There were reports this week about the discovery of a new "variant" of the Stuxnet worm that was discovered last year. According to news reports like this one at ABC News and one at the New York Times, the new threat - dubbed W32.Duqu by the security company Symantec - is nearly identical to Stuxnet but it apparently has a different purpose.
Instead of being used to attack an industrial control system, W32.Duqu seems to be designed to carry out surveillance to identify system vulnerabilities that can be attacked in the future. As described by Symantec in its security response note (PDF):
"Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."
In addition, Symantec reports that W32.Duqu is highly targeted toward specific organizations that possessed particular IT systems, and is designed to stay active for only 36 days and then remove itself.
Symantec also reports that W32.Duqu, which it rates as a very low risk, may have been active as early as December of last year, although it was discovered only recently.
The New York Times article says that W32.Duqu "... could not have been written without having access to the original [Stuxnet] programmer’s instructions" since the original Stuxnet code was never made public.
Vikram Thakur, principle security response manager at Symantec, is quoted in the Times as saying in regard to W32.Duqu:
"This is extremely sophisticated, this is cutting edge."
However, after reading an article published about a week ago in PC World, one cannot help wonder why the programmers behind Stuxnet and W32.Duqu needed to resort to any level of sophistication.
According to the PC World article, industrial control systems seem to be chock-full of IT security holes of varying degrees of operational consequence. In fact, the discovery of Stuxnet last year seems to have sparked major interest in the IT security community to find security holes in various manufacturers' industrial control systems, which the PC World article says, number possibly in the hundreds.
Given the general speculation that the creators of Stuxnet and W32.Duqu are a national security service - those of the US and Israel are frequently mentioned - a conspiracy theorist might think that one purpose of the worm is to highlight the poor-level of IT security in industrial control systems.
But I'm not a conspiracy theorist.
Photo: iStockphoto
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.
