Duqu 2.0: 'Terminator' malware that pwned Kaspersky could have come from Israel
Infosec bigwigs differ — but it's definitely a state operation
All this has happened before. And it will happen again.
Although some security experts have expressed outrage about governments attacking IT security companies, the Duqu 2.0 attack on Kaspersky Lab is far from unprecedented.
Microsoft's update service was abused to spread the previous version of Duqu. Certificate Authorities – most notably Diginotar – have also been breached.
Whitelisting firm Bit9's internal systems were hacked in order to attack its customers back in 2013. Hackers broke into its systems before stealing a digital certificate and using it to sign malware.
But perhaps the best previous example of this sort of state-sponsored malfeasance is the attack on RSA Security back in March 2011. Circumstantial evidence suggests that Chinese state-sponsored hackers assaulted RSA in order to launch follow-up attacks against its customers in the military supply and aerospace sector.
A failed attack against Lockheed Martin reportedly leveraged SecurID information stolen from RSA.
The attack on Kaspersky Lab would appear to be an end in itself. Hackers were primarily interested in Kaspersky Lab's technologies but they also showed a "high interest" in Kaspersky Lab’s current investigations into advanced targeted attacks.
Kaspersky, along with Hungarian security outfit CrySySLab, was a key player in discovering Duqu 1.0. That Kaspersky Lab subsequently became a victim of Duqu 2.0 is an irony not lost on the more keen-eyed observers of the cybersecurity scene.
Eugene Kaspersky explained: "They were watching, but they were watching only the information related to virus research and technologies – how do we find malware in the internet, in other customers' computers, and how we process this malware, and which kind of malware is manually processed."
Even rivals praised Kaspersky Lab for admitting it had been pwned by advanced malware, defence against which is the cornerstone of its business.
CrySySLab's analysis of Duqu 2.0 discloses that it received samples (more specifically two DLL files) of what was later identified as Duqu 2.0 from Kaspersky Lab in May 2015. "After analyzing the samples that we received, we think that the attackers behind the Duqu malware are back and active," CrySySLab concludes. "They re-used code and ideas from Duqu in the new Duqu 2.0 malware, but at the same time, they also made modifications in order to render Duqu 2.0 undetectable by the old detection methods."
Game gone changed
Tod Beardsley, engineering manager at Rapid7, the firm behind the Metasploit penetration testing tool, said the sophistication of Duqu 2.0 means that cyber defenders need to raise their game.
"It’s safe to say that Duqu 2.0 represents both the state of the art and the minimum bar for cyber operations," Beardsley commented. "Even if one doubts that Stuxnet, Duqu, and Duqu 2.0 are sourced from well-financed, highly skilled, and geopolitically motivated Western nations, Duqu 2.0 is precisely where we should expect any serious national cyber offensive capability to be."
Beardsley made the point – reiterated by many in the security community in the wake of the attack – that if Kaspersky Lab can get pwned by something like Duqu, then anyone can.
"If you cannot defend against a Duqu 2.0 style long-term campaign, you better not have any data or resources that a national offensive cyber organisation will care to compromise," Beardsley said. "Kaspersky has a reputation for being one of the most capable detection and defence organisations in the world, and the fact that they were compromised is a sobering reminder that the gap between offense and defence is, today, massively lopsided in favour of the attacker."
Gavin Millard, technical director at Tenable Network Security, echoed Beardsley's assessment: "The fact that Kaspersky, one of the top vendors on the bleeding edge of malware research, were hit with a successful attack shows how advanced the threats we are all facing are. The methods used leveraged some of the biggest vulnerabilities found in Microsoft in the last few months including MS14-068 which enabled privilege escalation to domain administrator and MS15-061 that was only patched this week."
"Hopefully the transparency that Kaspersky has demonstrated so far will continue with them sharing further details on how the attack was undertaken and finally uncovered for us all to learn more about the techniques used," he added.
The blame attribution game
The original Duqu shares features, and most likely an author, with the infamous Stuxnet worm. Both were reportedly part of a joint US-Israeli cyberweapons programme. The NSA and Israel's elite Unit 8200 intelligence corps are therefore prime suspects in the creation of Duqu 2.0.
Kaspersky makes clear in its report that the group behind Duqu was not Equation Group (elsewhere identified as the NSA). That leaves Israel as the prime suspect, with some industry experts already calling it as such.
Experts, such as Richard Bejtlich of FireEye, reckon Duqu 2.0 is most likely an Israeli op.
However, attribution in the case of cyberattacks is notoriously difficult and misdirection and subterfuge – not to mention mischief – are all too real a possibility, as some have already noted.
Mikko Hypponen, F-Secure's chief research officer, noted: "Duqu 2.0 included several false flags: one of the drivers contains string 'ugly.gorilla' which is a reference to Comment Crew. From China." ®