Hackers Installed Sophisticated Malware on U.S. Computers. Why Doesn't Anyone Care?

The worm was designed to gather intelligence on the ongoing Iranian nuclear talks.

For years, cybersecurity hawks have painted grim pictures of a "cyber Pearl Harbor," when sophisticated hackers will be able to infiltrate and commandeer critical U.S. networks to wreak whatever havoc they choose. Yet for some reason, when the most advanced cyber-espionage malware known was discovered on American systems, the usually indefatigable "tough on cyberterror" crowd was quiet.

The malware was made public in June, when Russian software security firm Kaspersky Lab rocked the information-security community by revealing that a powerful computer worm—similar to the 2010 Stuxnet virus—had been unleashed on computers in America and around the world roughly one year prior. The new malware, called "Duqu 2" for its apparent succession to 2011's Duqu worm, alarmed info-security professionals with both its unprecedented strength and audacious targets. For months, attackers deployed frighteningly sophisticated espionage technology to secretly spy on all sorts of parties involved (however tenuously) in the ongoing Iranian nuclear negotiations, including government leaders, telecommunication and electrical-equipment companies, and impartial researchers.

Worms like Stuxnet and Duqu are worlds away from the run-of-the-mill "script kiddie" hacks that take Xbox Live offline or deface the USCENTCOM Twitter account. When executed, this elite class of malware allows external entities to expertly enter almost every cranny of even the best-protected networks, capture stored data and live keystrokes, and even assume control of large-scale industrial targets like nuclear reactors, power plants, and air traffic control systems—often leaving virtually no trace of invasion for months. In other words, Stuxnet-like infections provide the technical means to wreak exactly the kinds of "planes falling out of the sky" doomsday scenarios so beloved by cyber-fearmongers.

While Duqu 2 is built from large portions of the Stuxnet code, the worms are intended for separate missions. Stuxnet, widely believed to be a joint effort between the U.S. and Israel, was developed to infiltrate and remotely shut down Iran's uranium enrichment facilities—a mission that ultimately failed. Still, the remote access and control capabilities Stuxnet pioneered to launch industrial-scale attacks on infrastructure computer systems introduced dark new possibilities for the future of cyberwar.

The Duqu family of attacks, on the other hand, optimizes certain Stuxnet methods to focus on snooping instead of hijacking. The Duqu developers were also interested in Iran, but had no aspiration to sabotage physical factories from within their own networks. Rather, Duqu 2 was designed to gather intelligence on participants in the ongoing Iranian nuclear talks.

Duqu 2 is noteworthy for the unparalleled number of victims it intentionally infected, having compromised computer systems owned or used by Western heads of state, European telecommunications providers, American corporations, and Kaspersky Lab itself. During that time, hackers could freely explore compromised systems for a pervasive surveillance operation on the multilateral nuclear negotiations. Yet the scant and nonactionable details gleaned from this paranoid bugging scheme are surely not worth the tremendous geopolitical cost that comes with it. By targeting a trusted security research center and U.S. computer systems, the Duqu 2 attackers have dangerously crossed an unspoken barrier preventing an all-out global cyber war.

The choice to attack Kaspersky reveals some things about the Duqu developers. For one thing, they're assholes. As founder Eugene Kaspersky explained on the morning of his company's announcement, security firms like Kaspersky or U.S.-based Symantec are a little bit like medics on the battlefield—whatever the international grudges or corporate chicanery that may motivate malicious online behavior, all groups benefit from the work these firms do to make the Internet more predictable and secure. Hackers of all hats have historically maintained a sort of gentleman's agreement against directly targeting such entities. We see no such honor, but rather an abundance of chutzpah, from the Duqu hackers. Whether they were gripped by a delusional obsession to leave even the most tenuously related stones unturned or were merely competitive jerks desperate to hack into one of the world's most secure systems to prove they could, the Duqu hackers have made it clear that they don't care how many peacekeeping conventions they have to step on in the process.

Targeting American systems is similarly bold. Our world dominance might not be what it used to be, but we still have big guns and the world's technology capital. As far as our intelligence community is concerned, we're the guys who deploy the insane cyberattacks, not the ones targeted. Indeed, the National Security Agency's (NSA) elite "Equation Group" of cyber-espionage developers has been infecting computers around the world, including some within U.S. borders, with similarly sophisticated malware since 2001.

Because the Equation Group targeted many of the same marks as the Duqu group, it is unlikely that Duqu 2 was the work of the U.S. Which brings us to the awkward elephant lingering about: most people in the intelligence and security communities agree that Duqu 2 was either directly developed or at least indirectly financed by Israel, despite Israel denying culpability.

This tricky geopolitical quandary may explain some of the dulled response to Duqu 2 from Washington. When the latest Seth Rogen romp was allegedly leaked online by hermit programmers in North Korea, everyone in the District ran around like chickens with their feathers on fire, clucking about cyberwar and the best form of retaliation. Now that an enormously more destructive technology has been deployed against the U.S. and major European powers, we haven't heard one peep. The bizarre mismatch between the level of political hysteria surrounding each incident and the underlying risk profile of each is a good reminder of how power, not reason, drives policy.