It came to light yesterday afternoon that, in early spring 2015, Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems. Following this finding, the company launched an intensive investigation, which led to the discovery of a new malware platform from one of the most skilled threat actors in the APT world: Duqu. The attack exploited zero-day vulnerabilities and, after elevating privileges to domain administrator, spread the malware across the network through MSI files. The attack left no files on disk and changed no system settings, making detection difficult.
Eugene Kaspersky himself named the APT malware Duqu 2.0, given its relation to the 2011 state-sponsored malware of the same name. During a live webcast press conference from London, Kaspersky talked in detail about the Duqu 2.0 attack without attributing it to a particular nation-state. Duqu 2.0 did not only target Kaspersky Lab; it also hit venues of the recent P5+1 Iranian nuclear negotiations, which has led some to speculate that the State of Israel is somehow connected.
The Duqu 2.0 attack used three different zero-day exploits against Microsoft software, all of which were patched on June 9.
“The attack is extremely sophisticated, and this is a new generation of what is most likely state-sponsored malware,” Kaspersky said during the press conference. “It’s a kind of a mix of Alien, Terminator and Predator, in terms of Hollywood. Alien, Terminator and Predator are three famous movies with a relentless evil character bent on destruction.”
Gavin Reid, VP of threat intelligence at Lancope commented, “This attack is unique and one of the first times we have seen a nation-state attack on the private security industry. Kaspersky is credited with finding the original Duqu, so it is not too surprising the authors would want to add Kaspersky to the list of companies it targeted with the newer harder-to-detect Duqu 2.0. This compromise shows how at risk the private sector is from advanced adversaries – even companies that are expert in this area. The fact this malware runs completely in memory makes many host-based detection capabilities ineffective.”
Gavin Millard, technical director at Tenable Network Security added, “The fact that Kaspersky, one of the top vendors on the bleeding edge of malware research, were hit with a successful attack shows how advanced the threats we are all facing are. The methods used leveraged some of the biggest vulnerabilities found in Microsoft in the last few months, including MS14-068, which enabled privilege escalation to domain administrator, and MS15-061, which was only patched this week. Hopefully the transparency that Kaspersky have demonstrated so far will continue, with them sharing further details on how the attack was undertaken and finally uncovered, for us all to learn more about the techniques used.”