Kaspersky Lab corporate network targeted by Duqu 2.0

• Company comes clean on cyber-intrusion, but is confident its customers are safe
• Duqu attacks linked to P5+1 events and venues on nuclear negotiations with Iran 

CYBERSECURITY company Kaspersky Lab said its internal networks were targeted by what it believes is the same group that was behind the Duqu advanced persistent threat (APT) attacks of 2011.
 
The attack was carefully planned, and the company believes this is a nation-state sponsored campaign, it said in a statement.
 
Kaspersky Lab also strongly believes the primary goal of the attack was to acquire information on its newest technologies.
 
The attackers were especially interested in the details of Kaspersky Lab’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network and Anti-APT solutions and services, the company said.
 
Departments not related to research and development (sales, marketing, communications, legal) were of no interest to the attackers.
 
The company said it is confident that its clients and partners are safe and that there is no impact on its products, technologies and services.
 
Kaspersky Lab researchers discovered the company wasn’t the only target of this powerful threat actor. Other victims have been found in Western countries, as well as in countries in the Middle East and Asia.
 
Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal, it said in its statement.
 
The threat actor behind Duqu appears to have launched attacks at the venues where the high-level talks took place.
 
In addition to the P5+1 events, the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. These meetings were attended by many foreign dignitaries and politicians.
 
“Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised,” said Kaspersky Lab chief executive officer Eugene Kaspersky (pic).
 
“Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilised by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario.
 
“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: All illegal operations will be stopped and prosecuted.
 
“The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin,” he added.
 
Tracing the intrusion
 
Earlier this year, Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems. It launched an intensive investigation, which led to the discovery of a new malware platform from what it described as one of the most skilled, mysterious and powerful threat actors in the APT world: Duqu.
 
The attack included some unique and earlier unseen features and almost didn’t leave traces. The attack exploited zero-day vulnerabilities and after elevating privileges to domain administrator, the malware is spread in the network through MSI (Microsoft Software Installer) files which are commonly used by system administrators to deploy software on remote Windows computers.
 
The cyberattack didn’t leave behind any disk files or change system settings, making detection extremely difficult.
 
The philosophy and way of thinking of the ‘Duqu 2.0’ group is a generation ahead of anything seen in the APT world, Kaspersky Lab said.
 
Kaspersky Lab performed an initial security audit and analysis of the attack. The audit included source code verification and checking the corporate infrastructure.
 
The audit is still ongoing and will be completed in a few weeks, the company said. Besides intellectual property theft, no additional indicators of malicious activity were detected.
 
The analysis revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected.
 
The big picture
 
“The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar,” said Costin Raiu (pic), director of Kaspersky Lab’s Global Research & Analysis Team.
 
“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high.
 
“To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it.
 
“It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers,” he added.
 
More details on the Duqu 2.0 malware and Indicators of Compromise can be found in this technical report.
 
For general guidance on mitigating APTs, see How to mitigate 85% of all targeted attacks using 4 simple strategies.
 
Related Stories:
 
Kaspersky Lab uncovers ‘The Mask,’ advanced global cyber-espionage ops
 
Security industry to pay more attention to cyber-espionage: InfoWatch CEO
 
Advanced threat activities by Iran-linked group: FireEye
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.