Russian security firm Kaspersky Lab today hosted a dramatic press conference that all but accused the US of carrying out a successful cyber-attack on the company using an obscure but extremely advanced cyber-weapon called ‘Duqu 2.0’.
It should be underlined that the firm did not mention the US or its allies by name but simply said that it believed the attack was conducted by a nation state that has also used the same APT to attempt surveillance on the recent negotiations with Iran over the country’s nuclear development.
Of course those with a long enough memory will recall that Duqu 1.0, a worm first discovered in late 2011, was later forensically if not categorically connected to the infamous Stuxnet attack on Iran overwhelmingly blamed on the US and Israel. If Kaspersky Lab is sure that a version of Duqu was used in the latest attack on it and other organisations then that leaves only one sure conclusion – the attack was the work of the US or its allies.
For a security firm to admit to being attacked by anyone let alone a nation state is an unprecedented admission. The likelihood that the attacker was the US or a proxy takes the security industry into new territory.
At some point after the attack dating from earlier this year Kaspersky Lab realised something was wrong. On investigation it was realised that the software used had exploited zero day flaws (all now patched), levering MSI (Microsoft Software Installer) files to spread itself across the network . It left no or almost no trace of itself. The people that did this knew what they were doing.
Kaspersky has described it as so advanced that it would be a “generation ahead” of the best nation-state cyber-weapons currently circulating.
“The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar,” said Kaspersky Lab’s director of global research, Costin Raiu.
“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it.
“It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”
This will only increase the impression that cyber-operations, including those of the US, are spiralling if not out of control then into dangerous territory.
Kaspersky Lab is a Russian security company of course and has been accused of devoting too much time to investigating non-Russian malware. But for a nation state to contemplate attacking an expert entity is still a dangerous event. The possibility that nation states might use their immense power in developing complex programs to spy on the people who are out to expose them should be disturbing to us all.
With immaculate timing, security firm Symantec released its own analysis of the same Duqu attack, which it said had also been used to carry out espionage against “a European telecoms operator, a North African telecoms operator, and a South East Asian electronic equipment manufacturer.”
There was no question that the old Duqu of 2011 and the new Duqu of 2015 were connected – they shared too much code for a start.
“Duqu 2.0 is a fully featured information-stealing tool that is designed to maintain a long term, low profile presence on the target’s network. Its creators have likely used it as one of their main tools in multiple intelligence gathering campaigns,” said Symantec.
We’ll give Kaspersky Lab’s Raiu that last word because he sums it up perfectly.
“Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised.”
Kaspersky Lab said that its customers were safe despite the attack. Looking to the longer term some might not be feeling so optimistic.