Et Tu, DuQu?

If Symantec and F-Secure are correct and DuQu was written by the same people who created Stuxnet, then that means that the U.S. government is behind it. But Idaho National Lab, who some people think created the Stuxnet virus and which hosts ICS-CERT's Security Operations Center didn't have a copy of the malware. They had to ask Symantec and McAfee to share their sample. The key question to ask in this puzzle is who has access to the Stuxnet source code? This post claims that Anonymous released the Stuxnet source code back in February however according to Mikko Hyponnen's latest post on DuQu that's not correct. Binaries were released into the wild but not the source code. Ralph Langner, who has done some of the best work on Stuxnet to date, has also told me privately that the source code has never been released. At best, some work has been done in reverse-engineering it. Knowing Ralph's singular focus on Stuxnet, if the source code was in the wild, he'd be the first person to grab a copy.

So if you believe the party line (which I don't) that the U.S. with the help of Israel created Stuxnet, then the U.S. is also the creator of DuQu. If we stay with that chain of reasoning, then as we learn more about DuQu and its use, an entirely different conclusion may be reached which points to an actor other than the U.S. DuQu was apparently involved in stealing information from an ICS manufacturer. Why would the U.S. use the Stuxnet source code to create a RAT to steal information from Industrial Control System (ICS) manufacturers? It already has access to most of the corporations who develop these systems through the National SCADA Testbed Project run by 3 U.S. national labs, including INL. At least one Command & Control server was hosted in India. Why would the U.S. pick India and not China, our favorite cyber adversary?

It's too early to know what DuQu is for, and no one knows where it came from, but facts are facts. The source code for Stuxnet isn't available in the wild, and if the same group is responsible for both pieces of malware, and you believe that the U.S. is behind Stuxnet, then you need to own the logical conclusion of that belief. If the facts around DuQu, now or in the future, point away from the U.S. then you need to re-consider whether the U.S. was ever involved in Stuxnet at all. After all, take a look at the part of the world that McAfee has identified as being DuQu's target area.

There are lots of nation states for whom this part of the world has significant appeal and who would benefit from a sophisticated info-stealing virus; in some cases much more than the U.S.

Comments