Cyber-spawn Duqu 2.0: Was Malware Infection ‘Patient Zero’ Mapped?

Kaspersky Lab reported this morning that a next-generation version of Duqu malware infected the information security company’s network.

Duqu is a known reconnaissance malware. Its complexity suggests it was written by a nation-state. The malware appears closely affiliated with the cyber weapon malware Stuxnet.

WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.

Ars Technica reported in depth on Kaspersky’s discovery of the malware and its attributes. What’s really remarkable in this iteration is its residence in memory. It only exists as a copy on a drive at the first point of infection in a network, and can be wiped remotely to destroy evidence of its occupation.

The infosec firm killed the malware in its networked devices by mimicking a power outage. It detached from its network the suspect devices believed to hold an infecting copy on disk.

Kaspersky’s Patient Zero was a non-technical employee in Asia. Duqu 2.0 wiped traces of its own insertion from the PC’s drive.

Neither WSJ nor Ars Technica noted that Kaspersky’s network must have been subject to a program like TREASUREMAP.

…Because the rest of the data remained intact on the PC and its security patches were fully up to date, researchers suspect the employee received a highly targeted spear phishing e-mail that led to a website containing a zero-day exploit. … (bold mine – source: Ars Technica)

How was a single non-technical point of contact in Asia identified as a target for an infected email?

Stuxnet and the Poisons that Open Your Eyes

Playwright August Strindberg wrote, “…There are poisons that blind you, and poisons that open your eyes.”

We’ve been blinded for decades by complacency and stupidity, as well as our trust. Most Americans still naively believe that our government acts responsibly and effectively as a whole (though not necessarily its individual parts).

By effectively, I mean Americans believed their government would not deliberately launch a military attack that could affect civilians — including Americans — as collateral damage. Such a toll would be minimized substantively. Yesterday’s celebration related to the P5+1 interim agreement regarding Iran’s nuclear development program will lull most Americans into deeper complacency. The existing system worked, right?

But U.S. cyber warfare to date proves otherwise. The government has chosen to deliberately poison the digital waters so that all are contaminated, far beyond the intended initial target.

There’s very little chance of escaping the poison, either. The ubiquity of U.S. standards in hardware and software technology has ensured this. The entire framework — the stack of computing and communications from network to user applications — has been affected.

• Network: Communications pathways have been tapped, either to obtain specific content, or obtain a mirror copy of all content traveling through it. It matters not whether telecom network, or internal enterprise networks.

• Security Layer: Gatekeeping encryption has been undermined by backdoors and weakened standards, as well as security certificates offering handshake validation between systems.

• Operating Systems: Backdoors have been obtained, knowingly or unknowingly on the part of OS developers, using vulnerabilities and design flaws. Not even Linux can be trusted at this point (Linux progenitor Linus Torvalds has not been smart enough to offer a dead man’s switch notification.)

• User Applications: Malware has embedded itself in applications, knowingly or unknowingly on the part of app developers.

End-to-end, top-to-bottom and back again, everything digital has been touched in one layer of the framework or another, under the guise of defending us against terrorism and cyber warfare.

Further, the government watchdogs entrusted to prevent or repair damage have become part and parcel of the problem, in such a way that they cannot effectively be seen to defend the public’s interests, whether those of individual citizens or corporations. The National Institute of Standards and Technology has overseen the establishment and implementation of weak encryption standards for example; it has also taken testimony [PDF] from computing and communications framework hardware and software providers, in essence hearing where the continued weak spots will be for future compromise.

The fox is watching the hen house, in other words, asking for testimony pointing out the weakest patches installed on the hen house door.

The dispersion of cyber poison was restricted only in the most cursory fashion.

Stuxnet’s key target appears to have been Iran’s Natanz nuclear facility, aiming at its SCADA equipment, but it spread far beyond and into the private sector as disclosed by Chevron. The only protection against it is the specificity of its end target, rendering the rest of the malware injected but inert. It’s still out there.

