
Duqu 2.0 Attack On Kaspersky Lab Opens Chilling New Chapter In Cyber Espionage

New nation-state campaign with previous ties to Stuxnet spies on a security firm's research and anti-cyberespionage technologies -- as well as on participants in the Iranian nuclear negotiations and their telecommunications and mobile providers.

A notorious and advanced nation-state cyber espionage group has turned the tables on Kaspersky Lab, a security firm that has closely tracked and studied its movements over the past few years, by quietly infiltrating the company's network to spy on the vendor's latest attack detection technology and its research on advanced attacks.

Kaspersky Lab revealed today that the group behind Duqu -- a cyberspying malware tool first discovered in 2011 and believed to have been used for intelligence-gathering as part of the Stuxnet cyber sabotage attacks on Iran's nuclear facility -- had hacked its way into the company's corporate network in an apparent attempt to gather intelligence on the firm's latest technologies for thwarting advanced attacks such as Duqu, as well as on Kaspersky's intel about such attacks and the groups behind them.

The targeted attack against Kaspersky Lab represents a dramatic shift in the nation-state attack landscape, with a sophisticated attacker successfully going after a security company's technology and research for intelligence-gathering purposes of its own. This of course is not the first time a nation-state has hacked a security vendor: RSA Security in 2011 and Bit9 in 2013, for example, were each hit by nation-state cyberspies, allegedly from China, who stole their technologies. But those attacks were stepping-stones to the vendors' high-profile customers, the attackers' ultimate targets. This most recent attack, meanwhile, raises fresh concerns about just how security companies can protect their own customers with their technology if that very technology has been exposed to advanced and well-resourced attackers hell-bent on bypassing it.

Symantec, which also has studied the new attacks, says it was not hit by Duqu 2.0. Nor were FireEye and Trend Micro, according to those firms.

"I just want to confirm that unfortunately, we were facing a very serious cyberattack that was found in our corporate network, and the attack was extremely sophisticated," Eugene Kaspersky, CEO of Kaspersky Lab, said in a press conference today. "We have never [seen] anything similar to this attack. This is a new generation of a most likely state-sponsored malware … the attack is very complicated, and it's almost invisible."

He maintained that none of his company's customers or partners were affected, and that no corporate or financial information was hit -- just its new technology, including Kaspersky's Secure Operating System platform, Kaspersky Fraud Detection, and its Security Network and Anti-APT products and services.

"It is stupid to attack a cyber security company. Sooner or later, we'll find out," Kaspersky said today in the press event.

Aside from Kaspersky Lab, Duqu 2.0 has also targeted some 100 victims in Western countries, the Middle East, Russia, and Asia. Some of the targets were involved with the P5+1 meetings and venues associated with the nuclear negotiations with Iran, according to findings by Kaspersky and Symantec. Among the targets were a telecommunications operator in Europe and one in North Africa, as well as a Southeast Asian electronic equipment manufacturer; Symantec also found machines in the US, UK, Sweden, India, and Hong Kong infected with Duqu 2.0.

The telecommunications provider and equipment vendor victims are likely "stepping stones" to the final targets, and were compromised in order to monitor those individuals' mobile or other communications, according to Symantec.

"To circumvent encryption" to conduct spying, you might want to know the chipset of a mobile carrier, for example, says Vikram Thakur, senior manager of Symantec Security Response.

What sets Duqu 2.0 apart from its predecessor and other attacks is how it hides: the code runs only in the victim computer's memory and leaves no traces on the hard drive. So if a machine is rebooted, the infection is eradicated. Even so, Duqu 2.0 has a remote mechanism for reinfecting a machine after it has been rebooted, if necessary.

Thakur says the Duqu 2.0 attack on Kaspersky Lab represents a new type of attack by nation-state actors. "I think what we saw with Kaspersky Lab is unprecedented. We have not seen this happen before. We've seen attacks on the security industry -- and at Symantec, we face a lot of attack" attempts, he says. "But we don't believe those attacks are driven by nation-states trying to get a grip on the research we're doing."

