Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (41 page)

By the Spring of 2012, the team at Kaspersky had completed their analysis of Duqu and its servers, but they were sure there was more to the story than had so far been exposed. Even they, however, could not have imagined the discovery they were about to make: that Stuxnet—a program that awed with its boldness and destructive potential—was just an offshoot of a cyberspying operation that was orders of magnitude larger than this single digital weapon.

THE REVELATIONS BEGAN
that April, when a virus began running wild on computers at the Iranian Oil Ministry and the Iranian National Oil Company, wiping out the hard drive of every system it touched. The damage was systematic and complete, destroying gigabytes of data at a time. First, the malware eliminated documents and data files, then it went after system files, zapping core parts of the hard drive to cause them to crash and burn.

It was unclear how many computers were affected, but there were rumors that the destruction had begun on some computers as early as December. No one noticed the trend initially, until it spread and became
impossible to ignore. It also was not clear how long the virus had lurked on machines before it turned destructive, but each time it did, the destruction began around the twentieth day of the month. Iranian officials dubbed it “Wiper” and pointed to the United States and Israel as the source. They insisted, however, that the attack caused no lasting damage, because all of the deleted data had been backed up.

When Raiu and the Kaspersky team got hold of a mirror image of one of the erased hard drives from Iran, it was filled with gibberish. Not only were all of the documents and critical system files gone, any sign of the Wiper malware was erased from the disk too. But one important clue remained—a single reference inside the registry key to a temporary file named ~DF78.tmp that had been created on the system at some point before the destruction began. The file itself was now gone, but its name lingered on, a ghost betraying its former presence. The ~D prefix in its name was a familiar signifier to the researchers by now. It was the same distinctive naming convention that Duqu had used for the temporary files it created on infected machines, as well as the naming convention that Stuxnet used for some of its files.

Had Duqu, or some other program written by the same team, been on the machine before Wiper erased it?
¹
Was Wiper a creation of the same team behind Duqu?

Raiu and his team programmed Kaspersky’s antivirus tools to search for the ~DF78.tmp file—and for good measure, to flag any other temporary file that had a name that began with ~D. They got a number of hits on machines in various countries, but the majority of them showed up on machines in Iran. When they obtained a copy of one of the files—this one named ~DEB93D.tmp—they discovered it was a log for a “sniffer” component that recorded passwords as they flitted across the infected
machine’s local network. With a little digging, they also found a module that appeared to be responsible for creating the sniffer log.
²
It turned out to be one of their most significant finds.

The module didn’t resemble Stuxnet or Duqu and didn’t appear to be Wiper, either—it contained no code for erasing the hard drive of infected machines. They searched their archive to see if anything resembling it had come through their automated reporting system in the past, and to their surprise, module after module popped up, as if they’d just been sitting in the archive waiting to be discovered. They found twenty different files in all, each with odd names like Euphoria, Munch, Limbo, Frog, and Snack. The files all appeared to be plug-ins or components for a related attack.

What intrigued them most, however, was that one of the files had come in through their system in October 2010 and was tagged by the system as a Stuxnet file. At the time, this hadn’t made sense to them because when they had examined the file, it didn’t look anything like Stuxnet. But now when they examined it again they discovered what the two had in common—both files contained a zero-day exploit that they and Symantec had overlooked when they examined Stuxnet two years earlier.

The exploit had been embedded in a part of Stuxnet called Resource 207, which appeared only in the June 2009 version of the attack code, not the 2010 versions—which explained why they had overlooked it before. Most of the Stuxnet files Kaspersky and Symantec examined had come from the 2010 attacks. Very few samples of the 2009 variant had ever been found on infected machines.

Resource 207 contained the code that Stuxnet 2009 used to trick the Autorun feature in Windows machines to spread itself via USB flash drives. But it also contained this overlooked exploit that was now in the new attack code. The exploit gave the attackers escalated privileges on infected machines by exploiting a buffer-overflow vulnerability in the wallpaper feature of Windows. The vulnerability had been a zero day when the attackers created the exploit in February 2009, but by the time they released
Stuxnet four months later that June, Microsoft had patched the hole.
³
When it came time to release the next version of Stuxnet in March 2010, the attackers had eliminated this exploit, along with the Autorun code, and replaced it with the .LNK exploit and two other privilege-escalation exploits that were still zero days at the time.

The discovery of the wallpaper exploit meant that instead of four zero-day exploits—which was already an impressive record—Stuxnet had actually used five zero-day exploits during its lifetime. More important, though, the link between Stuxnet and this new attack provided further evidence that Stuxnet was part of a suite of malicious tools created by the same team.

KASPERSKY’S ALEX GOSTEV
and his team divvied up the twenty modules they had found for this new attack and went to work reverse-engineering them to see how they were connected. They worked day and night, fueled by caffeine and the excitement of knowing they had just uncovered another tool in the Stuxnet arsenal.

At the end of three weeks, they had a digital spy kit on their hands that was larger than anything they had seen before. They dubbed it “Flame,” after the name of one of the main modules in the attack.
⁴

Stuxnet had tipped the scales at 500 kilobytes when compressed, but Flame was at least 20 megabytes with all of its components combined, and consisted of more than 650,000 lines of code. It also had astounding complexity to match its girth. They estimated it would have taken a team of half a dozen programmers at least three years to code it all, and it would
take the entire Kaspersky team years more to completely decipher it. Instead, they settled for deciphering just enough of the code to understand it.