Duqu, a “sibling” cyber weapon, was intended for widespread distribution, its aims two-fold. It delivered attack payload capability, but it also delivered espionage capability.

• Ditto for Flame, yet another “sibling” cyber weapon, likewise intended for widespread distribution, with attack payload and espionage capability.

There could be more than these, waiting yet to be discovered.

In the case of both Duqu and Flame, there is a command-and-control network of servers still in operation, still communicating with instances of these two malware cyber weapons. The servers’ locations are global — yet another indicator of the planners’/developers’ intention that these weapons be dispersed widely.

Poison everything, everywhere.

But our eyes are open now. We can see the poisoners’ fingerprints on the work they’ve done, and the work they intend to do.

Side by Side: Timeline of NSA’s Communications Collection and Cyber Attacks

In all the reporting and subsequent hubbub about the National Security Administration’s ongoing collection of communications, two things stood out as worthy of additional attention:

— Collection may have been focused on corporate metadata;

— Timing of NSA’s access to communications/software/social media firms occurred alongside major cyber assault events, particularly the release of Stuxnet, Flame, and Duqu.

Let’s compare timelines; keep in mind these are not complete.

NSA collection vs. Cyber Attacks, in the original side-by-side order:

• NSA collection: Access to MSFT servers acquired
• Cyber attacks: Stuxnet 0.5 discovered in wild
• Cyber attacks: File name of Flame’s main component observed
• NSA collection: Access to Yahoo servers acquired
• Cyber attacks, all 2008 (into 2009): Adobe applications suffer from 6+ challenges throughout the year, including attacks on Tibetan Government in Exile via Adobe products.
• Cyber attacks: Stuxnet 0.5 “ends” calls home
• NSA collection: Access to Google servers acquired
• Cyber attacks: Operation Aurora attacks begin; dozens of large corporations confirm they were targets.
• NSA collection: Access to Facebook servers acquired
• Cyber attacks: Date Stuxnet version 1.001 compiled
• Cyber attacks: Stuxnet 0.5 terminates infection process
• NSA collection: Access to PalTalk servers acquired
• Cyber attacks: Operation Aurora attacks continue through Dec 2009
• Cyber attacks: Google discloses existence of Operation Aurora, says attacks began in mid-December 2009
• Cyber attacks: Iranian physicist killed by motorcycle bomb
• Cyber attacks: Flame operating in wild
• Cyber attacks: Date Stuxnet version 1.100 compiled
• Cyber attacks: Date Stuxnet version 1.101 compiled
• Cyber attacks: Langner first heard about Stuxnet
• Cyber attacks: DHS, INL, US congressperson informed about threat posed by “Stuxnet-inspired malware”
• NSA collection: Access to YouTube servers acquired
• Cyber attacks: Iranian scientist killed by car bomb
• NSA collection: Access to Skype servers acquired
• NSA collection: AOL announces agreement to buy HuffingtonPost
• NSA collection: Access to AOL servers acquired
• Cyber attacks: Duqu worm discovered
• Cyber attacks: Flame identified
• Cyber attacks: Date on/about “suicide” command issued to Flame-infected machines
• Cyber attacks: Stuxnet versions 1.X terminate infection processes
• NSA collection: Access to Apple servers acquired (date NA)

Again, this is not everything that could be added about Stuxnet, Flame, and Duqu, nor is it everything related to the NSA’s communications collection processes. Feel free to share in comments any observations or additional data points that might be of interest.

Please also note the two deaths in 2010; Stuxnet and its sibling applications were not the only efforts made to halt nuclear proliferation in Iran. These two events cast a different light on the surrounding cyber attacks.

Lastly, file this under “dog not barking”:

Why aren’t any large corporations making a substantive case to their customers that they are offended by the NSA’s breach of their private communications through their communications providers?

