Moscow-based antivirus firm Kaspersky Lab, famous for uncovering state-sponsored cyberattacks, today dropped its biggest bombshell yet: Its own computer networks were hit by state-sponsored hackers, probably working for Israeli intelligence or the U.S. National Security Agency. The same malware also attacked hotels that hosted ongoing top-level negotiations to curb Iran's nuclear program.
"It's almost a mix of Alien, Terminator and Predator, in terms of Hollywood," Kaspersky Lab CEO Eugene Kaspersky, at a press conference in London today, said of the malware that ran undetected through his own company for months. "It's a new generation of, most probably, state-sponsored malware."
Kaspersky Lab has never attributed an attack to a specific nation-state. But it said this new malware bore unmistakable similarities to Duqu, a worm found stealing files related to industrial-control systems in 2011.
Kaspersky researchers call the new bug "Duqu 2.0." Duqu itself had clear ties to Stuxnet, the malware developed by the NSA and Israeli intelligence that attacked and crippled an Iranian nuclear-fuel processing plant in 2010.
"This is a relative, a next generation, of Duqu," Eugene Kaspersky said in the press conference. "Most probably, it was made by the same people, or they shared the code with someone else."
Eugene Kaspersky said that the Duqu 2.0 worm had roamed through his company's systems for several months, looking for information related to malware research and development of anti-malware technologies.
"It was not interested in financials or in corporate data," he said. "It wanted to know what kind of malware we're working on right now."
"That's the bad news," Eugene Kaspersky added. "But on the other hand, I'm happy. It's proof that our company is high on the list of technologies and research."
Reports in the American media have tried to establish links between Kaspersky Lab and the Russian government, a link that the company denies. The company was given the contract to oversee cybersecurity at the 2014 Winter Olympics in Sochi, Russia, but has also disclosed state-sponsored attacks that have most likely originated with the Kremlin. Tom's Guide has reviewed Kaspersky Lab antivirus products several times, and has found them to be very good.
In a separate report released today, U.S. antivirus giant Symantec said it too had concluded that the new bug was "an evolution of the older Duqu worm." The Hungarian academic research facility CrySys Lab, which discovered the original Duqu, reached the same conclusion in its own report. Neither chose to identify a particular nation as responsible for Duqu 2.0.
Symantec said Duqu 2.0 had hit "a European telecoms operator, a North African telecoms operator and a South East Asian electronic equipment manufacturer," as well as other targets in "the U.S., U.K., Sweden, India and Hong Kong." Kaspersky Lab said that, other than itself, the main targets had been "events and venues" related to the "P5 + 1" negotiations with Iran over limiting the country's controversial nuclear program.
In a report today, The Wall Street Journal quoted a Kaspersky Lab researcher as saying the targets were three unspecified European hotels that had hosted the negotiations, which involve representatives from the United States, Britain, France, Germany, Russia, China, Iran and the European Union.
Slouching towards Jerusalem, not Fort Meade
Told by a reporter that the Journal had linked Duqu 2.0 to Israel (on the assumption that Duqu itself was created by Israel, not the United States), Eugene Kaspersky seemed surprised.
"All we have is technical attribution," he replied. "It was most probably the same people, or in cooperation with the same people, that made Duqu."
The Israeli connection is intriguing because Kaspersky Lab also reported that Duqu 2.0 was used to attack organizations linked to the 70th-anniversary commemoration of the liberation of the Auschwitz extermination camp from the Nazis, observed this past January.
Buried deep in Kaspersky Lab's 50-page technical report on Duqu 2.0 are hints that Israeli hackers, or at least hackers based in a Middle Eastern country that observes the same time zone and work week as Israel, are behind the malware.
"During our 2011 analysis [of the first Duqu], we noticed that the logs collected from some of the proxies indicated the attackers appear to work less on Fridays and didn't appear to work at all on Saturdays, with their regular work week starting on Sunday," the report says. "The compilation timestamps in the binaries seemed to suggest a time zone of GMT+2 or GMT+3."
The reports says Duqu 2.0 was written "in almost perfect English," but that the code contains "a minor mistake indicating the involvement of non-native speakers" — a misspelling of "exceeded" as "excceeded."
