Skip to main content

Kaspersky: Stuxnet and Duqu had same developers, started as early as 2007


The Stuxnet worm may go down in history as one of the first known instances of cyber warfare, since it appears to have been crafted specifically to disrupt Iran’s ambitions to refine weapons-grade uranium. Earlier this year, the related Duqu worm appeared—although it appears to have a different, unknown purpose. Although there has been speculation that Stuxnet and Duqu are related, Kaspersky security researcher Alexander Gostev says the two worms have to have been developed by the same team—and they may have gotten started as early as 2007.

“There were a number of projects involving programs based on the ‘Tilded’ platform throughout the period 2007-2011,” Gostav wrote. “Stuxnet and Duqu are two of them—there could have been others, which for now remain unknown.”

Researches refer to the worm platform as “Tilded” because of the authors’ propensity for starting file names with “~d.” But the similarities are much deeper, with the worms sharing the same fundamental architecture. Through analyzing drivers—including some unusual (and potentially unique) finds associated with Duqu infections—Kaspersky concludes the platform got started as a single-driver effort in 2007 or 2008, and got its most significant modifications in mid-2010. Kaspersky’s analysis also concludes there was “at least” on other spyware module built on the same platform back in 2007 or 2008.

Duqu/Stuxnet evolution

The Stuxnet worm set off a frenzy of speculation amongst security researchers because of its complexity. Where most malware packages together a small set of functions around a small set of exploits so they can get into the wild quickly, Stuxnet contains more than 4,000 functions and functionality specifically targeting industrial control equipment—in fact, Stuxnet is so specific that it likely was crafted only to target Iran’s nuclear enrichment facilities. Duqu sports a similar complexity, and researchers at the Budapest University of Technology and Economics CrySyS lab (who discovered Duqu) speculate it is designed to steal industrial control design materials.

Some industry watchers have speculated that Stuxnet and Duqu may be the work of state-sponsored malware development efforts, with Israel and the United States often considered possible sources for the Stuxnet worm.

Editors' Recommendations