The Kaspersky team had seen a lot of digital spy tools over the years—many of them believed to be nation-state tools from China—but this one rewrote the book. If James Bond’s Q Branch had a digital armory, Flame would have been part of it. It came with a cornucopia of spy gadgetry aimed at collecting intelligence from victims in a multitude of ways. Among them was one module that siphoned documents from infected machines, and another that recorded keystrokes and captured screenshots every fifteen to sixty seconds. A third module surreptitiously engaged an infected computer’s internal microphone to eavesdrop on conversations in its vicinity. A fourth module used the computer’s Bluetooth function to swipe data from any discoverable smartphones and other Bluetooth-enabled devices in the area.

Flame appeared to be a multipurpose espionage tool created to meet every need, depending on the mission. Not every victim got the full Flame treatment, though. Each component was installed as needed. A 6 MB starter kit got loaded onto many infected machines first, which included a back door through which the attackers could install new spy modules from their command server at will.
⁵

The infrastructure set up to support Flame was also massive and like nothing the researchers had seen before. They found at least eighty domains operating as command servers in Germany, the Netherlands, Switzerland, and elsewhere through which the attackers controlled infected machines and collected siphoned documents from them.
⁶
The attackers had likely set up so many domains in order to manage different operations and groups of victims separately.

They used various fake identities to register the domains—Ivan Blix, Paolo Calzaretta, Traian Lucescu—and purchased some of them with prepaid credit cards so they couldn’t be traced. The Kaspersky researchers got traffic for about thirty of the domains redirected to a sinkhole that they controlled, and as soon as it was set up, infected machines in Iran and around the world began calling in. Stolen files intended for the attackers also poured in, though the files were encrypted so the researchers weren’t able to see what the attackers were stealing.

After adding signatures for Flame to Kaspersky’s antivirus tools, infections showed up on several hundred machines. Iran, no surprise, was at the top of the list. At least 189 machines were infected there. But there were also 98 victims in the Palestinian Territories, and about 30 victims each in Sudan and Syria.

While Kaspersky was still examining Flame’s modules, Bencsáth in Hungary contacted Raiu with news of a suspicious file found in Iran that someone had sent him. They had become well acquainted with Bencsáth when they had worked on Duqu, so it wasn’t unusual for him to contact them. The file he had received from Iran turned out to be one of the same modules Raiu and his team had already been examining. Bencsáth also passed the file to Chien at Symantec, who began to examine the threat in parallel with Kaspersky. When the Symantec researchers added signatures to their antivirus engine to detect it, they uncovered more victims in Austria, Hungary, Lebanon, Russia, the United Arab Emirates, and Hong Kong.

More than 1,000 victims were eventually uncovered, many more than the 36 victims Duqu was known to have hit, although nowhere near the more than 100,000 machines that Stuxnet had struck. But that’s because unlike Stuxnet, Flame couldn’t spread automatically. All of its spreading mechanisms worked only when deployed and commanded by the attackers. So while the majority of Stuxnet’s victims were collateral damage, everyone Flame hit was presumably an intended target. Raiu suspected the victims were infected in groups, based on whatever mission the attackers were conducting at the time.

There was no discernable pattern to the pool of victims—Flame targeted individuals, private companies, government agencies, and academic institutions. But it wasn’t difficult to see what types of files the attackers were after, since the malware contained a list of file extensions it sought, including Microsoft Word documents, PowerPoint presentations, and Excel files. But also high on the list were AutoCAD drawings, which had been targeted by Duqu as well. Flame, notably, was also looking to steal digital certificates.

Although Flame had a long list of files it was seeking, it didn’t steal every file it found. Instead, it extracted 1 KB of text from each and transmitted it back to one of the command servers. From there it was likely passed to another location, where Raiu suspected the attackers had a supercomputer set up to sift through all the text samples that came in and determine which files the attackers wanted to grab in full. Notably, a year later when the NSA documents leaked by Edward Snowden were published, they described a system codenamed TURBINE that was designed to do something very similar to this. (See
this page
.)

With such an elaborate operation set up for Flame, it was no surprise that the attack had been around for a while. The earliest infection uncovered, on a machine in Europe, occurred in December 2007.
⁷
A machine in Dubai was struck in April 2008. Some of the domains the attackers used for their command servers were also registered around this time. A handful of others were registered in 2009 and 2010, but the majority were registered in 2011, after Stuxnet was exposed. All of this meant that Flame had been active in the wild infecting systems for at least five years before it was discovered and was active during the same time that Stuxnet and Duqu were being developed and unleashed.

A clear picture was beginning to emerge of a digital arsenal filled with spy tools and weapons created to attack not just Iran’s nuclear program
but other targets as well. Two separate platforms had been used to create the malicious code discovered so far. One was the Flame platform, upon which the massive Flame spy tool had been built. The other was the Tilde-d platform, upon which Duqu had been built. The Flame platform was much more dense and complex than the Tilde-d platform, and had therefore probably been created in parallel by a different team. Both platforms, however, were used to develop Stuxnet at various stages.

Raiu surmised that the development of Flame likely began in 2005 or 2006, due to the fact that some of the custom code the attackers wrote for their command servers had been developed in December 2006.
⁸
Development of the spy tool likely reached maturity in early 2007. The earliest known dates for Duqu were August 2007, when one of Duqu’s droppers was compiled, and November 2008, when Duqu’s infostealer showed the first signs of being in the wild.