Information Unleashed

Beyond Stuxnet and Duqu: Security Implications to Our Infrastructure

Created: 26 Oct 2011 • Updated: 29 Mar 2012
Michael Parker

“The son of Stuxnet.”

That is what the news is calling Duqu [dyü-kyü], which Symantec released information about last week.

It would make a great movie, if the ramifications weren’t so serious. Going beyond Stuxnet and Duqu, we see the increased opportunity for threats from the cyber world to impact our physical one – moving from espionage to sabotage. These types of attacks are very focused, whether on specific pieces of equipment called controllers, in the case of Stuxnet, or on critical information from suppliers to industrial facilities, in the case of Duqu.

The ability to compromise industrial facilities, or the devices within them, presents real concerns and dangers where our livelihood and prosperity may sit in the balance, as the recent flurry of headlines about the possibility of predator drones being hacked showed us. While we hope we never have to face such a security issue, hope is not a strategy where such critical systems reside.

Therefore, the advent of Duqu brings three key implications to mind.

1. These Attacks Aren’t Going Away
It is barely 15 months since Stuxnet was first discovered, and we find ourselves discussing yet another such threat. In fact, it appears that Duqu may have been written by the same authors, or by those who have access to the Stuxnet source code. And once again, a stolen private key was used to sign the malware; that certificate has since been revoked. In general, attacks are getting more targeted and more toxic.

2. These Attacks Are Getting Smarter
While Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT), it does appear to be smarter in a few ways. First, it is not self-replicating. It is more targeted, as if attempting to keep a lower profile. Second, Duqu tracked how many days it had been on each machine, staying for only 36 days; then it would delete itself. How it got onto those machines remains in question. It seems the creators of Duqu learned from Stuxnet, hiding its tracks on entry and deleting itself sooner. And third, Symantec has already found multiple additional variants of Duqu since Symantec published its findings (PDF). In fact, Duqu is an active threat that Symantec continues to track.

3. Security Is Everyone’s Responsibility
With the explosion of devices, systems, users, and access, the Chief Information Security Officer (CISO) cannot deliver security for organizations alone. From a controller for a critical piece of infrastructure, to data shared on smart phones, to the new intelligence systems running in our next generation vehicles, security has become everyone’s responsibility and has to be considered at every juncture. From the manufacturing floor, to the website, to the data center, security must be a priority across an organization. Implementing a host lock-down policy is a critical step for hardening against malware infiltration. But that is only one step in a connected world that shows no signs of slowing down.

Duqu brings a renewed spotlight to that very discussion. It’s a healthy one to have now, rather than after experiencing direct ramifications from such a threat.

For more information on Duqu, its implications, and how to protect yourself, please see these additional resources:

Webcast – Review of Duqu and how to protect against it

Blog Posting – Symantec Security Response Overview on Duqu

Analysis Paper – Symantec’s Dossier on Duqu (PDF)