Analysis of the Stuxnet Cyber Weapon Family and Dragonfly

Pierluigi Paganini August 04, 2014

Cyber weapons like Stuxnet will only grow in prevalence, use and sophistication and it is therefore in the interest of national security to develop advanced mitigation techniques and capabilities.

The progenitor of Duqu, Flame and Gauss are reported as the authors of STUXNET. As illustrated, the trend of advancements between these four cyber weapons suggests a push for more sophisticated cyber weapons in conjunction with advanced defensive capabilities to mitigate use of cyber weapons against the US and her allies. The DRAGONFLY campaign targeted Industrial Control Systems in active espionage and intelligence gathering and the attribution of this campaign to Russia raises the question of whether or not the world is actively engaged in the next phase of cyber weapons development.

The analysis of the results shows a pattern in sophistication along a degenerative trend within the STUXNET family of cyber weapons. The cyber weapons STUXNET, Duqu, Flame and Gauss reveal a trend of decreasing sophistication in tactics and development while maintaining the sophistication in deployment and propagation, though Flame is anomalous in that it shows a relative increase in sophistication of development. The analytical methodology used is based upon cursory knowledge of the omnibus technology given the lack of definitive knowledge available in terms of source code, true goals behind the deployment, and confirmed reports of effects such as at the Iranian nuclear facility targeted by STUXNET.

Stuxnet family

The term ‘cyber weapon’ (CW) is arguably difficult to define (Carr, 2012), yet definitions must be put into place at the onset of any discussion of technology considered ‘omnibus,’ or cyber technology with a multi-faceted ‘payload.’ For purposes of analysis the term omnibus will refer to cyber weapons. That is to say that a malicious software (malware) may be referred to as omnibus when containing sophisticated methodology in development and deployment as well as delivering multiple, advanced payloads (termed ‘warheads by Israel National News (Sheva, 2010)). To further refine the definition, the reference of weapon should be treated similarly to any other weapon in the other four domains of warfare (land, sea, air and space) though the fifth domain of warfare, cyber, naturally has its own unique dimensions.

The legalities and ethics of cyber war are also important in terms of the determination of CW status, that is the weapon may or may not comply with the few international standards in place in regards to cyber war. The NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) used the Russia/Georgia war as the case study for its, “Cyber Attacks Against Georgia: Legal Lessons Defined” paper (Carr, 2011). Two issues in law arose from this CCDCOE case study, “justice to war” and “justice in war.” (Carr, 2011)

The pertinence of “justice to war” is critical in classifying the malware as CW or not. While it could be argued that “justice in war” regulates methods of the deployment of CW in cyber-attacks (CW’s may be used in a supportive role for ground forces or in tandem with engagement as a separate attack vector), this may allow a broader use of CW status to any malware used in an active war. For the purposes of this analysis the focus will be on the use of CW’s when no war has been declared.

STUXNET is the first recorded instance of malware worthy of CW status. Kelley attributes STUXNET to the US and Israel (Kelley, 2013) and states that the attack on the Iranian reactor was far more important than previously thought. This supports the thesis that the ramifications of deploying CW’s, regardless of who created and/or deployed them results in an outcome far beyond what any can fathom. This aspect of deploying CW’s is analogous to any malware or software, i.e. Knowing the what, who and how it effects targets.

Gauss is similar to STUXNET, relying on similar lines of the source code of STUXNET (Ferran, 2012). Gauss is the latest of the four CW’s being analyzed, with Flame and DUQU preceding Gauss. The largest similarity between each of these is not only the states attributed for the creation and deployment of them (US and Israel) but also the researchers who discovered and conducted the attribution (Kaspersky Labs).

The DRAGONFLY campaign is attributed to Russia, and may have used similar engineering to the STUXNET family of CW’s. Confusion exists on how to classify STUXNET and the CW family that resulted (DUQU, Flame and Gauss, in that order), but some say STUXNET was a worm (Sheva, 2010), DUQU was a surveillance capable worm (Fox News, 2011), Flame is thought to be a Trojan-worm (Prince, 2012) and Gauss may contain this worm aspect in the method of propagation.

Kaspersky teams had linked Flame to STUXNET and Duqu, and it was during their analysis of Flame that they discovered Gauss (Ferran, 2012). Gauss was capable of live-feed espionage, recording live conversations that took place near an infected computer (Ferran, 2012). Each CW in this family had an espionage component. It is likely that one of the two warheads found in STUXNET, specifically one reported as capable of effecting water, gas, and electric systems (Sheva, 2010) increases the risk of a counter strike against the US and Israel targeting these types of Industrial Control Systems (ICS’s), regardless of accuracy in attribution. DRAGONFLY maybe this counter strike against ICS given reports of attribution of STUXNET and the family of CW’s that followed:

Matrices

Calculations

Results

I have contacted Ian for a few questions that I share with you:

Q:  What is the main takeaway from your research?

A:  Based on the analysis of the STUXNET cyber weapon family, which is known to include Duqu, Flame and Gauss, there is a trend of degeneration in the dimensions I’ve isolated.  This doesn’t mean that they aren’t cyber weapons, or that they weren’t effective in doing what they set out to do, but that as the family grew (so to speak) the legality of deployment declined while the ethics remained in a grey zone.  According to my analysis the overall sophistication shows Stuxnet as the most sophisticated with Flame secondary to sophistication.  This results from the signatures that were gleaned from Stuxnet and applied to Flame.

Q: What in your results surprised you the most?

A: From what I’ve found Stuxnet is more closely related to Duqu while Gauss and Flame are more closely related to each other. To me this suggests that the authors realized signatures were being created from Stuxnet so they worked to modify the source code even more.

Q:  Who do you attribute to these weapons?

A:  Honestly I don’t know.  I realize that the US and Israel are the usual suspects given the targeting of the Middle East and speculation on the use of one of these cyber weapons to target terrorist financing, but I choose not to speculate.  If I’ve learned anything from my short time in the field it’s that attribution is the most difficult problem to tackle, especially when you base it on analysis of the source code and it involves a zero-day.

Q:  What happens next?  Where do we go from here?  Has the threat landscape changed in terms of APT’s?

A:  Right, so, the biggest step to take is also the most important and most difficult.  This is hardening the ICS and actively working to shift the defensive posture to a pro-active one.  I realize ‘proactive defense’ is a big buzzword, but ‘buzzword’ is a buzzword.  The fact is we need to push for automated defense research, with clear definitions of redundancy in operations to prevent what I called “exploding” which launches unauthorized attacks against outside systems and “imploding” which effectively shuts down the system it’s supposed to be protecting.  I definitely think the threat landscape has changed.  It seems like we are seeing more and more APT’s in terms of Iron Dome developers being hacked along with the Dragonfly campaign.  This has always been a dynamic environment, but as I’ve begun to see: the anomalies are being replaced with recognizable patterns.

[adrotate banner=”9″] [adrotate banner=”12″]

Ian Malloy

Security Affairs – (cyber weapon, Stuxnet)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment