

By John Leyden & Alexander Martin, 11th June 2015 15:34

Duqu 2.0: 'Terminator' malware that pwned Kaspersky could have come from Israel

Infosec bigwigs differ — but it's definitely a state operation

Eugene Kaspersky reckons hacking into his firm's corporate network was a "silly" move by cyberspies, but independent experts are far from convinced.

All seem agreed that such a rare attack by a state against a leading information security firm is bad news for corporate security more generally, as it shows attacks are getting more sophisticated and harder to defend against.

Kaspersky Lab went public on Wednesday about an attack on its corporate network. The same campaign also hit high-profile victims in Sweden, India, the USA and the UK, as well as North Africa and South-East Asia, including covert surveillance attempts around the ongoing Iranian nuclear talks. Telecoms and electronics firms were among the targets.

The Duqu 2.0 malware platform behind the attacks exploited up to three zero-day vulnerabilities, marking it out as sophisticated and likely the work of an intelligence agency.

Duqu 2.0 is an evolution of the older Duqu worm, which was used in reconnaissance attacks against industrial control systems before it was exposed in September 2011.

The revamped version of Duqu is even stealthier and resides solely in the computer's memory, with no files written to disk. That leaves nothing for disk-based scanning or forensics to find, but it also means an infected host that reboots comes up clean and has to be re-infected from another compromised machine on the network. The malware platform establishes a backdoor into compromised networks before uploading sensitive data to command-and-control (C&C) servers, as explained in a blog post by Symantec.

The attackers infected network gateways and firewalls by installing malicious drivers that proxied all traffic between the internal network and the attackers' command-and-control servers, giving them a channel to infected hosts that had no direct route to the internet.

Kaspersky Lab detected a break-in to its internal systems in spring 2015 and isolated the Duqu 2.0 malware behind the breach in a subsequent internal investigation.

During a press conference in London on Wednesday the normally ebullient Kaspersky cut a downbeat figure, describing the attack as "very complicated" and "almost invisible". He suggested his firm may have been attacked for bragging rights.

"They wanted to prove themselves that they're cool, so they're able to affect a leading security IT company," Kaspersky said. "That was a mistake. I'm afraid that the costs of this project, cyber attack, could be ten million dollars, maybe more."

Kaspersky went on to describe the malware as a "mix of Alien, Terminator and Predator, in terms of Hollywood".

Dave Waterson, founder and CEO of data security company SentryBay, disagreed with this assessment. Cyberspies behind the attack were far from mistaken and knew exactly what they were about, Waterson reckons.

Espionage agencies normally try to hide their actions from detection. Attacking one of the world's best teams of security researchers ran counter to that strategy, but perhaps the prize on offer was deemed worth the risk, which is what Martijn Grooten, editor of Virus Bulletin, seemed to think.

All this has happened before. And it will happen again.

Although some security experts have expressed outrage about governments attacking IT security companies, the Duqu 2.0 attack on Kaspersky Lab is far from unprecedented.

Windows Update was abused by Flame, a malware platform related to Stuxnet and Duqu, which spread across local networks by impersonating Microsoft's update service with a rogue certificate. Certificate Authorities – most notably DigiNotar – have also been breached.

Whitelisting firm Bit9's internal systems were hacked in order to attack its customers back in 2013. Hackers broke into its systems before stealing a digital certificate and using it to sign malware.

But perhaps the best previous example of this sort of state-sponsored malfeasance is the attack on RSA Security back in March 2011. Circumstantial evidence suggests that Chinese state-sponsored hackers assaulted RSA in order to launch follow-up attacks against its customers in the military supply and aerospace sector.

A failed attack against Lockheed Martin reportedly leveraged SecurID information stolen from RSA.

The attack on Kaspersky Lab would appear to be an end in itself. Hackers were primarily interested in Kaspersky Lab's technologies but they also showed a "high interest" in Kaspersky Lab’s current investigations into advanced targeted attacks.

Kaspersky, along with the Hungarian security outfit CrySyS Lab, was a key player in discovering Duqu 1.0. That Kaspersky Lab subsequently became a victim of Duqu 2.0 is an irony not lost on the more keen-eyed observers of the cybersecurity scene.

Eugene Kaspersky explained: "They were watching, but they were watching only the information related to virus research and technologies – how do we find malware in the internet, in other customers' computers, and how we process this malware, and which kind of malware is manually processed."

Even rivals praised Kaspersky Lab for admitting it had been pwned by advanced malware, defence against which is the cornerstone of its business.

CrySyS Lab's analysis of Duqu 2.0 discloses that it received samples (more specifically two DLL files) of what was later identified as Duqu 2.0 from Kaspersky Lab in May 2015. "After analyzing the samples that we received, we think that the attackers behind the Duqu malware are back and active," CrySyS Lab concludes. "They re-used code and ideas from Duqu in the new Duqu 2.0 malware, but at the same time, they also made modifications in order to render Duqu 2.0 undetectable by the old detection methods."

Game gone changed

Tod Beardsley, engineering manager at Rapid7, the firm behind the Metasploit penetration testing tool, said the sophistication of Duqu 2.0 means that cyber defenders need to raise their game.

"It’s safe to say that Duqu 2.0 represents both the state of the art and the minimum bar for cyber operations," Beardsley commented. "Even if one doubts that Stuxnet, Duqu, and Duqu 2.0 are sourced from well-financed, highly skilled, and geopolitically motivated Western nations, Duqu 2.0 is precisely where we should expect any serious national cyber offensive capability to be."

Beardsley made the point – reiterated by many in the security community in the wake of the attack – that if Kaspersky Lab can get pwned by something like Duqu, then anyone can.

"If you cannot defend against a Duqu 2.0 style long-term campaign, you better not have any data or resources that a national offensive cyber organisation will care to compromise," Beardsley said. "Kaspersky has a reputation for being one of the most capable detection and defence organisations in the world, and the fact that they were compromised is a sobering reminder that the gap between offense and defence is, today, massively lopsided in favour of the attacker."

Gavin Millard, technical director at Tenable Network Security, echoed Beardsley's assessment: "The fact that Kaspersky, one of the top vendors on the bleeding edge of malware research, were hit with a successful attack shows how advanced the threats we are all facing are. The methods used leveraged some of the biggest vulnerabilities found in Microsoft in the last few months, including MS14-068, which enabled privilege escalation to domain administrator, and MS15-061, that was only patched this week."
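The MS14-068 bug Millard refers to (CVE-2014-6324) is worth a closer look, because it shows how a single ordinary domain account becomes domain admin: the Windows KDC validated the signatures on a ticket's Privilege Attribute Certificate (the PAC, which lists the user's group memberships) using whichever checksum type the ticket named, including unkeyed ones such as plain MD5. Anyone can compute an unkeyed checksum, so an attacker could write a PAC that listed Domain Admins and the KDC would issue a ticket for it. The following Python is an added illustration written for this article, not Microsoft's or Kaspersky's code: the PAC is a small dict instead of the real binary structure, the checksum-type names are simplified labels, and the KDC key is a constructed placeholder. It puts the vulnerable verification next to the fixed one and runs a forged PAC through both.

```python
"""Simplified model of the MS14-068 (CVE-2014-6324) KDC checksum flaw.

Constructed example for illustration. A real PAC is a binary structure
carried inside a Kerberos ticket; here it is a dict serialised to JSON,
and the checksum types are human-readable labels rather than Kerberos
cksumtype numbers.
"""
import hashlib
import hmac
import json
import zlib

# Checksum types as the KDC sees them (assumed labels for this model).
UNKEYED = {"md5", "crc32"}            # anyone can compute these
KEYED = {"hmac-md5", "hmac-sha256"}   # need the KDC's key

KDC_KEY = b"constructed-krbtgt-key-not-a-real-secret"  # placeholder for the krbtgt key
DOMAIN_USERS_RID = 513
DOMAIN_ADMINS_RID = 512


def encode_pac(pac):
    """Canonical byte encoding of the PAC so both sides hash the same thing."""
    return json.dumps(pac, sort_keys=True).encode()


def checksum(cksumtype, data, key=None):
    """Compute the named checksum; keyed types require the KDC key."""
    if cksumtype == "md5":
        return hashlib.md5(data).digest()
    if cksumtype == "crc32":
        return zlib.crc32(data).to_bytes(4, "big")
    if cksumtype == "hmac-md5":
        return hmac.new(key, data, hashlib.md5).digest()
    if cksumtype == "hmac-sha256":
        return hmac.new(key, data, hashlib.sha256).digest()
    raise ValueError("unknown checksum type %r" % cksumtype)


def vulnerable_kdc_verify(pac, cksumtype, sig):
    """Pre-MS14-068 behaviour: honour the checksum type the ticket names.

    If that type is unkeyed, the KDC recomputes it without any secret and
    compares, so a PAC the attacker wrote and MD5-summed themselves passes."""
    if cksumtype in UNKEYED:
        expected = checksum(cksumtype, encode_pac(pac))
    elif cksumtype in KEYED:
        expected = checksum(cksumtype, encode_pac(pac), KDC_KEY)
    else:
        return False
    return hmac.compare_digest(expected, sig)


def fixed_kdc_verify(pac, cksumtype, sig):
    """Post-fix behaviour: only keyed checksums under the KDC key are accepted."""
    if cksumtype not in KEYED:
        return False
    expected = checksum(cksumtype, encode_pac(pac), KDC_KEY)
    return hmac.compare_digest(expected, sig)


def forge_admin_pac(user, user_rid):
    """What an attacker holding any domain account can do without the KDC key:
    write a PAC that grants Domain Admins and 'sign' it with unkeyed MD5."""
    pac = {"user": user, "rid": user_rid,
           "groups": [DOMAIN_USERS_RID, DOMAIN_ADMINS_RID]}
    return pac, "md5", checksum("md5", encode_pac(pac))


def legitimate_pac(user, user_rid):
    """What the KDC itself would issue for an ordinary user: keyed checksum."""
    pac = {"user": user, "rid": user_rid, "groups": [DOMAIN_USERS_RID]}
    return pac, "hmac-sha256", checksum("hmac-sha256", encode_pac(pac), KDC_KEY)


def is_domain_admin(pac):
    return DOMAIN_ADMINS_RID in pac["groups"]


def demo():
    """Run the forged PAC through both KDC implementations."""
    pac, ctype, sig = forge_admin_pac("lowpriv", 1105)
    return {
        "forged_pac_grants_domain_admin": is_domain_admin(pac),
        "vulnerable_kdc_accepts_forgery": vulnerable_kdc_verify(pac, ctype, sig),
        "fixed_kdc_accepts_forgery": fixed_kdc_verify(pac, ctype, sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%s: %s" % (name, value))
```

The fix is not a smarter checksum; it is refusing to let the untrusted party choose the verification method. The same lesson applies to any signed token format (JWT's `alg: none` is the same bug in a different wrapper): the verifier must fix the set of acceptable keyed algorithms itself and reject anything else before looking at the payload.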

"Hopefully the transparency that Kaspersky has demonstrated so far will continue with them sharing further details on how the attack was undertaken and finally uncovered for us all to learn more about the techniques used," he added.

The blame attribution game

The original Duqu shares features, and most likely authorship, with the infamous Stuxnet worm. Both were reportedly part of a joint US-Israeli cyberweapons programme. The NSA and Israel's elite Unit 8200 intelligence corps are therefore the prime suspects in the creation of Duqu 2.0.

Kaspersky makes clear in its report that the group behind Duqu was not the Equation Group (elsewhere identified as the NSA). That leaves Israel as the prime suspect, and some industry experts have already called it that way.

Experts, such as Richard Bejtlich of FireEye, reckon Duqu 2.0 is most likely an Israeli op.

However, attribution in the case of cyberattacks is notoriously difficult and misdirection and subterfuge – not to mention mischief – are all too real a possibility, as some have already noted.

Mikko Hypponen, F-Secure's chief research officer, noted: "Duqu 2.0 included several false flags: one of the drivers contains the string 'ugly.gorilla', which is a reference to Comment Crew. From China." ®
