Duqu 2.0 Attack On Kaspersky Lab Opens Chilling New Chapter In Cyber Espionage

A notorious and advanced nation-state cyber espionage group has turned the tables on Kaspersky Lab, a security firm that has closely tracked and studied its movements over the past few years, by quietly infiltrating the company's network to spy on the vendor's latest attack detection technology and its research on advanced attacks.

Kaspersky Lab revealed today that the group behind Duqu -- a cyberspying malware tool first discovered in 2011 and believed to be used for intel-gathering as part of the Stuxnet cyber sabotage attacks on Iran's nuclear facility -- had hacked its way into the company's corporate network in an apparent attempt to gather intelligence on the firm's latest technologies for thwarting attacks by advanced attacks such as Duqu as well Kaspersky's intel on such attacks and groups.

The targeted attack against Kaspersky Lab represents a dramatic shift in the nation-state attack landscape, with a sophisticated attacker successfully going after a security company's technology and research for intel-gathering purposes of its own. This of course is not the first time a nation-state has hacked a security vendor: RSA Security in 2011 and Bit9 in 2013, for example, each were hit by nation-state cyberspies allegedly from China stealing their technologies, but those attacks were stepping-stones to the vendors' high-profile customers, the attackers ultimate targets. This most recent attack, meanwhile, raises fresh concerns about just how security companies can protect their own customers with their technology if that very technology has been exposed to advanced and well-oiled hackers hell-bent on bypassing it.

Symantec, which also has studied the new attacks, says it was not hit by Duqu 2.0. Nor were FireEye and Trend Micro, according to those firms.

"I just want to confirm that unfortunately, we were facing a very serious cyberattack that was found in our corporate network, and the attack was extremely sophisticated," Eugene Kaspersky, CEO of Kaspersky Lab, said in a press conference today. "We have never [seen] anything similar to this attack. This is a new generation of a most likely state-sponsored malware … the attack is very complicated, and it's almost invisible."

He maintained that none of his company's customers nor partners were affected, and that no corporate or financial information was hit -- just its new technology, including Kaspersky's Secure Operating System platform, Kaspersky Fraud Detection, and its Security Network and Anti-API products and services.

"It is stupid to attack a cyber security company. Sooner or later, we'll find out," Kaspersky said today in the press event.

Aside from Kaspersky Lab, Duqu 2.0 has also targeted some 100 victims in Western countries, the Middle East, Russia, and Asia. Some of the targets were involved with the P5+1 meetings and venues associated with the nuclear negotiations with Iran, according to findings by Kaspersky and Symantec.  Among the targets are a telecommunications operator in Europe and one in North Africa, as was a Southeast Asian electronic equipment manufacturer, and machines in the US, UK, Sweden, India, and Hong Kong were found by Symantec to contain a Duqu 2.0 infection.

The telecommunications providers and equipment vendor victims are likely "stepping stones" to the final target, and were exploited for monitoring those individuals' mobile or other communications, according to Symantec.

"To circumvent encryption" to conduct spying, you might want to know the chipset of a mobile carrier, for example, says Vikram Thakur, senior manager of Symantec Security Response.

What sets Duqu 2.0 apart from its predecessor and other attacks is how it hides out: the code runs in the victim computer's memory only, and deletes its tracks on the hard drive. So if a machine is rebooted, the infection is eradicated. Even so, Duqu 2.0 has a remote process for reinfecting a machine if necessary after it's rebooted.

Thakur says the Duqu 2.0 attack on Kaspersky Lab represents a new type of attack by nation-state actors. "I think what we saw with Kaspersky Lab is unprecedented. We have not seen this happen before. We've seen attacks on the security industry -- and at Symantec, we face a lot of attack" attempts, he says. "But we don't believe those attacks are driven by nation-states trying to get a grip on the research we're doing."

"This raises the bar. The security industry has to look over our own shoulders now," Thakur says. "It's not just cybercriminals chasing us at this point. It's distressing and alarming at the same time that people with such resources are trying to monitor upcoming research and technology, because at the end of the day, we're fighting the good fight and trying to reduce the amount of malware on our own customer base."

Although neither Kaspersky nor Symantec would share their theories on just which nation is behind Duqu, many experts say the more likely culprit is Israel, although attribution can be tricky in the cloak-and-dagger world of nation-state spying.

Eugene Kaspersky said he's sure the attackers were studying and watching his company's work. "I'm pretty sure they were watching … information related to our virus research and technologies in how we find malware, how we process this malware, and which kind of malware is manually processed," he said.

Kaspersky Lab today also published a detailed technical report on Duqu 2.0, which deployed three zero-day exploits, including one patched by Microsoft yesterday (CVE-2015-2360), CVE-2014-6324, and a third still-unknown exploit that hit the first victim at Kaspersky. That third bug remains a mystery: the attackers wiped the victim's browser history and inbox, to hide the initial phishing attack.

"All we can say now is that probably [it] was a highly targeted spear-phishing campaign, containing a link to a malicious website with exploit. We suppose this could be a CVE-2014-4148 exploit that allowed the attackers to jump directly into kernel mode from a Word Document, which was apparently also used by the Duqu attackers last year," says Kurt Baumgartner, principal security researcher at Kaspersky Lab.

The second exploit used after the initial attack vector that hit "patient zero" at Kaspersky exploited a bug that lets an unprivileged domain user become a domain administrator. The third was the newly patched CVE-2015-2360, a Windows bug in the kernel mode-driver that manages memory and validates input from users; the flaw lets an attacker install his own programs, view and change or delete data, and create new user accounts with high privileges.

The attack on Kaspersky Lab had been underway for months before it was finally detected early this year while the company was testing a prototype of its anti-APT product. Duqu 2.0, which obtains domain administrator privileges on its victim, spreads via Microsoft Software Installer as a way to hide in plain sight, and flies under the radar with well-masked communications to its command-and-control infrastructure.

"They [Duqu 2.0 attackers] were able to merge their traffic along with common communications" so it would blend in, Thakur says.

The Duqu attackers, who haven't been seen in action by Kaspersky since March 2012, began this latest attack campaign sometime in the fall of 2013.

Nothing 'Critical' Exposed

Kaspersky officials maintain that their intellectual property exposed in the attack doesn't hurt the integrity of their products. There was nothing "critical to the operation of the company's products"  exposed in the attack, Baumgartner says.

But security experts say the attacks are a dangerous precedent for security.

"It's a worrying thing that most likely a state backed group attacked a private company in a different country, or even countries. It is even more worrying that such attacks might also happen to other security companies. This cannot just be harmful to the global computer security, but introduces trust issues," says Boldizsar Bencsath, security expert at the Budapest University of Technology and Economics'  Laboratory of Cryptography and Systems. "How a single user should select a security product? How security companies should handle these type of events?"

Bencsath, whose team discovered the very first variant of Duqu, says Kaspersky Lab was "brave" to give details of the attack on its own infrastructure. He says his team has found no evidence of Duqu 2.0 infections at its site, and posted a blog on the new variant today.

Kaspersky Lab hasn't seen any ties to the so-called Equation Group -- thought by many in the industry to be the US National Security Agency -- and Duqu 2.0, although there were indications of some ties with Stuxnet.

 "While the two groups, Duqu and Equation, might have cooperated in the past, it seems they are now separate – for instance, one victim of Duqu 2.0 was infected by both the Equation Group and Duqu at the same time, indicating the two entities are different and competing for information from their victims," Kaspersky's Baumgartner says.

Duqu 2.0 is still active, he says, despite being outed.