Kaspersky Lab has unearthed an attack on its corporate network which hit high-profile victims in several Western, Middle Eastern and Asian nations, including covert surveillance attempts during the ongoing Iranian nuclear talks.
The Duqu 2.0 malware platform associated with the attacks was exploiting up to three zero-day vulnerabilities, a highly unusual feature that strongly suggests nation-state involvement.
The last remaining zero-day (CVE-2015-2360) was patched by Microsoft on 9 June with the MS15-061 patch after Kaspersky Lab experts reported it.
Malware infections linked to the cyber-spying coincide with P5+1 (a group of six world powers — five permanent members of the UN Security Council, plus Germany) events and venues for high-level meetings between world leaders negotiating a nuclear deal with Iran, with Iranian delegates' hotels seemingly targeted.
Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems in spring 2015 and came across the Duqu 2.0 malware in a subsequent internal investigation. This malware was a "generation ahead" of anything previously seen in the APT world, according to Kaspersky Lab:
The attack exploited zero-day vulnerabilities and, after elevating privileges to domain administrator, the malware spread through the network via MSI (Microsoft Software Installer) files, which are commonly used by system administrators to deploy software on remote Windows computers.
The cyberattack didn’t leave behind any disk files or change system settings, making detection extremely difficult.
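As an added illustration of the defensive angle on that lateral-movement technique (example code, not from the original article or from Kaspersky Lab): the script below scans a constructed set of MSI "installation completed" events and flags any account that completed installs on several distinct hosts inside a short window. The field layout, host names and account names are assumptions; a real deployment would read the same fields from collected Windows event logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MsiInstaller "installation completed" events gathered
# from several hosts (hypothetical data, not from the Duqu 2.0 investigation).
# Fields: timestamp, host, account that initiated the install, package name.
SAMPLE_EVENTS = [
    ("2015-03-02 01:12:05", "WS-017", "CORP\\svc-deploy", "agent-update.msi"),
    ("2015-03-02 01:12:41", "WS-022", "CORP\\svc-deploy", "agent-update.msi"),
    ("2015-03-02 01:13:09", "FS-01",  "CORP\\svc-deploy", "agent-update.msi"),
    ("2015-03-02 01:13:55", "WS-031", "CORP\\svc-deploy", "agent-update.msi"),
    ("2015-03-02 09:30:00", "WS-005", "CORP\\alice",      "vpn-client.msi"),
    ("2015-03-02 15:02:17", "WS-009", "CORP\\alice",      "vpn-client.msi"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_msi_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for every account that completed MSI
    installs on at least `min_hosts` distinct hosts within one `window`.
    Legitimate deployment tooling produces the same pattern, so a hit is a
    lead to reconcile against change records, not a verdict."""
    by_account = defaultdict(list)
    for ts, host, account, _package in events:
        by_account[account].append((parse_ts(ts), host))

    findings = defaultdict(set)
    for account, items in by_account.items():
        items.sort()  # chronological order so a sliding window works
        start = 0
        for end in range(len(items)):
            # advance the window start until the span fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = {h for _, h in items[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[account].update(hosts)
    return {acct: sorted(hosts) for acct, hosts in findings.items()}


if __name__ == "__main__":
    for acct, hosts in find_msi_fanout(SAMPLE_EVENTS).items():
        print(f"{acct}: MSI installs on {len(hosts)} hosts: {', '.join(hosts)}")
```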
In addition to the P5+1 events and the attack on Kaspersky Lab, the Duqu 2.0 group targeted the 70th Anniversary event of the liberation of Nazi death camp Auschwitz-Birkenau, an event attended by many foreign dignitaries and politicians.
Spying on diplomatic negotiations is as old as espionage itself. Such snooping gives parties access to information that gives them the edge in negotiations through knowing the other side's position.
The original Duqu is thought to be related to the Stuxnet worm. One strong (but by no means proven) theory is that Duqu was used for reconnaissance against industrial control systems later attacked by Stuxnet.
It's an open secret that the Stuxnet malware was developed as part of a joint US-Israeli cyberweapons programme, codenamed Olympic Games. The NSA and Israel's elite Unit 8200 intelligence corps are therefore prime suspects in the creation of Duqu 2.0.
The attack was carefully planned and seemingly carried out by the same group that was behind the infamous 2011 Duqu APT attack. Kaspersky Lab doesn't name suspects beyond stating it estimates the assault is a nation-state sponsored campaign by skilled hackers who went to great lengths in their attempts to stay under the radar.
"This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high," said Costin Raiu, director of Kaspersky Lab’s global research & analysis team.
"To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers," he added.
The main goal of the attackers in assaulting Kaspersky Lab was to spy on its technologies, ongoing research and internal processes. No interference with processes or systems was detected, the Russian security software firm reports.
An audit, including source code verification and checking of corporate infrastructure, is ongoing.
The attackers were primarily interested in KL's technologies but they also showed a "high interest" in Kaspersky Lab’s current investigations into advanced targeted attacks.
Kaspersky Lab expressed itself "confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services".
Symantec has discovered Duqu 2.0 infections on computers in the USA, UK, Sweden, India, and Hong Kong. A blog post by it on the spying platform can be found here. CrySySLab, the Hungarian lab that first discovered Duqu 1.0, has an analysis on Duqu 2.0 here. ®