"This raises the bar. The security industry has to look over our own shoulders now," Thakur says. "It's not just cybercriminals chasing us at this point. It's distressing and alarming at the same time that people with such resources are trying to monitor upcoming research and technology, because at the end of the day, we're fighting the good fight and trying to reduce the amount of malware on our own customer base."

Although neither Kaspersky nor Symantec would share their theories on just which nation is behind Duqu, many experts say the more likely culprit is Israel, although attribution can be tricky in the cloak-and-dagger world of nation-state spying.

Eugene Kaspersky said he's sure the attackers were studying and watching his company's work. "I'm pretty sure they were watching … information related to our virus research and technologies in how we find malware, how we process this malware, and which kind of malware is manually processed," he said.

Kaspersky Lab today also published a detailed technical report on Duqu 2.0, which deployed three zero-day exploits, including one patched by Microsoft yesterday (CVE-2015-2360), CVE-2014-6324, and a third still-unknown exploit that hit the first victim at Kaspersky. That third bug remains a mystery: the attackers wiped the victim's browser history and inbox, to hide the initial phishing attack.

"All we can say now is that probably [it] was a highly targeted spear-phishing campaign, containing a link to a malicious website with exploit. We suppose this could be a CVE-2014-4148 exploit that allowed the attackers to jump directly into kernel mode from a Word Document, which was apparently also used by the Duqu attackers last year," says Kurt Baumgartner, principal security researcher at Kaspersky Lab.

The second exploit, used after the initial attack vector that hit "patient zero" at Kaspersky, targeted a bug that lets an unprivileged domain user become a domain administrator. The third was the newly patched CVE-2015-2360, a Windows bug in the kernel-mode driver that manages memory and validates input from users; the flaw lets an attacker install his own programs, view, change or delete data, and create new user accounts with high privileges.

The attack on Kaspersky Lab had been underway for months before it was finally detected early this year, while the company was testing a prototype of its anti-APT product. Duqu 2.0, which obtains domain administrator privileges on its victim, spreads via Microsoft Software Installer packages as a way to hide in plain sight, and flies under the radar with well-masked communications to its command-and-control infrastructure.

"They [Duqu 2.0 attackers] were able to merge their traffic along with common communications" so it would blend in, Thakur says.

The Duqu attackers, who haven't been seen in action by Kaspersky since March 2012, began this latest attack campaign sometime in the fall of 2013.

Nothing 'Critical' Exposed

Kaspersky officials maintain that the intellectual property exposed in the attack doesn't hurt the integrity of their products. There was nothing "critical to the operation of the company's products" exposed in the attack, Baumgartner says.

But security experts say the attacks are a dangerous precedent for security.

"It's a worrying thing that most likely a state-backed group attacked a private company in a different country, or even countries. It is even more worrying that such attacks might also happen to other security companies. This cannot just be harmful to global computer security, but introduces trust issues," says Boldizsar Bencsath, security expert at the Budapest University of Technology and Economics' Laboratory of Cryptography and Systems. "How should a single user select a security product? How should security companies handle these types of events?"

Bencsath, whose team discovered the very first variant of Duqu, says Kaspersky Lab was "brave" to give details of the attack on its own infrastructure. He says his team has found no evidence of Duqu 2.0 infections at its site, and posted a blog on the new variant today.

Kaspersky Lab hasn't seen any ties between Duqu 2.0 and the so-called Equation Group -- thought by many in the industry to be the US National Security Agency -- although there were indications of some ties with Stuxnet.

"While the two groups, Duqu and Equation, might have cooperated in the past, it seems they are now separate -- for instance, one victim of Duqu 2.0 was infected by both the Equation Group and Duqu at the same time, indicating the two entities are different and competing for information from their victims," Kaspersky's Baumgartner says.

Duqu 2.0 is still active, he says, despite being outed.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

6/12/2015 | 9:40:11 PM
Pull the Plug
Isn't it time to call a spade a spade and pull the plug on China? If China is so important to our mega billionaires, then let them fix China and when it's fixed reconnect them!