Duqu 2.0 Attack Hits Kaspersky Lab, Venues Tied to Iran Nuclear Talks

When sophisticated attackers come back, they can come back with a vengeance.

When sophisticated attackers come back, they can come back with a vengeance.

So it is that the minds behind the Duqu attack platform have burst back on the scene after going dark in 2012. Linked to multiple zero-days that have now been patched, ‘Duqu 2.0’ is more stealthy and has been tied to attacks against targets involved in the negotiations about Iran’s nuclear deal as well as the IT security industry itself.

Kaspersky Lab said that in the early spring it detected an intrusion of its own internal systems while testing a prototype of technology designed to detect advanced persistent threats. The attack included some unique features that left almost no traces, such as files on disk or altered system settings. After discovering the attack, Kaspersky Lab performed an initial audit that included source code verification and checking of its corporate infrastructure.

The audit, which is still ongoing and is expected to be completed in a few weeks, revealed that the main purpose of the attack was to spy on the company, its research and its processes. Thus far, no interference with processes or systems has been detected, and the company said it is confident its products and customers are safe.

According to Kaspersky Lab, the level of sophistication of the attack surpasses even the ‘Equation Group’, which is suspected by some to be linked to the NSA. The malware exists only in the system’s memory, making it difficult for anti-malware solutions to detect, explained Kurt Baumgartner, principal security researcher at Kaspersky Lab.

“It also doesn’t directly connect to a command-and-control server to receive instructions,” he said. “Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from internal network to the attackers’ [command and control servers]. Combined, this made discovery very difficult.”

“The Duqu people were confident enough to create and run an entire cyber-espionage operation just in the system’s memory, and that they can survive within an entire network of compromised computers without relying on any persistence mechanism at all,” he said.

Researchers discovered several similarities in the code of Duqu 2.0 and the original version of the platform publicized in 2011, including in a set of functions that provide logging facilities.

“During our analysis in 2011, we noticed that the logs collected from some of the proxies indicated the attackers appear to work less on Fridays and didn’t appear to work at all on Saturdays, with their regular work week starting on Sunday,” said Baumgartner. “They also compiled binaries on January 1st, indicating it was probably a normal workday for them. The compilation timestamps in the binaries seemed to suggest a time zone of GMT+2 or GMT+3. Finally, their attacks would normally occur on Wednesdays, which was the reason we originally referred to them as the ‘Wednesday Gang’.”

The majority of the same time indicators were found in the Duqu 2.0 attack as well, he said.
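The time-zone and work-week inference Baumgartner describes is a standard forensic heuristic: PE headers carry a 32-bit compile timestamp in UTC, and if enough samples survive unforged, shifting them by each candidate UTC offset and asking which offset puts the most builds inside a plausible working day points at the attackers' local time zone, after which the weekday histogram shows their rest days. The script below is an added illustration, not Kaspersky's tooling and not real Duqu timestamps; the sample values, the 08:00 to 19:00 business-hour window and the candidate offset range are all constructed assumptions.

```python
"""Infer an attacker's UTC offset and work week from PE compile timestamps.

Added example for illustration. Not Kaspersky Lab code; the timestamps
below are constructed, not Duqu 2.0 samples.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WORK_START, WORK_END = 8, 19   # assumed local business hours, [start, end)

# Constructed sample: IMAGE_FILE_HEADER.TimeDateStamp values, i.e. seconds
# since the Unix epoch in UTC, as a PE parser would read them from the
# binaries. These are invented for the example, not real malware data.
SAMPLE_TIMESTAMPS = [
    int(datetime(2011, 2, day, hour, minute, tzinfo=timezone.utc).timestamp())
    for day, hour, minute in [
        (6, 5, 30), (6, 11, 10),    # Sunday builds (early and midday)
        (7, 7, 5), (7, 15, 30),     # Monday (early and late)
        (8, 8, 45),                 # Tuesday
        (9, 6, 15), (9, 13, 40),    # Wednesday
        (10, 9, 0), (10, 14, 55),   # Thursday
        (11, 6, 40),                # one light Friday build
        (13, 10, 20),               # next Sunday
    ]
]


def to_local(ts, offset_hours):
    """Render a UTC epoch timestamp in the candidate local time zone."""
    return datetime.fromtimestamp(ts, timezone(timedelta(hours=offset_hours)))


def business_hour_score(timestamps, offset_hours):
    """How many builds land inside the assumed working day at this offset."""
    return sum(
        1 for ts in timestamps
        if WORK_START <= to_local(ts, offset_hours).hour < WORK_END
    )


def best_utc_offset(timestamps, candidates=range(-12, 15)):
    """Return (offsets tied for the best score, {offset: score})."""
    scores = {off: business_hour_score(timestamps, off) for off in candidates}
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s == top), scores


def weekday_histogram(timestamps, offset_hours):
    """Count builds per local weekday; days with zero builds are rest days."""
    counts = Counter(WEEKDAYS[to_local(ts, offset_hours).weekday()]
                     for ts in timestamps)
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def infer_work_week(timestamps):
    """Combine both heuristics into one attribution summary."""
    offsets, _ = best_utc_offset(timestamps)
    offset = offsets[0]
    hist = weekday_histogram(timestamps, offset)
    return {
        "utc_offset": offset,
        "tied_offsets": offsets,       # >1 entry means the data is ambiguous
        "weekday_counts": hist,
        "rest_days": [d for d, n in hist.items() if n == 0],
    }


if __name__ == "__main__":
    summary = infer_work_week(SAMPLE_TIMESTAMPS)
    print(f"Best UTC offset: {summary['utc_offset']:+d} "
          f"(tied: {summary['tied_offsets']})")
    for day, n in summary["weekday_counts"].items():
        print(f"  {day}: {'#' * n}")
    print("Rest days:", ", ".join(summary["rest_days"]) or "none")
```

On the constructed sample the only offset that fits every build into the working day is UTC+3, and the weekday histogram is empty on Saturday and thin on Friday, the Sunday-to-Thursday pattern the quote describes. Treat the output as weak, corroborating evidence only: compile timestamps are trivially forged, a single early or late build can shift the winning offset, and a tie in `tied_offsets` (GMT+2 versus GMT+3, as in the 2011 analysis) is the honest answer when the data does not separate them.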

Researchers at Kaspersky Lab believe Duqu 2.0 may have leveraged three zero-days: CVE-2015-2360, CVE-2014-4148 and CVE-2014-6324. According to Kaspersky Lab, the initial attack against the firm began with the targeting of an employee in one of its smaller offices in the Asia-Pacific region. While the original infection vector is not currently known, it is believed spear-phishing was involved because one of the victims had their mailbox and web browser history wiped to hide traces of the attack. Other victims of the attackers have been found in Western countries as well as nations in the Middle East and Asia.

Most of the new 2014 and 2015 infections are linked to P5+1 events and venues associated with negotiations with Iran about a nuclear deal, the firm reported. The attackers appear to have launched attacks at venues where the talks took place, as well as a similar attack related to the 70th anniversary event of the liberation of the Auschwitz-Birkenau death camp.

According to Symantec, other victims include telecoms operators in Europe and North Africa as well as a South East Asian electronic equipment manufacturer. There were also infections on computers in the U.S., U.K., Sweden, India and Hong Kong.

“Spying on cybersecurity companies is a very dangerous tendency,” Eugene Kaspersky, CEO of Kaspersky Lab, said in a statement. “Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario.” 

According to Mr. Kaspersky, there may be several reasons why an attacker might want to access the company’s technical data.

“Maybe the idea was to steal our technologies, source code, know-how and ideas to support the attackers’ own software development,” he wrote in a blog post published on Forbes.com. “That would help cut a corner or two, but makes little sense in the long run. Modern software is always a work-in-progress – it’s always in development – so you need to keep running very fast just to keep up, otherwise the copied software becomes obsolete fast.”

According to Kaspersky, another reason could be that the spies were interested in the inner workings of the company. “We obviously have our share of technological secrets as we’re a competitive business, but I can’t think of anything really top secret,” he noted.

Kaspersky also explained that the attackers were probably interested in the company’s ongoing investigations and research methods and to “know what’s cooking in the Kaspersky Lab kitchen” so as to quickly develop mitigation techniques to stay under their radar.

“Anyway, no matter the reasons behind this attack, the bad guys have lost a very expensive and sophisticated framework they’d been developing and nurturing for years,” the CEO said.

While the company did not attribute the attack to a particular nation state, some reports suggest a possible link to Israel. When asked about such a connection during a press conference on Wednesday, Mr. Kaspersky said he found the possible connection “interesting,” but held back from directly calling out Israel for attacking his company.

Kaspersky provided Indicators of Compromise (IOCs), including MD5 hashes of the malware components and IP addresses of the command-and-control servers, along with Yara rules for detecting the Duqu 2.0 modules.

*Additional reporting by Mike Lennon

Related: Same Platform Used to Develop Stuxnet and Duqu Created other Malware
