Researchers Uncover U.S. Footprints in Mysterious Cyber Warfare Tools

The U.S. used the Stuxnet trojan to attack Iran in 2010.

Attack workflow for Flame controllers (Symantec)

Kaspersky Lab and Symantec have teamed up to peel apart the United States’ cyber warfare efforts. So far, they have uncovered the command and control systems behind the sophisticated malware as well as three previously unknown chunks of malicious code possibly related to alleged American cyber superbugs Flame and Duqu.

Reuters reports that researchers from the security firms discovered how the malware was disseminated: through an outwardly innocent-seeming content management system (CMS) named Newsforyou.

It was designed to look like a common program for managing content on websites, which was likely done in a bid to disguise its real purpose from hosting providers or investigators so that the operation would not be compromised, Kaspersky said in its report.

Newsforyou handled four types of malicious software: Flame and programs code-named SP, SPE and IP, according to both firms. Neither firm has obtained samples of the other three pieces of malware.

According to Symantec, Newsforyou allowed attackers to “upload packages of code, to deliver to compromised computers, and to download packages containing stolen client data.” Symantec writes that the mystery chunks of code were “likely unknown variants” on Flame but could have been “totally distinct malware.”

More intriguing, researchers uncovered nicknames for a handful of programmers who worked on the malware over the course of the last six years or so:

The attackers were not thorough enough, however, as a file revealing the entire history of the server's setup was available. In addition, a limited set of encrypted records in the database revealed that compromised computers had been connecting from the Middle East. We were also able to recover the nicknames of four authors—D***, H*****, O******, and R***—who had worked on the code at various stages and on differing aspects of the project, which appear to have been written as far back as 2006.

Symantec and Kaspersky have an additional mystery for which they seek the public's help: this mysterious hashed password, 27934e96d90d06818674b98bec7230fa.

Researchers say they have attempted “brute-force” cracks of the hashed code, to no avail. If you’re up for a juicy password cracking challenge that may also put you on a government watchlist, hit them up on Twitter.
