Written by Warwick Ashford for Computer Weekly:
Kaspersky Lab determined the best approach to cyber attack was to not only admit that it had been hacked, but also to provide extensive information on the malware
Moscow-based security firm Kaspersky Lab has been praised for the way it handled a cyber attack on its network, which also hit high-profile targets in Europe, the Middle East and Asia.
When a company suffers an attack, it can pretend it never happened, issue a bland security advisory or admit the attack took place and explain the implications, said independent security consultant Graham Cluley.
“Kaspersky determined the best approach was to not only admit it had been hacked, but also to provide extensive information on the malware (dubbed Duqu 2.0) it found attempting to infiltrate information from its servers,” Cluley wrote in a blog post.
The cyber security firm also co-ordinated blog posts by founder Eugene Kaspersky on his site and on Forbes, live-streamed press conferences in London and published detailed technical analyses of the malware.
“In short, it handled what could have been a corporate crisis well, and reassured customers and partners their data was safe and the integrity of its security products had not been compromised,” said Cluley.
Kaspersky Lab revealed it detected a cyber intrusion affecting several of its internal systems in early spring 2015, using a prototype of an anti-APT (advanced persistent threat) technology.
The ensuing investigation led to the discovery of a malware platform, which Kaspersky Lab has described as “one of the most skilled, mysterious and powerful threat actors” in the world of APTs.
Kaspersky Lab believes the attackers were confident that it was impossible to discover the cyber attack, which included some unique features that leave almost no traces.
The attack exploited zero-day vulnerabilities, and after elevating privileges to domain administrator the malware was spread through the network using Microsoft Software Installer (MSI) files, which system administrators commonly use to deploy software on remote Windows computers.
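As an added example (not from the article or from Kaspersky Lab), one way a defender can hunt for the MSI-based spread described above is to scan Windows Installer start events for a single account kicking off installs on many hosts within a short window. The log layout, hostnames, account names, timestamps and package paths below are constructed; only the MsiInstaller event IDs 1040 (transaction begins) and 1042 (transaction ends) are real.

```python
"""Flag one account starting MSI installs on many hosts in a short window.

Added detection example; the pipe-separated line format is an assumption,
and every host, user and path in SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line: timestamp|host|user|event_id|message
SAMPLE_LOG = """\
2015-04-02T02:14:05|WS-0117|CORP\\svc_backup|1040|Beginning a Windows Installer transaction: C:\\Windows\\Temp\\upd.msi
2015-04-02T02:14:09|WS-0118|CORP\\svc_backup|1040|Beginning a Windows Installer transaction: C:\\Windows\\Temp\\upd.msi
2015-04-02T02:14:12|WS-0117|CORP\\svc_backup|1042|Ending a Windows Installer transaction: C:\\Windows\\Temp\\upd.msi
2015-04-02T02:14:20|FS-01|CORP\\svc_backup|1040|Beginning a Windows Installer transaction: C:\\Windows\\Temp\\upd.msi
2015-04-02T02:15:01|WS-0120|CORP\\svc_backup|1040|Beginning a Windows Installer transaction: C:\\Windows\\Temp\\upd.msi
2015-04-02T09:30:00|WS-0042|CORP\\jdoe|1040|Beginning a Windows Installer transaction: C:\\Users\\jdoe\\Downloads\\7z.msi
2015-04-02T14:05:00|WS-0042|CORP\\jdoe|1040|Beginning a Windows Installer transaction: C:\\Users\\jdoe\\Downloads\\vlc.msi
"""


def parse(text):
    """Turn the constructed log text into (timestamp, host, user, event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, user, eid, msg = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), host, user, int(eid), msg))
    return events


def find_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {user: sorted hosts} for accounts that began MSI transactions (event 1040)
    on at least min_hosts distinct hosts inside any `window`-long period."""
    starts = sorted((ts, host, user) for ts, host, user, eid, _ in events if eid == 1040)
    by_user = defaultdict(list)
    for ts, host, user in starts:
        by_user[user].append((ts, host))
    hits = {}
    for user, items in by_user.items():          # items are already time-ordered
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for user, hosts in find_fanout(parse(SAMPLE_LOG)).items():
        print(f"{user}: MSI installs on {len(hosts)} hosts within 10 min -> {hosts}")
```

A legitimate deployment tool will also trip this rule, so the value is in the account, the package path and the hour, not the count alone.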
Duqu 2.0: An international threat
Researchers said the Duqu 2.0 attack did not leave behind any disk files or change system settings, making detection extremely difficult.
“The Duqu 2.0 group is a generation ahead of anything seen in the APT world,” the researchers added.
The attackers exploited up to three zero-day vulnerabilities. The last remaining zero-day (CVE-2015-2360) was patched by Microsoft on 9 June (MS15-061) after Kaspersky Lab reported it.
The malicious program used an advanced method to hide its presence in the system: the Duqu 2.0 code exists only in the computer’s memory, and it tries to delete all traces from the hard drive.
Kaspersky Lab then found other Duqu 2.0 attacks in some western countries, the Middle East and Asia, including venues linked to international talks on Iran’s nuclear programme.
Kaspersky said it found the Duqu 2.0 malware in three European hotels used in the negotiations involving Iran and six world powers, and also on its computers.
“Some of the 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal,” Kaspersky Lab said in a statement.
P5+1 refers to the six world powers negotiating with Iran on curbs to its disputed nuclear programme: the US, Russia, China, Britain, France and Germany. The talks have been held in Geneva, Lausanne, Montreux, Munich and Vienna, according to the Guardian.
In addition to the P5+1 events, Kaspersky Lab said the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau, which was attended by many foreign dignitaries and politicians.
According to Kaspersky Lab, the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes, but the company said no interference with processes or systems was detected.
“Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services,” it said in a statement.
The attackers also showed a high interest in Kaspersky Lab’s current investigations into advanced targeted attacks.
Researchers believe the attack was carefully planned and carried out by the same group behind the 2011 Duqu APT campaign, which Kaspersky Lab thinks is sponsored by a nation state.
A sophisticated cyber attack
Kaspersky Lab said Duqu 2.0 had evolved from the earlier Duqu, which was deployed against unidentified targets for years before it was discovered in 2011.
According to researchers, there is an overlap between Duqu and Stuxnet, which has been linked to a US-Israeli project to sabotage Iran’s nuclear programme.
“The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab.
“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware systems might have problems detecting it.
“It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers,” said Raiu.
Eugene Kaspersky, CEO of Kaspersky Lab, warned: “Sooner or later technologies implemented in similar targeted attacks will be examined and utilised by terrorists and professional cyber criminals – and that is an extremely serious and possible scenario.
“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted.
“The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin,” he said.
Kaspersky Lab believes this attack had a much wider geographical reach and many more targets.
“Judging from what the company already knows, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geo-political interests,” it said.
Symantec security researchers described Duqu 2.0 as a “stealthy, information-stealing tool” that can be used to gain a persistent foothold inside a targeted domain.
A need for serious cyber offense
Symantec said it also found evidence that Duqu has been used in a number of different attack campaigns against a limited number of selected targets.
Among the organisations targeted were a European telecommunications operator, a North African telecommunications operator and a Southeast Asian electronic equipment manufacturer. Infections were also found on computers located in the US, UK, Sweden, India and Hong Kong.
Symantec believes these may have been “stepping stone” type attacks, used to infiltrate another organisation and eavesdrop on its network.
Tod Beardsley, engineering manager at security firm Rapid7, said Duqu 2.0 represents both the state of the art and the minimum bar for cyber operations.
“Even if one doubts that Stuxnet, Duqu and Duqu 2.0 are sourced from well-financed, highly skilled and geopolitically motivated Western nations, Duqu 2.0 is precisely where we should expect any serious national cyber offensive capability to be,” he said.
According to Beardsley, this, in turn, informs where defensive thinking needs to focus.
“If you cannot defend against a Duqu 2.0-style long-term campaign, you better not have any data or resources that a national offensive cyber organisation will care to compromise,” he added.
Beardsley said Kaspersky has a reputation for being one of the most capable detection and defence organisations in the world, and the fact that it was compromised is a “sobering reminder that the gap between offense and defence is massively lopsided in favour of the attacker”.
He also praised Kaspersky’s handling of the attack on its network.
“It is more transparency than what we usually see with initial breach reports. I’m hopeful that as this story unfolds, Kaspersky will provide more details on exactly how it did detect the activity of Duqu 2.0, since these detection techniques are what CISOs at critical infrastructure networks need to defend and remediate against similar attacks,” said Beardsley.