What each has uncovered are at least seven cyberweapon "launcher" files created from a common software platform. A launcher file is needed to stealthily insert the malicious payload (Stuxnet, for instance) onto a computer; it also carries the payload files and the encryption keys needed to unfurl them and make them function.
All seven launcher files contain chunks of identical source code, yet differ in small but important ways, according to a Kaspersky Labs study released last week. Just two of those files are known to be used by the Stuxnet program. Two others are related to an espionage software program called Duqu, discovered last fall.
That leaves three launcher files with no known affiliations. While those three could be affiliated with as-yet-undetected variants of Stuxnet or Duqu, they are more likely to be affiliated with undiscovered cyberweapons operating "in the wild" somewhere in cyberspace, researchers say.
Kaspersky's findings are buttressed by researchers at Symantec, which led the deciphering effort on Stuxnet in 2010. The companies' findings imply that Stuxnet's creators are not resting on past deeds, such as the attack on Iran's nuclear fuel manufacturing facilities. Instead, they are apparently churning out new cyberweapons for new missions from that same common software platform, researchers from both firms told the Monitor.
"Stuxnet's creators used a [software] platform to package and deliver it, because they wanted to be able to make many cyberweapons easily and be able to change them rapidly for targeting and attack," says Costin Raiu, director of the global research and analysis team at Kaspersky Labs, in a phone interview from Romania.
"What's going on seems not so much like a weapons factory as much as a super-secret lab that creates experimental cyberweapons," he adds. "It's more like they're making ion cannons or something – but for cyberwar. These are not normal line weapons, but the highest tech possible to wage cyberwar and cybersabotage."