Duqu 2.0: 'Terminator' malware that pwned Kaspersky could have come from Israel
Infosec bigwigs differ — but it's definitely a state operation
Eugene Kaspersky reckons hacking into his firm's corporate network was a "silly" move by cyberspies, but independent experts are far from convinced.
All seem agreed that the rare attack by a state against a leading information security firm is bad news for corporate security more generally, as it shows attacks are getting more sophisticated and harder to defend against.
Kaspersky Lab went public on Wednesday about an attack on its corporate network which also hit high-profile victims in Sweden, India, the USA and the UK, as well as North Africa and South East Asia, including covert surveillance attempts during the ongoing Iranian nuclear talks. Telecoms and electronics firms were among the targets.
The Duqu 2.0 malware platform associated with the attacks was exploiting up to three zero-day vulnerabilities, marking it out as sophisticated and likely the work of an intelligence agency.
Duqu 2.0 is an evolution of the older Duqu worm, which was used in reconnaissance attacks against industrial control systems before it was exposed in September 2011.
The revamped version of Duqu is even more stealthy and resides solely in the computer’s memory, with no files written to disk. The malware platform establishes a backdoor into compromised networks before uploading sensitive data to command-and-control (C&C) servers, as explained in a blog post by Symantec here.
Attackers behind the assault infected network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers' command-and-control servers.
Kaspersky Lab detected a break-in to its internal systems in spring 2015 before isolating the Duqu 2.0 malware behind the breach in a subsequent internal investigation.
During a press conference in London on Wednesday the normally ebullient Kaspersky cut a downbeat figure, describing the attack as "very complicated" and "almost invisible". He suggested his firm may have been attacked for bragging rights.
"They wanted to prove themselves that they're cool, so they're able to affect a leading security IT company," Kaspersky said. "That was a mistake. I'm afraid that the costs of this project, cyber attack, could be ten million dollars, maybe more."
Kaspersky went on to describe the malware as a "mix of Alien, Terminator and Predator, in terms of Hollywood".
Dave Waterson, founder and CEO of data security company SentryBay, disagreed with this assessment. Cyberspies behind the attack were far from mistaken and knew exactly what they were about, Waterson reckons.
Espionage agencies normally try to hide their actions from detection. Attacking one of the world's best teams of security researchers runs counter to that strategy, but perhaps the prize on offer was deemed worth the risk. That, at least, is what Martijn Grooten, editor of Virus Bulletin, seemed to think.
So Duqu 2.0 attacked Kaspersky itself. There goes my theory about how intel agencies are desperate not to get detected.
— Martijn Grooten (@martijn_grooten) June 10, 2015