BROOKLYN, NY–After years of research and investigation into the cyber-espionage attacks that began with the discovery of Stuxnet and continued with Flame, Duqu and Gauss, there still are many details that are unknown. While researchers have a pretty good handle on many of the tools’ capabilities, experts say that there may be other modules from these weapons still in circulation that have yet to be discovered.
Researchers believe that many of these recent attacks are connected, whether through code re-use, similar targets or other factors, and think that several of them may have been the work of the same team, or at least related groups. Each of the tools seemed to have a different purpose, with Stuxnet targeting a uranium-enrichment facility in Iran, for example, and Gauss being used to monitor financial transactions in specific banks.
And while much has been learned about the attackers’ methods and their target base, researchers say that there may well be pieces of the attack tools that are yet unknown and are still in operation right now.
“There could be a Flame module deployed years ago with the same functionality as Stuxnet,” Roel Schouwenberg, senior security researcher at Kaspersky Lab, said in a talk at the Cyber Security for the Next Generation conference at NYU-Poly here Friday. “We may never know.”
Flame targeted some oil facilities in the Middle East and researchers found some direct links between its code and that of Stuxnet. They also later found commonalities between Flame and Gauss, drawing a straight line from Stuxnet down through Gauss and later tools.
Researchers so far have been able to get a handle on the way these attacks work and prepare defenses for them, but that may not always be the case, Schouwenberg said. The thing that worries him and other researchers is the emergence of an attack using novel techniques for which there are no clear protections.
“Right now I can still sleep at night. But what worries me is when we find an attack that can get by all of the defenses and we can’t find protection for,” he said.
The attackers behind Stuxnet and its descendants have shown remarkable versatility and flexibility in their development methods and have demonstrated that they can develop specific tools for highly specialized targets and succeed in compromising those systems. What comes next is unknown, of course, but there’s no reason to think there aren’t additional attacks ongoing at the moment that could eventually stump researchers.