Vaporous Voids: Questions Remain About Duqu 2.0 Malware

Cybersecurity_MerrillCollegeofJournalismThe use of stolen Foxconn digital certificates in Duqu 2.0 gnaws at me, but I can’t put my finger on what exactly disturbs me. As detailed as reporting has been, there’s not enough information about this malware’s creation. Nor is there enough detail about its targeting of Kaspersky Lab and the P5+1 talks with Iran.

Kaspersky Lab carefully managed release of Duqu 2.0 news — from information security firm’s initial post and an op-ed, through the first wave of media reports. There’s surely information withheld from the public, about which no other entities know besides Kaspersky Lab and the hackers.

Is it withheld information that nags, leaving vaporous voids in the story’s context? Possibly.

But there are other puzzle pieces floating around without a home, parts that fit into a multi-dimensional image. They may fit into this story if enough information emerges.

Putting aside how much Duqu 2.0 hurts trust in certificates, how did hackers steal any from Foxconn? Did the hackers break into Foxconn’s network? Did they intercept communications to/from Foxconn? Did they hack another certificate authority?

If they broke into Foxconn, did they use the same approach the NSA used to hack Syria — with success this time? You may recall the NSA try to hack Syria’s communications in 2012, by inserting an exploit into a router. But in doing so, the NSA bricked the router. Because the device was DOA, the NSA could not undo its work and left evidence of hacking behind. The router’s crash took out Syria’s internet. Rapid recovery of service preoccupied the Syrians so much that they didn’t investigate the cause of the crash.

The NSA was ready to deny the operation, though, should the Syrians discover the hack:

…Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

Did the NSA’s attempted hack of Syria in 2012 provide direction along with added incentive for Duqu 2.0? The failed Syria hack demonstrated evidence must disappear with loss of power should an attempt crash a device — but the malware must have adequate persistence in targeted network. NSA’s readiness to blame Israel for the failed Syria hack may also have encouraged a fuck-you approach to hacking the P5+1 Iran talks.

WIRED’s Kim Zetter noted Taiwan as a common factor among other recent malware attacks relying on certificates. If the hackers broke into Foxconn, did they also break into other equipment manufacturers located in Taiwan at the same time, or using the same approach?

Which might make one wonder if hackers used a cut to an undersea cable serving Taiwan to that end. Such submarine communication line cuts have increased in number over the last handful of years. Cable APCN-2 experienced two major disruptions between March 2014 and February 2015, characterized as cuts or fiber breaks, though the cable is supposed to have self-healing capabilities.

The installation of a new undersea cable (APG) serving East Asia also offered an opportunity for access, perhaps during installation. This cable’s service began in 3Q2014, ahead of the Foxconn certificate theft, believed to have happened in early 2015.

And what of Foxconn’s information security? Hackers known as SwaggSec broke into the company in late 2011/early 2012, stealing a large quantity of corporate information to post online. Didn’t this breach encourage better security? Or were employees compromised after their information had been released online?

Electronic device manufacturers and certificate authority companies had already been on notice about lax security since 2012. A nation-state-sponsored hack was blamed for the theft of 200 certificates that year after discovery of Duqu 1.0. Considering the increase in malware attacks using stolen certificates since 2011, it seems odd certificates weren’t more secure.

All these unanswered questions about Duqu 2.0 combined with other dangling disconnects leave me still curious, but uneasy.

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.
6 replies
  1. galljdaj says:

    Well rayne, The simple answer is what I see going on, ‘there is no such thing as a safe computer that is on-line or using remote equipment. The only way I can stop the ‘intrusions’ is to take mine off line. Any commands can and do get thwarted, added to, deleted, copied, or ways I still don’t realize corrupt for some bit of knowledge. To me its clear Our Govt is totally corrupt, and has transferred the skills or methods to many corporations and individuals that are more than happy to join the party of skimming off the top of the Peoples Resources.

    The cat came out of the microsoft bag with the statement, ‘… all we need is roughly 2 Billion People in the World… .’ Look at all the Policies around the World Targeting People for removal! From simple murdering to benign cutting off of resources like education, food, water, retirements, and medicines. The Structures that many rely on are being destroyed by removal of the wealth and funding from the Majority of Peoples in most Nations. Look at what the US is trying to do the the ‘bad example’ Venezuela!

  2. Joanne Leon says:

    “leave me still curious, but uneasy.”

    You said it. Undermining encryption. Undermining certs. Not that I expect perfection. There’s no such thing as perfect security. But what we know from Snowden docs reveals a complete and utter disregard for the net. I never saw one word in what was reported that had anything to do with defense or any concern for the well being of billions of users of the most .. well we all know what the internet means for the world and the real benefits and nearly unlimited potential for good that it has.

    I think Kaspersky put it well here. He speculates quite a bit about who did this but the last few paragraphs make it clear who he thinks it probably is. What he describes here also shows a clash of cultures. Using the internet, eagerly, as a battlefield, goes against the grain of the people who built it out, whether that’s the infrastructure, the applications, the ecommerce aspect, over the past 20 years. There are many, many of us who did our small or big parts. No doubt some sold out and don’t really care if it’s wrecked by warmongers. But hopefully, many more do care.

    Various intelligence services seem to be treating the Internet like a battleground in a war, potentially creating new risks for hundreds of millions of people. We protect those people in the face of such risks, but we’d much prefer it if there were no ‘war’ in the first place. Thankfully in this case, though attacked, we weren’t injured; but generally speaking, deliberately attacking medics on a battleground is simply despicable and disgraceful.

    Could we please have a win for the good (and much less flush with cash) guys for once? Frankly, I’m not all that confident. Uneasy is putting it lightly because there’s a very big war machine and an empire in decline, very eager to make this their territory and their feeding trough for decades to come. I’m not sure where Kaspersky falls on the good guy/bad guy spectrum but I do know the very genuine guy who fixes our computers (guy with a 1980s Toyota, a small shop cluttered w/ bits of hardware, who practically lives in the shop & we’re not sure how he makes enough for a living but seems able to answer any question or fix any viable software or hardware issue that’s worth fixing) loaded it on my machine and said hands down, they’re the best.

    • Rayne says:

      Spot on, JL. This was an offensive without regard for blowback. I’m sure if asked the parties would claim Stuxnet and Duqu were defensive, but these malware were first designed to take out incomplete systems, not completed nuclear weapons.

      Having worked long enough in IT, this is what a non-diverse working environment looks like: the team aims toward a single goal, are hyper-competitive about achieving that single benchmark of success, and they engage in groupthink to crush anything in their way.

      They don’t ask, Are there side effects? Will there be collateral damage? What are the risks once this goal is achieved?

      And while locked into this groupthink, the hive mind forgets that each of the members and sponsors have other, individual agendas. The US as a participant went into this believing it had brought along faithful companions who would never bite them.

      But those faithful companions also believe that they are entitled to do anything and everything to ensure their own aims, up to and including the utter compromise of every electronic device requiring either network attachment or software. And they used what they saw as the US giving them an opening to build permanent insurance.

      This use of certs from Foxconn, which makes/assembles as much as 40% of personal electronics, is a massive fuck-you to the world. If this absolute contamination of all things electronic is what the Bush administration intended when they authorized the program launching Stuxnet et familia, they deserve punishment, like life in exile to Antarctic or the Sahara desert. Maybe one of those ugly black sites they were so fond of in their day.

Comments are closed.