Duqu 2.0 Espionage Malware DiscoveredKaspersky Lab Suffered Cyber-Intrusion, Found APT Malware
Kaspersky Lab says it has discovered a new, advanced persistent threat that appears to have been launched by the gang behind the Stuxnet and Duqu malware families. But while security vendors typically unearth intrusions in their customers' networks, in this case Kaspersky's own networks also fell victim to the attack campaign, thanks in part to attackers employing a zero-day Windows exploit.
Those are the results of an investigation that Kaspersky Lab says it launched earlier this year, after discovering an internal cyber-intrusion and ultimately unearthing what it has dubbed Duqu 2.0, because the malware and attack platform is based on Duqu, which security researchers believe went dark in 2012.
Kaspersky's researchers, who have released a technical teardown of the Duqu 2.0 malware, say they recently discovered that it was used in 2014 and 2015 to target hotels related to P5+1 negotiations - referring to six world powers that in 2006 began diplomatic efforts relating to Iran and its nuclear program - as well as an attack related to the 70th anniversary remembrance of the liberation of the Auschwitz-Birkenau concentration camp. Symantec reports that it has so far found six victims, of which it has identified three: two telecommunications companies and one telecommunications equipment manufacturer.
Duqu 2.0 appears to have been designed to exploit at least one zero-day flaw. "In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time," researchers at Kaspersky Lab say in a blog post. "The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected." The related Windows kernel bug was patched by Microsoft on June 9.
After discovering Duqu 2.0, Kaspersky reached out to warn other security firms - including Microsoft - as well as ask some of them to verify its research findings, Symantec Security Response Team member Gavin O'Gorman tells Information Security Media Group. "Attacking a security company - and what clearly is a nation-state attacker going after a private security company that is meant to be protecting customers and so on - is quite galling," he says.
The Case For APT Reuse
The original Duqu malware and related attack platform were first discovered in 2011 by the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics, and it says the new malware is an extension of the old. "After analyzing the samples that we received, we think that the attackers behind the Duqu malware are back and active," CrySyS says in a blog post. "They reused code and ideas from Duqu in the new Duqu 2.0 malware, but at the same time, they also made modifications in order to render Duqu 2.0 undetectable by the old detection methods."
The CrySyS researchers say it isn't surprising that the attack group reused its existing tools, given the amount of time and money that likely went into their design and development. "What is perhaps more interesting [is] that they could tweak and optimize their malware such that it was not detected by state-of-the-art defense mechanisms. In part, this is again due to the information asymmetry between the attackers and the defenders: the attackers had the possibility to read all published analysis reports about Duqu, so they knew what the defenders were prepared for, while the defenders typically know very little about the methods of the attackers."
It's become a cliché for breached businesses to claim that the malware or phishing attack to which they succumbed was "advanced," when oftentimes little more than social engineering was at play. But in the case of Duqu 2.0, multiple information security experts have noted that the malware was actually quite advanced.
For starters, the malware is also designed to be very difficult to detect. "The way the attackers move across the network is very smart," Symantec's O'Gorman says. In particular, to help evade anti-virus scans and digital forensic investigations, the malware only runs in RAM on the targeted system, thus not leaving a trace on the hard drive. "There is no persistence mechanism," he says, meaning that the infection gets removed when a machine gets rebooted. Accordingly, the attackers appear to have focused on infecting servers - which would not get rebooted - and then using the Windows zero-day flaw to keep reinstalling the malware into the RAM of targeted systems. "Every time they want to access that particular machine, they go and re-infect it."
At the code level, meanwhile, F-Secure Chief Research Officer Mikko Hypponen notes that the malware also contains "false flags" so that if it was found, it would appear to be the work of Chinese hackers.
Duqu 2.0 included several false flags: one of the drivers contains string "ugly.gorilla" which is a reference to Comment Crew. From China.ï¿½ Mikko Hypponen (@mikko) June 10, 2015
Ties to Flame, Stuxnet
Who's behind Duqu 2.0? The attack was "most probably carried out by a government-backed group," Kaspersky Lab CEO Eugene Kaspersky writes in Forbes, although he declined to name potential culprits. "While they managed to get access to data related to our R&D and new technologies ... our customers and partners were not affected and are not at risk." He adds that while his company - like all security vendors - gets regularly targeted by a variety of cyber-attacks, he cannot ascribe a plausible motive to why the Duqu gang would want to infiltrate Kaspersky Lab networks, unless it was to keep tabs on the company's investigation techniques and findings.
Malware researchers have previously suggested that whoever commissioned Stuxnet, which was found in 2010, also had a hand in Duqu, which was discovered in 2011. Stuxnet was allegedly the product of a U.S.-Israeli cyberweapons program code-named Olympic Games, although the White House has never confirmed those allegations. Both Stuxnet and Duqu were designed to analyze or attack industrial control systems.
In 2012, meanwhile, researchers found more apparently related malware: Flame, which targeted organizations in the Middle East and predated Stuxnet; and also Gauss, which was discovered in 2012 and found to be targeting online banking users in the Middle East.
Praise For Transparency
Regardless of who launched those attacks, multiple security experts have offered kudos to Kaspersky for its transparency, as well as quickly sharing malware samples with other researchers. "They didn't have to disclose this," said Forrester Research analyst Rick Holland via Twitter. Likewise, SANS instructor Robert M. Lee noted that Kaspersky had turned the attack, and the breach of its networks, "into something good for the community."