Obama’s “Zoo Animal” Broke Free and “Crossed the Rubicon”

At the bottom of it all has been the Bomb. For the first time in our history, the President was given sole and unconstrained authority over all possible uses of the Bomb.


Every executive encroachment or abuse was liable to justification from this one supreme power.

If the President has the sole authority to launch nation-destroying weapons, he has license to use every other power at his disposal that might safeguard that supreme necessity. If he says he needs other and lesser powers, how can Congress or the courts discern whether he needs them when they have no supervisory role over the basis of the claim he is making? To challenge his authority anywhere is to threaten the one great authority.

–Garry Wills, Bomb Power

I suppose I’ll eventually get around to discussing how the series of condoned leaks portraying President Obama as the Deciderer all rest on the pathetic but true fact that he is only borrowing George Bush’s claim to that title.

But for now, I want to focus on the one part of David Sanger’s mixed-metaphor saturated installment in the Deciderer 2.0 series that rings most true:

Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.

“We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.

With cyberwar, with drones, and (to a lesser extent) with the embrace of the terrorists’ transnational methods to fight terrorists, Obama has crossed into uncharted territory of the sort Wills explored in his book, Bomb Power. These changes are likely a step beyond the Bomb Power paradigm, whatever that entails.

Yet Obama has only barely begun to think through the ramifications of these tools. He has, instead, focused on the near and overblown threats of Iran and AQAP, not seeing both the strategic implications of even those choices, much less the implications of the sort Wills describes arose in the wake of our use of a nuclear bomb.

The President has embraced waging extralegal war using drones from the Oval Office. The President has embraced using easily manipulable code to wage physical war. What are the implications of these decisions?

Oh sure, Obama started paying attention after the fact. A year ago, he rolled out a “National Strategy for Cyberspace,” calling for international cooperation to enforce responsible behavior of the sort we have already violated. Even more recently, DOD has been tinkering with our rules of engagement.

But there are signs it is already too late: the battle lines have been drawn.

Foreign Policy’s “False Flag”

Wikipedia defines “false flag operations” as “covert operations designed to deceive the public in such a way that the operations appear as though they are being carried out by other entities.” Unpacking such an operation would require explaining clearly the target audience(s) of the deception and the purpose of it.

But Mark Perry doesn’t describe that structure in his Foreign Policy story, titled “False Flag,” asserting that members of Jundallah were recruited by Mossad agents pretending to be CIA officers.

According to two U.S. intelligence officials, the Israelis, flush with American dollars and toting U.S. passports, posed as CIA officers in recruiting Jundallah operatives — what is commonly referred to as a “false flag” operation.

The memos, as described by the sources, one of whom has read them and another who is intimately familiar with the case, investigated and debunked reports from 2007 and 2008 accusing the CIA, at the direction of the White House, of covertly supporting Jundallah — a Pakistan-based Sunni extremist organization. Jundallah, according to the U.S. government and published reports, is responsible for assassinating Iranian government officials and killing Iranian women and children.

But while the memos show that the United States had barred even the most incidental contact with Jundallah, according to both intelligence officers, the same was not true for Israel’s Mossad. The memos also detail CIA field reports saying that Israel’s recruiting activities occurred under the nose of U.S. intelligence officers, most notably in London, the capital of one of Israel’s ostensible allies, where Mossad officers posing as CIA operatives met with Jundallah officials. [my emphasis]

Explaining that structure would seem all the more important in a story–apparently in the works for a year and a half–published at the precise moment the Americans are trying to deny any involvement in the ongoing assassinations of Iranian scientists.

The problem is all the more real given the ambiguity of Perry’s language. When he says the Israelis were “flush with American dollars,” does he mean they got the dollars from America, or only that they were–as dollars are in common usage–American? When he notes that the recruitment “occurred under the nose of U.S. intelligence officers,” is that meant to suggest that it did so with their assent?

