Duqu: Updated Targeting Information
I wrote Symantec's original blog post describing the discovery of Duqu. In that blog I use the term "industrial control system manufacturers" and (after discussions with a variety of parties) we want to change that term to "industrial industry manufacturers" to more accurately define where Duqu has been found. We already made this change to our paper.
Finding the correct term can sometimes be a challenge. When we first wrote about Stuxnet, we originally used the term SCADA (supervisory control and data acquisition) and quickly discovered the proper term was "industrial control systems". In the computer security industry, we actually have specific definitions of viruses, worms, and trojans, while the general public often refer to any malware as just a virus. (In an unrelated coincidence we mismarked Duqu as a worm rather than a trojan, which is being corrected; no self-replication routine has been discovered so far.)
However, this change in language to "industrial industry manufacturers" does not change the threat to organizations we believe are at risk. We still have a number of variants of Duqu we have discovered where we do not know the target.
Considering the history of Stuxnet, the potential of the same attackers, and currently known targets, we urge industrial control system manufacturers and any other organizations who provide solutions to industrial facilities to audit their network for Duqu. The command and control IP is a reliable network indicator of Duqu infection for all the variants discovered so far.
In addition, industrial industry targets have not been the sole targets. We have also identified one or more targets outside the industrial industry who provide assets that would aid a future attack.
We will continue to provide updates as we uncover more information.