Cybersecurity researchers have found a piece of malware on computer systems in Europe that bears startling similarities to Stuxnet, the mysterious virus that was used to sabotage Iran’s nuclear program, and it appears to have been designed to secretly gather intelligence.
In a new paper, U.S.-based researchers at Symantec say that the code – dubbed Duqu – was written by whoever unleashed Stuxnet, or perhaps by someone who had access to the computer language underlying it. The new code was written to capture information that can help “mount a future attack on an industrial control facility.”
“Duqu is essentially the precursor to a future Stuxnet-like attack,” the paper said.
Although the two pieces of code share similar traits, they differ in significant ways. Stuxnet’s payload was designed specifically to disrupt the machines that controlled the speed of centrifuges in a uranium enrichment plant in Iran. Duqu is designed to capture data such as computer keystrokes (including, say, passwords) and system information.
The discovery of the code by a lab in Europe is a reminder, said Kevin Haley, security response director for Symantec, that “the groups or organizations behind these attacks are not going to stop at one. They are going to do another.”
Other researchers are expressing caution.
“This is all typical computer network espionage, which Stuxnet clearly was not,” said Dmitri Alperovitch, an independent security researcher.
The new code — dubbed Duqu because it creates files with the prefix ~DQ — has been found so far in a handful of European manufacturers of industrial control systems. Security experts are continuing to analyze new variants.
Symantec’s technical paper can be found here.