The ambiguity in Perry’s article is more significant given that, while he describes George Bush “going ballistic” when he was briefed on the op, Perry also provides evidence that at least some at the top officials in Bush’s Administration didn’t seem to care all that much.

A senior administration official vowed to “take the gloves off” with Israel, according to a U.S. intelligence officer. But the United States did nothing — a result that the officer attributed to “political and bureaucratic inertia.”

“In the end,” the officer noted, “it was just easier to do nothing than to, you know, rock the boat.” Even so, at least for a short time, this same officer noted, the Mossad operation sparked a divisive debate among Bush’s national security team, pitting those who wondered “just whose side these guys [in Israel] are on” against those who argued that “the enemy of my enemy is my friend.”

Furthermore, while Perry references earlier stories covering Jundallah, he doesn’t even consider the role of JSOC in this false flag operation, even though one of them–Sy Hersh’s–specifically describes the involvement of JSOC in such ops.

And as for the suggestion that since Obama took over, such cooperation between the US and Israel has been dramatically curtailed? The claim that the US and Israel have only been cooperating on operations that “are highly technical in nature and do not involve covert actions targeting Iran’s infrastructure or political or military leadership” would first of all seem to be a stretch given that StuxNet and Duqu are all about infrastructure. It would also seem to gloss over the apparent role that drones have had in targeting these scientists (Iran has captured some Israeli drones, in addition to the American ones, but most of the airspace involved would require US acquiescence). Add in the recent border incident between Iran and Pakistan involving claimed Jundallah members (the border area isn’t exactly Israel’s backyard), and it seems the Obama Administration is, at best, looking the other way.

Israelis and Americans have long hidden behind each other when working with Iranians, going back at least to the Iran-Contra ops that Dick Cheney had a fondness for. Hiding behind Israelis lets American officials pretend we’re not doing the taboo things we’re doing. Hiding behind Americans lets Iranian partners working with Israelis pretend they aren’t working with the Zionist enemy. That false flag business works in many different directions, after all.

Mind you, whatever the other purposes of this “false flag” story, its publication at this point in time just stripped Jundallah partners of the ability to deny they’re working with Israel, with all the probably dangerous consequences that will have.

Ahmed Warsame and StuxNet

Back in November, I suggested one intended purpose of the detainee provisions in the Defense Authorization is to require a paper trail that would make it a little harder for the Administration to disappear detainees on floating prisons. The bill:

  • Requires written procedures outlining how the Administration decides who counts as a terrorist
  • Requires regular briefings on which groups and individuals the Administration considers to be covered by the AUMF
  • Requires the Administration submit waivers whenever it deviates from presumptive military detention

These are imperfect controls, certainly. But they do seem like efforts to bureaucratize the existing, arbitrary, detention regime, in which the President just makes shit up and tells big parts of Congress–including the Armed Services Committees, who presumably have an interest in making sure the President doesn’t make the military break the law–after the fact.

I suggested this effort to impose bureaucratic controls was, in part, a reaction to the Ahmed Warsame treatment, in which it appears that the Armed Services Committees learned Obama had declared war against parts of al-Shabaab and used that declaration as justification to float Warsame around on a ship for two months. (It appears that the Intelligence Committees, but not the Armed Services Committees, got briefed in this case, though Admiral McRaven was testifying about floating prisons as it was happening). [Update: I may be mistaken about what Lindsey Graham’s language about making sure the AUMF covered this action meant, so italicized language may be incorrect.]

This is not to say the ASCs are going to limit what the President does–just make sure they know about it and make sure the military has legal cover for what they’re doing.

With that in mind, take a look at Robert Chesney’s review of the new cyberwar authorization in the Defense Authorization, which reads:


Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and

(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

Chesney’s interpretation of this troubling language is that by requiring a Presidential statement in some cases, it will force interagency consultation before, say, DOD launches a cyberwar on Iran. (Oh wait, too late.)