The Duqu 2.0 code contains references to well-known Russian and Chinese state-sponsored malware, which the Kaspersky Lab report dismisses as deliberately planted clues designed to lead investigators awry.
"Such false flags are relatively easy to spot," the report says, "especially when the attacker is extremely careful not to make any other mistakes."
Perhaps most interestingly, Kaspersky Lab insists repeatedly that the Duqu 2.0 creators are not part of the Equation Group, a different state-sponsored group, uncovered by Kaspersky Lab earlier this year, that is widely assumed to be part of the National Security Agency.
"The philosophy and way of thinking of the Duqu 2.0 group ... surpasses even the Equation Group — supposedly the 'crème de la crème' in this sphere," a FAQ about Duqu 2.0 posted online by Kaspersky Lab states.
"One of the victims appears to have been infected both by the Equation Group and by the Duqu group at the same time," the Kaspersky Lab technical report says. "This suggests the two entities are different and competing with each other to obtain information from this victim."
A gun that can be fired only once
The attackers used three zero-day exploits— malware exploiting software vulnerabilities that have not been publicly disclosed or fixed — to penetrate Kaspersky's systems. Two of the holes were patched last fall, after the Kaspersky intrusion apparently began, while the third was patched by Microsoft only yesterday.
"That is why we're having this conference now," Eugene Kaspersky said today in London. "We had to wait for the patch."
Asked by a reporter how long Kaspersky Lab had to wait, he responded, "I'm not comfortable with that question. It was the usual Microsoft reaction time."
By itself, the presence of three zero-day exploits would almost be enough to confirm Duqu 2.0 as the work of a government intelligence agency. Zero-day exploits are expensive to discover, expensive to buy and can be used for only a brief window of time before defenders shut them down. The Stuxnet worm, for example, had four Windows zero-days, and a fifth for Siemens industrial-control software.
Ghost in the machine
Duqu 2.0 is extraordinary, Eugene Kaspersky and Kaspersky Lab researchers said, because it resides entirely in the RAM, or working memory, of an infected machine. It does not leave any traces on the hard drive or in the Windows Registry. If a server or computer is turned off, the malware disappears, but the machine will be re-infected as soon as it connects to an infected one on the local network.
"It spreads through the network pretending to be a system administrator," Eugene Kaspersky said. "It's almost not possible to see it, because there are no disk files created, no Registry changes. It's invisible, very aggressive, very effective."
MORE: Best Antivirus Software
The malware was detected on Kaspersky Lab's systems in February, after Eugene Kaspersky and his top researchers returned from his company's Security Analyst Summit in Cancun, Mexico. A researcher testing a new tool to detect APTs, or advanced persistent threats — information-security jargon for nation-state attacks — noticed that he was detecting unusual behavior in Kaspersky Lab's own networks.
"How did we find it?" Eugene Kaspersky asked with a laugh during the London press conference. "Come on — it's stupid to attack a cybersecurity company. Sooner or later, we're gonna find it anyway."
The malware was traced to a computer used by a non-technical Kaspersky Lab employee — an employee who, Eugene Kaspersky hinted, regularly dealt with the public — in the Asia-Pacific region. As soon as company researchers began examining the computer, however, the Duqu 2.0 administrators detected their efforts and wiped the machine's browsing history and email archive.
Because of that effort to cover digital tracks, the Kaspersky researchers can't tell for certain how the malware got in, but they suspect a "spear-phishing" email bearing an attached file infected with a zero-day exploit. This method was used by Chinese state-sponsored hackers to penetrate the RSA digitial-security firm in 2011, which led to the theft of U.S. military secrets from defense contractors that used RSA's technology to secure their networks.
Eugene Kaspersky today reassured his own customers that their own systems were safe, especially because the same APT-detection tool used to find Duqu 2.0 was pushed out "a few days ago" to Kasperky Lab's enterprise clients.
"For our customers, I recommend updating from our databases, then rebooting the computer," he said. "If [the Duqu 2.0] malware tries to enter, it will be detected. To get rid of [the] malware, it's very simple — turn off all computers in network for half an hour, then the system will be clean."
- The Best (and Worst) Identity Theft Protection
- Your Router's Security Stinks: Here's How to Fix It
- What to Do After a Data Breach