Researcher Traces Stuxnet/Duqu Timeline Back to 2006

Friday, December 02, 2011



Cyber warfare expert and researcher John Bumgarner claims to have traced the Stuxnet and Duqu virus timelines back as far as 2006, an assertion that would mean the malware has been active for much longer than previously suspected.

The Stuxnet virus, first identified in 2010 by German researcher Ralph Langner, is a highly sophisticated designer-virus that wreaks havoc with SCADA systems which provide operations control for critical infrastructure and production networks.

The initial attacks are thought to have caused severe damage to Iranian uranium enrichment facilities, setting back the nation's nuclear weapons program by as much as several years.

Iran is still struggling with the aftermath of the Stuxnet virus attacks more than a year after the infestation was discovered. The virus specifically targeted Siemens PLCs used to control uranium enrichment centrifuges.

While Duqu is similar in may respects to Stuxnet, some research team have concluded that its main purpose is to harvest data, not affect physical control systems such as those impacted by Stuxnet.

Other researchers are working under the assumption that Duqu is still in development, and that the authors are working to perfect the malware prior to unleashing its full potential - such as the delivery of a potentially devastating payload.

According to reports, Bumgarner's timeline is as follows:

  • May 2006 - Engineers compile code for a component of Stuxnet that will allow them to attack programmable logic controllers, or PLCs, manufactured by Siemens of Germany. Iran's nuclear program uses Siemens PLCs to control the gas centrifuges in its uranium enrichment facilities.
  • 2007 - Duqu, a data-stealing piece of malware, is deployed at targeted sites in Iran and some of its allies, including Sudan.
  • Late 2007 - Engineers write the code for the "digital bomb" component of Stuxnet, allowing those behind the attack to force the gas centrifuges to rotate at faster-than-normal speeds, which is what damaged the sensitive equipment when the cyber weapon was eventually deployed.
  • November 2008 - Conficker appears, starts to spread rapidly.
  • December 2008 - Actors behind Stuxnet start running, a website appealing to soccer fans that will eventually be used to cloak traffic traveling between machines infected with Stuxnet and the server controlling them.
  • January 2009 - They start running, which will be used for the same purpose.
  • January 2009 - Spread of Conficker peaks and engineers continue writing code for key components of Stuxnet.
  • March 2009 - Conficker Variant C is deployed. This version will be used to deliver Stuxnet to Iran.
  • April 1, 2009 - Attackers begin to deploy Stuxnet to Iran on the 30th anniversary of the declaration of an Islamic republic in Iran.
  • January 2010 - Operators of Stuxnet accelerate program by adding new malware components that make it spread faster and also make it more dangerous.
  • March 2010 - Stuxnet operators add additional components to the malware to make it even more powerful.
  • June 2010 - Computer security firm VirusBlokAda identifies Stuxnet as a piece of malware after reviewing a sample that was found in Iran.
  • July 2010 - Cyber security blogger Brian Krebs breaks news of Stuxnet on his website.
  • November 2010 - Iran President Mahmoud Ahmadinejad discloses that a cyber weapon had damaged gas centrifuges at his nation's uranium enrichment facility. "They did a bad thing. Fortunately our experts discovered that," he said.


Possibly Related Articles:
Viruses & Malware
SCADA malware Attack conficker Iran Stuxnet Headlines Siemens Programmable Logic Controllers DUQU John Bumgarner
Post Rating I Like this!
Matthijs R. Koot The Reuters article states: "His claims have not been independently confirmed."

Richard Stiennon, for one, states: "I don't buy it. Too circumstantial." [1]

It would be great of Bumgarner shares his evidence and does a write-up of his interpretation(s).

Anthony M. Freed Not a bad idea to defer to Richard on this one - at least until Bumgarner releases some more details... But then, it would not surprise me if work on Stuxnet and Duqu started right after 9/11...
Matthijs R. Koot "The entire thing is probably bullfrak." Why? Read @pr0f_srs' reflection on Bumgarner's claims:
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.