Stuxnet copycat hackers move to Belgium

Powered by SC Magazine
 

Hacking operation moves after Indian raid.

Hackers used a server in Belgium to collect data stolen from machines infected with the Duqu computer virus, after authorities shut down another rogue collection system in India, according to security experts.

Governments and security experts around the globe are working to unlock the secrets of the elusive malware, which some say could be the next big cyber threat after the Stuxnet virus that was believed to have infected Iran's nuclear program.

Researchers at Symantec said they had identified a sample of Duqu that was configured to communicate with a specific server at Combell Group, Belgium's largest web-hosting company.

Hackers frequently use or lease servers at data centers to manage their malicious activities, without the knowledge of the data center operator. Symantec said in a report on its website on Tuesday that it had notified Combell that the server was being used for malicious activity.

Combell Group said it shut down that server on Thursday in response to a query about the matter from Reuters.

"We investigated the case," Combell Business Development Manager Tom De Bast told Reuters. "We decided to shut down the server immediately."

News of Duqu first surfaced two weeks ago after researchers at Hungary's Laboratory of Cryptography and System Security found a computer virus that contained code similar to Stuxnet. Early analysis suggested Duqu was developed by hackers to help lay the groundwork for attacks on critical infrastructure such as power plants, oil refineries and pipelines.

Indian authorities last month seized computer equipment from a data center in Mumbai, after Symantec reported that one of its servers was communicating with computers infected with Duqu.

"Looks fishy"

One of Brussels-based Combell's employees, who did not want to be identified as they were not authorized to speak for the company, said on Wednesday evening that the server had been running continuously for about a week and was leased through October 27 next year.

"It looks fishy," he said, adding that somebody controlling the machine appeared to be intentionally deleting data that would log details about its communications. "It's weird. The mail log itself has almost no entries. I think they are deleting data so they don't leave traces."

John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, also said that the server looked suspicious because it was running far fewer programs than its neighbors in the Combell data center.

He said that when the hackers moved their server from India to Belgium, they also modified the original technique used to communicate with computers infected by Duqu. This shift made it harder for companies to detect infected machines based on previous communication patterns.

Researchers at Symantec have said they believe Duqu may have been developed by the same engineers who built Stuxnet because some of the source code in the software is the same.

Other researchers disagree, saying the hackers could have reverse engineered the code for Stuxnet.

Stuxnet is believed to have crippled centrifuges that Iran uses to enrich uranium for what the United States and some European nations have charged is a covert nuclear weapons program.

(Reporting by Jim Finkle. Additional reporting by Edward Krudy; Editing by Maureen Bavdek, Tim Dobbyn and Carol Bishopric)


Stuxnet copycat hackers move to Belgium
 
 
 
Top Stories
Matching databases to Linux distros
Reviewed: OS-repository DBMSs, MariaDB vs MySQL.
 
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Who'd have picked a BlackBerry for the Internet of Things?
[Blog] BlackBerry has a more secure future in the physical world.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  71%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 762

Vote