Kaspersky compromise points to nation-state actors

Company says revamped version of Duqu is a generation ahead of anything previously seen


Kaspersky Lab disclosed on Wednesday that its own corporate network had been compromised by malware more advanced than anything the company had seen before. Based on its similarities with earlier samples, Kaspersky is confident the malware is a reworked version of Duqu, which was first seen in 2011.

In a post on Forbes.com, Eugene Kaspersky said that those responsible for the attack on his company were being silly. "This was a case of industrial espionage, plain and simple. Nevertheless, the more I think about it, the less it makes sense," Kaspersky wrote.

The malware, Duqu 2.0, "is a generation ahead of anything we’d seen earlier – it uses a number of tricks that make it really difficult to detect and neutralize," Kaspersky added in a company blog post on the topic.

Duqu 2.0 was detected by Kaspersky with an in-house tool designed to discover advanced malware. That product is far from finished, but the company was fortunate that it already worked well enough, even in its alpha state, to flag that something was amiss.

That is not to say the team behind Duqu did not do everything it could to remain hidden.

“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high," said Costin Raiu, Director of Kaspersky Lab’s Global Research & Analysis Team in a statement.

"To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”

It isn't clear how the attackers first got into the network, but the working theory proposed by Kaspersky is that an employee in a small APAC office was targeted by a phishing campaign. This theory is supported by the fact that the attackers deleted the staffer's mailbox and browsing history once their point of entry had been discovered. The company is currently going through backup logs and other data to confirm the attack's source.

While the attackers on Kaspersky's network were looking for corporate secrets and code, they were also using Duqu 2.0 to target several high-profile foreign dignitaries and politicians at the venues hosting the P5+1 talks on Iran's nuclear programme, as well as at the event marking the 70th anniversary of the liberation of Auschwitz-Birkenau.

"Attacking us was hardly the smart move: they’ve now lost a very expensive technologically-advanced framework they’d been developing for years. Besides, they tried to spy on our technologies… which are accessible under licensing agreements," Kaspersky's blog post added.

"As mentioned, our investigation is still underway; it will require a few more weeks to get the whole picture in all its detail. However, we’ve already verified that the source code of our products is intact. We can confirm that our malware databases have not been affected, and that the attackers had no access to our customers’ data."

Kaspersky has released a detailed report on the Duqu 2.0 malware, as well as IOC data. The full details are available here.
