The MiniDuke malware publicised last week and thought to be linked to state-backed espionage has been circulating for nearly two years, a new analysis by security firm Bitdefender has discovered.
The version revealed last week by Kaspersky Lab to have successfully targeted 23 mostly European countries had been operating for a matter of weeks or months, continuing its work until only days before the firm went public.
Now Bitdefender has discovered an older sample that dates back as far as 20 June 2011, confirming the suspicion that MiniDuke was likely to have been around for some time.
At the weekend, the company said it had discovered MiniDuke samples from May 2012, so the malware's known history keeps getting longer, the period of compromise with it, and its success in stealing documents and data from its targets potentially greater.
Judging from the target list, the assumption has been that the backdoor malware was devised by either the Chinese or Russians, although the possibility of it being the work of Russian programmers working for Israel has also been raised.
Bitdefender’s analysis puts us no nearer an answer; the recent version set its time using a Chinese time server while the older 2011 variant used a US Navy server, although these details are hardly convincing clues.
More likely, “the switch from a US Navy clock to a Chinese clock suggests the malware’s designers are simply throwing up a smoke cloud as to their identity,” said Bitdefender’s chief security strategist, Catalin Cosoi.
“MiniDuke was clearly designed as a cyber-espionage tool to specifically target key sensitive government data,” he agreed. “This casts a degree of doubt on who designed MiniDuke.”
The older version does appear to be less complex, however, lacking the recent variant’s more elaborate command and control (C&C), in which low-key use of Twitter accounts was backed up by locations for new instructions served via Google.
The firm had traced one still existing Twitter account to a server with no files on it.
“This is probably because the malware sample is so old that the command and control server is no longer active,” said Bitdefender.
A clutch of suspected cyberweapons have been discovered since Stuxnet two and a half years ago. Since then none has been tied to a single country in a way that can't be refuted, which adds to their ultimate mystery.