dozens of computers throughout the Middle East, mostly in Iran.

Three cyber security firms, both in the U.S. and abroad, that have begun to analyze Flame said the code is unprecedented in complexity and, due to its sheer sophistication, was most likely developed by a hacking team working under the direction of a nation-state.

"We can't pinpoint who is actually behind it, but we can narrow the list of potential actors," Vikram Thakur, a manager at Symantec, told ABC News Monday. "It's a project that's been out for years, and flown under the radar. It is extremely well funded."

One of the cyber security companies that has analyzed Flame, the Russia-based Kaspersky Labs, said that the malware was discovered only after sensitive information began suddenly disappearing from computer networks in the Middle East. The wiping program turned out to be just one arm of Flame.

Iran's government cyber security response team acknowledged the breach in an online posting Monday, which described the malware's capabilities and said that its methods and functionality made Iranian experts believe it had a "close relation" to Stuxnet, another highly sophisticated cyber weapon discovered in 2010 that appeared to target and damage an Iranian nuclear enrichment facility. Israel was suspected of being behind that attack and the Israeli government has repeatedly declined to comment on those allegations.

Analysis from Kaspersky and the Hungary-based cryptology lab Crysys shows that the code used in Flame is so much bigger and so different from that used in Stuxnet that it is unlikely the two were developed by the same group of hackers, but their reports did not discount the possibility that the same nation could have funded and directed both attacks, considering the common target.

So far, researchers in the U.S. and abroad have said Flame appears to only be used for spying purposes, rather than being used to cause physical damage to systems, like Stuxnet. Still, Kaspersky Labs said in a blog post, "such highly flexible malware can be used to deploy specific attack modules" that could target a country's critical infrastructure and there could also be variations of the code that have yet to be discovered.

Further analysis of the complex Flame code by several cyber security firms is ongoing.

Copyright 2012 ABC News Radio


Son of Stuxnet? Researchers Warn of Impending Cyber Attack

(MOUNTAIN VIEW, Calif.) -- A new computer virus using "nearly identical" parts of the cyber superweapon Stuxnet has been detected on computer systems in Europe and is believed to be a precursor to a new Stuxnet-like attack, a major U.S.-based cyber security company said Tuesday.

Stuxnet was a highly sophisticated computer worm that was discovered last year and was thought to have successfully targeted and disrupted systems at a nuclear enrichment plant in Iran. At the time, U.S. officials said the worm's unprecedented complexity and potential ability to physically sabotage industrial control systems -- which run everything from water plants to the power grid in the U.S. and in many countries around the world -- marked a new era in cyber warfare.

Though no group claimed responsibility for the Stuxnet worm, several cyber security experts have said it is likely a nation-state created it and that the U.S. and Israel were on a short list of possible culprits.

Whoever it was, the same group may be at it again, researchers said, as the authors of the new virus apparently had access to original Stuxnet code that was never made public.

The new threat, dubbed "Duqu" and discovered by a Europe-based research lab, is not designed to physically affect industrial systems like Stuxnet was, but apparently is only used to gather information on potential targets that could be helpful in a future cyber attack, cyber security giant Symantec said in a report Tuesday.

"Duqu shares a great deal of code with Stuxnet; however, the payload is completely different," Symantec said in a blog post.

Duqu is designed to record key strokes and gather other system information at companies in the industrial control system field and then send that information back to whomever planted the bug, Symantec said.

If successful, the information gleaned from those companies through Duqu could be used in a future attack on any industrial control system in the world where the companies' products are used -- from a power plant in Europe to an oil rig in the Gulf of Mexico.

"Right now it's in the reconnaissance stage, you could say," Symantec senior director for Security Technology and Response, Gerry Egan, told ABC News. "[But] there's a clear indication an attack is being planned."

Duqu is also not designed to spread on its own, so researchers believe its targets were the computer systems it had already infiltrated, Egan said.

The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team issued an alert Tuesday to "critical infrastructure owners and operators" on Duqu, urging them to take steps to secure their systems.

"The extent of the threat posed by [Duqu] is currently being evaluated," the alert says.

Another cyber security company, F-Secure Security Labs, also examined Duqu and said on its website that parts of its code were so similar to Stuxnet that its virus-detection system believed it was dealing with the same virus over again.

A representative for Symantec said they were made aware of the new threat after the unnamed European research lab forwarded them a sample of the code along with their analysis comparing it with Stuxnet, which Symantec then confirmed. McAfee Labs, another cyber security power player, said they too had been given a sample of the Duqu code for analysis.

"One thing for sure is the Stuxnet team is still active..." McAfee said on its website.

Copyright 2011 ABC News Radio


Russian Cyber Security Mogul's Son Kidnapped: Report

(MOSCOW) -- The son of the founder of one of the world's largest cyber security firms, Russia's Kaspersky Lab, has been kidnapped, according to a Russian news report.

The original report, published by the Russian language website Life News, said the 20-year-old Moscow University student and son of multi-millionaire software developer Evgeny Kaspersky was abducted Tuesday and kidnappers were demanding 3 million Euros for his release.

In a statement on the company website, Kaspersky Lab did not deny reports of Ivan Kaspersky's kidnapping, but asked the media not to speculate on the case.

"Eugene [Evgeny] Kaspersky continues his day-to-day work at the company, and has stated that the unconfirmed information being spread at the moment is harmful for the company," the statement said.

Life News later reported the son had been released after the ransom was paid, but a spokesperson for Kaspersky Labs echoed their previous statement to ABC News, referring to that information as another unconfirmed report.

Representatives for the Moscow police were not immediately available for comment, but a spokesperson for Russia's Interior Ministry told Russia's state news organization RIA Novosti that the ministry and Moscow police were "checking information" about the reported kidnapping.

An employee for Moscow University told Russia's Pravda news publication that investigators had already been to the school asking about the young Kaspersky, "but we do not know anything."

Last year Evgeny Kaspersky was awarded "CEO of the Year" by England's SC Magazine. The company operates in 100 countries for more than 300 million customers, according to the Kaspersky Lab website.

Kaspersky Lab was among several major cyber security companies to analyze Stuxnet, the revolutionary computer worm that allegedly attacked an Iranian nuclear facility in 2010. They heralded the worm as "a working -- and fearsome -- prototype of a cyber-weapon, that will lead to the creation of a new arms race in the world."

Copyright 2011 ABC News Radio


Report: Worm Used Against Iran's Nuclear Program Tested In Israel

(JERUSALEM) -- The computer virus that reportedly wiped out one-fifth of Iran's nuclear centrifuges was tested in Israel, according to a report in The New York Times.

Covert testing of the bug known as the Stuxnet worm took place at Israel's alleged nuclear weapons facility in Dimona, the Times reported, and was a joint project with the United States. Unnamed American sources say Israel built centrifuges nearly identical to those at Iran's Natanz nuclear facility and then tested the virus to make sure they malfunctioned.

Israeli officials are refusing to comment on the report.

Iran's nuclear centrifuges have been plagued with breakdowns over the last few years. Iranian President Mahmoud Ahmadinejad recently blamed malicious software for the problems. Sources told the Times that the Stuxnet worm appears to have been the biggest factor in setting back the country's nuclear program.

The worm -- which causes the nuclear centrifuges to spin wildly out of control -- is considered the most sophisticated cyber-weapon ever deployed.

Copyright 2011 ABC News Radio