Last week Duqu, a new Trojan, became known to us; security experts and the media readily dubbed it Stuxnet 2.0. Stuxnet and Duqu, however, are probably only the tip of the iceberg and the precursors of new attack scenarios that will keep us busy from now on.
It was the special characteristic of Stuxnet that the attack did not occur at the level of popular operating systems. Stuxnet targeted the control systems of industrial plants. The alleged target was the control technology of Iran's nuclear power plants.
According to the available information, the Siemens Simatic S - an essential component for frequency conversion - was affected in particular. Such components are used, for example, to control the speed of motors in many industrial plants.
Neither the authors of Stuxnet nor their sponsors have been uncovered, nor has their actual intention, at least not to the general public. After a closer look at the way the Stuxnet attacks were carried out, however, it becomes rather clear that they can be classified as what is known as an APT (Advanced Persistent Threat).
Such attacks are carried out selectively and over a longer period, using various attack techniques. Just to smuggle Stuxnet into the target systems, the organization behind it had to exploit vulnerabilities in other systems.
The recently discovered Duqu is a new Trojan with some worm functionality. Its relationship to Stuxnet is evident, as parts of the Stuxnet code are reused. Duqu is classified as an APT too. It can safely be assumed that the attacker behind Duqu is to be sought among governmental agencies.
Unlike Stuxnet, Duqu seems to be only the precursor of the real attack. Its job was to gather information, which it sent to a server in India. This server has since been taken down. Duqu also had a limited lifetime. The goal of Duqu seems to be to gather information for a new wave of attacks.
It becomes clear that the risks in IT have reached a new level. It is no longer just about access to data. It is about intruding into industrial plants, such as power generation facilities, in order to take over control.
Stuxnet was reportedly transported via infected USB drives. Increased networking also opens up new, more direct routes. IT security concepts have to cover all systems and all communication channels; linking systems via networks does not appear useful in every case.
Some kind of healthy suspicion is therefore appropriate.
Moreover, it is important to note that even digital certificates can no longer be trusted to the same extent as before. The attacks on DigiNotar and probably other CAs (Certificate Authorities, the issuers of digital certificates used, for example, for SSL or for code signing), as well as the attacks via Stuxnet (where stolen certificates were used), indicate that we need to take this issue more seriously.
This includes the need for more effective protection of private keys and of the use of digital certificates, so as to enable a faster reaction. However, before you begin implementing individual measures, you need to know which assets actually have to be protected and what the risks are.