When sophisticated attackers come back, they can come back with a vengeance.
So it is that the minds behind the Duqu attack platform have burst back on the scene after going dark in 2012. Linked to multiple zero-days that have now been patched, ‘Duqu 2.0’ is more stealthy and has been tied to attacks against targets involved in the negotiations about Iran’s nuclear deal as well as the IT security industry itself.
Kaspersky Lab said that in the early spring they detected an intrusion of its own internal systems while testing a prototype of technology designed to detect advanced persistent threats. The attack included some unique features that did not leave any traces, such as disk files or altered system settings. After discovering the attack, Kaspersky Lab performed an initial audit that included source code verification and checking of its corporate infrastructure.
The audit, which is still ongoing and is expected to be completed in a few weeks, revealed that the main purpose of the attack was to spy on the company, its research and its processes. Thus far, no interference with processes or systems has been detected, and the company said it is confident its products and customers are safe.
According to Kaspersky Lab, the level of sophistication of the attack surpasses even the ‘Equation Group’, which is suspected by some to be linked to the NSA. The malware only exists in the system’s memory, making it difficult for anti-malware solutions to detect, explained Kurt Baumgartner, principal security researcher at Kaspersky Lab.
“It also doesn’t directly connect to a command-and-control server to receive instructions,” he said. “Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from internal network to the attackers’ [command and control servers]. Combined, this made discovery very difficult.”
“The Duqu people were confident enough to create and run an entire cyber-espionage operation just in the system’s memory, and that they can survive within an entire network of compromised computers without relying on any persistence mechanism at all,” he said.
Researchers discovered several similarities in the code of Duqu 2.0 and the original version of the platform publicized in 2011, including in a set of functions that provide logging facilities.
“During our analysis in 2011, we noticed that the logs collected from some of the proxies indicated the attackers appear to work less on Fridays and didn’t appear to work at all on Saturdays, with their regular work week starting on Sunday,” said Baumgartner. “They also compiled binaries on January 1st, indicating it was probably a normal workday for them. The compilation timestamps in the binaries seemed to suggest a time zone of GMT+2 or GMT+3. Finally, their attacks would normally occur on Wednesdays, which was the reason we originally referred to them as the ‘Wednesday Gang’.”
The majority of the same time indicators were found in the Duqu 2.0 attack as well, he said.
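The work-week and time-zone inference Baumgartner describes is a routine piece of attribution analysis: take the compile timestamps (stored in UTC in the PE header) from a set of related binaries, shift them into each candidate time zone, and see which offset makes the activity line up with a plausible working pattern. The script below is an added illustration of that method, not Kaspersky Lab's tooling or real Duqu 2.0 data; the timestamps are constructed, and the assumed working pattern (a Sunday-to-Thursday week, 07:00 to 19:00 local) is a hypothesis the analyst chooses to test, not a fact from the article.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of compile timestamps in UTC, standing in for the PE
# TimeDateStamp values an analyst would extract from a set of binaries.
# These are illustrative values, not real Duqu 2.0 data.
SAMPLE_COMPILE_TIMES_UTC = [
    "2014-11-02 04:30:00",
    "2014-11-03 06:00:00",
    "2014-11-04 15:45:00",
    "2014-11-05 04:10:00",
    "2014-11-06 15:30:00",
    "2014-11-09 04:05:00",
    "2014-11-12 08:00:00",
    "2014-11-13 15:50:00",
    "2015-01-01 07:00:00",  # 1 January: a holiday in many places, a workday under this hypothesis
]

# Assumed working pattern being tested (an analyst's hypothesis, not page data):
# Sunday-to-Thursday week, working hours 07:00-19:00 local time.
WORK_DAYS = {"Sun", "Mon", "Tue", "Wed", "Thu"}
WORK_HOUR_START, WORK_HOUR_END = 7, 19
DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_utc(stamp: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS' string as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def to_local(ts: datetime, offset_hours: int) -> datetime:
    """Shift a UTC datetime into a fixed-offset zone such as GMT+3."""
    return ts.astimezone(timezone(timedelta(hours=offset_hours)))


def weekday_histogram(stamps, offset_hours):
    """Count how many timestamps fall on each local weekday for a given offset."""
    counts = Counter()
    for s in stamps:
        local = to_local(parse_utc(s), offset_hours)
        counts[DAY_NAMES[local.weekday()]] += 1
    return dict(counts)


def workweek_fit(stamps, offset_hours):
    """Fraction of timestamps that land inside the assumed working pattern."""
    hits = 0
    for s in stamps:
        local = to_local(parse_utc(s), offset_hours)
        in_day = DAY_NAMES[local.weekday()] in WORK_DAYS
        in_hours = WORK_HOUR_START <= local.hour < WORK_HOUR_END
        hits += in_day and in_hours
    return hits / len(stamps)


def rank_offsets(stamps, candidates=range(-12, 15)):
    """Return (offset, fit) pairs, best fit first; ties favour offsets nearer UTC."""
    scored = [(off, workweek_fit(stamps, off)) for off in candidates]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))


def best_offset(stamps, candidates=range(-12, 15)):
    """The candidate UTC offset under which the activity best matches the pattern."""
    return rank_offsets(stamps, candidates)[0][0]


if __name__ == "__main__":
    for off, fit in rank_offsets(SAMPLE_COMPILE_TIMES_UTC)[:5]:
        print(f"UTC{off:+d}: {fit:.2f} of timestamps inside the assumed work pattern")
    best = best_offset(SAMPLE_COMPILE_TIMES_UTC)
    print("weekday histogram at best offset:", weekday_histogram(SAMPLE_COMPILE_TIMES_UTC, best))
```

Two caveats apply whenever this is used on real samples: compile timestamps are attacker-controlled and can be forged or zeroed, so the result is only as strong as the corroborating proxy-log and attack-timing evidence the article mentions; and a fit for one offset is consistent with several countries, so it narrows a region rather than naming an actor.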
Researchers at Kaspersky Lab believe Duqu 2.0 may have leveraged three zero-days: CVE-2015-2360, CVE-2014-4148 and CVE-2014-6324. According to Kaspersky Lab, the initial attack against the firm began with the targeting of an employee in one of its smaller offices in the Asia-Pacific region. While the original infection vector is not currently known, it is believed spear-phishing was involved because one of the victims had their mailbox and web browser history wiped to hide traces of the attack. Other victims of the attackers have been found in Western countries as well as nations in the Middle East and Asia.
Most of the new 2014 and 2015 infections are linked to P5+1 events and venues associated with negotiations with Iran about a nuclear deal, the firm reported. The attackers appear to have launched attacks at venues where the talks took place, as well as a similar attack related to the 70th anniversary event of the liberation of the Auschwitz-Birkenau death camp.
According to Symantec, other victims include telecoms operators in Europe and North Africa as well as a South East Asian electronic equipment manufacturer. There were also infections on computers in the U.S., U.K., Sweden, India and Hong Kong.
“Spying on cybersecurity companies is a very dangerous tendency,” Eugene Kaspersky, CEO of Kaspersky Lab, said in a statement. “Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario.”
According to Mr. Kaspersky, there may be several reasons why an attacker might want to access the company’s technical data.
“Maybe the idea was to steal our technologies, source code, know-how and ideas to support the attackers’ own software development,” he wrote in a blog post published on Forbes.Com. “That would help cut a corner or two, but makes little sense in the long run. Modern software is always a work-in-progress – it’s always in development – so you need to keep running very fast just to keep up, otherwise the copied software becomes obsolete fast.”
According to Kaspersky, another reason could be that the spies were interested in the inner workings of the company. “We obviously have our share of technological secrets as we’re a competitive business, but I can’t think of anything really top secret,” he noted.
Kaspersky also explained that the attackers were probably interested in the company’s ongoing investigations and research methods and to “know what’s cooking in the Kaspersky Lab kitchen” so as to quickly develop mitigation techniques to stay under their radar.
“Anyway, no matter the reasons behind this attack, the bad guys have lost a very expensive and sophisticated framework they’d been developing and nurturing for years,” the CEO said.
While the company did not attribute the attack to a particular nation state, some reports suggest a possible link to Israel. When asked about such a connection during a press conference on Wednesday, Mr. Kaspersky said he found the possible connection “interesting,” but held back from directly calling out Israel for attacking his company.
Kaspersky provided Indicators of Compromise (IOCs) including MD5s and IPs from the command and control servers, which can be found here, along with Yara rules which can be found here.
*Additional reporting by Mike Lennon