Researchers Uncover Threat Actor Supergroup Linked to Stuxnet, Flame, Duqu

Luana Pascu

April 23, 2019

Researchers Uncover Threat Actor Supergroup Linked to Stuxnet, Flame, Duqu

Could critical infrastructure attacks be making a comeback? Or did these invisible threats never leave in the first place? Extensive research reveals that as many as four threat actors many have been involved in creating Stuxnet, the sophisticated computer worm that demolished Iran’s nuclear infrastructure in 2007. In light of recent discoveries about similarities in malware samples, cyber espionage appears to be a growing threat that can hide for years before its discovered.

Initially identified as a cyber espionage collaboration between the US and Israel, the Stuxnet hacking operation seems to have included Flame and Duqu variants, with research pointing to a fourth malware team involved in developing Stuxnet.

The discovery was made by Juan Andres Guerrero-Saade and Silas Cutler, researchers at Alphabet’s Chronicle Security who were investigating the GossipGirl Supra Threat Actor (STA) cluster. They used YARA to scan code collected over the years in the VirusTotal database to look for any connection between Stuxnet and other malware samples.

The researchers identified Flowershop, operating since 2002, and Flame 2.0, which was believed to have been disabled by its Israeli creators. According to the researchers, the malware was never killed off. Instead its creators made it harder to detect.

“The value of this recent finding is twofold: First, it suggests that yet another team with its own malware platform was involved in the early development of Stuxnet. And secondly, it supports the view that Stuxnet is in fact the product of a modular development framework meant to enable collaboration among diverse, independent threat actors,” reads the technical analysis. “Our recent findings, alongside the outstanding body of previously reported technical analysis on this threat, would place the ‘Flowershop team’ alongside Equation, Flame, and Duqu as those involved in tooling the different phases of Stuxnet as an operation active perhaps as early as 2006. Perhaps the most apt metaphor for Stuxnet is that of a ‘plane built as its being flown’.”

Cybercriminal organizations know that critical infrastructures such as water, energy, transportation, telecommunications and hospitals are vulnerable: a perfect target for a nation-state attack that wants to cripple a country and possibly cause physical harm. According to Bitdefender researchers, ransomware is one of the top threats targeting critical infrastructures. Even though it’s one of the most profitable malware attacks, Bitdefender researchers say it is currently “plateauing,” while more exploits are expected to occur in the IoT ecosystem. Critical infrastructures now include connected devices so hackers will look into monetizing their weaknesses through third-party vulnerabilities and software glitches, especially in the medical field, while network-level exploits will be more prevalent in the banking sector.  


Contact an expert



Luana Pascu

From a young age, Luana knew she wanted to become a writer. After having addressed topics such as NFC, startups, and tech innovation, she has now shifted focus to internet security, with a keen interest in smart homes and IoT threats. Luana is a supporter of women in tech and has a passion for entrepreneurship, technology, and startup culture.

View all posts

You might also like