Earlier in 2015 during a test, a prototype of an anti-APT solution developed by Kaspersky Lab detected signs of a complex targeted attack on its corporate network.
Following this finding the company launched an intensive investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful threat actors in the APT (advanced persistent threat) world: Duqu.
Kaspersky Lab believes the attackers were confident that it was impossible to discover the cyberattack. The attack included some unique and earlier unseen features and almost didn’t leave traces.
The attack exploited zero-day vulnerabilities and after elevating privileges to domain administrator, the malware is spread in the network through MSI (Microsoft Software Installer) files which are commonly used by system administrators to deploy software on remote Windows computers.
The cyberattack didn’t leave behind any disk files or change system settings, making detection extremely difficult. The philosophy and way of thinking of the “Duqu 2.0” group is a generation ahead of anything seen in the APT world.
However, Kaspersky Lab researchers found that they weren’t the only target of this powerful threat actor. Other victims have been found in Western countries, as well as in countries in the Middle East and Asia. Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal.
The threat actor behind Duqu appears to have launched attacks at the venues where the high level talks took place. In addition to the P5+1 events, the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. These meetings were attended by many foreign dignitaries and politicians.
Kaspersky Lab performed an initial security audit and analysis of the attack. The audit included source code verification and checking of the corporate infrastructure. The audit is still ongoing and will be completed in a few weeks.
Besides intellectual property theft, no additional indicators of malicious activity were detected. The analysis revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected.
Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.
A team of the company’s researchers, reverse engineers and malware analysts worked around the clock to analyze this exceptional attack. The company is releasing all the technical details about Duqu 2.0 via Securelist.
Preliminary conclusions:
- The attack was carefully planned and carried out by the same group that was behind the infamous 2011 Duqu APT attack. Kaspersky Lab believes this is a nation-state sponsored campaign.
- Kaspersky Lab strongly believes the primary goal of the attack was to acquire information on the company’s newest technologies. The attackers were especially interested in the details of product innovations including Kaspersky Lab’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network and Anti-APT solutions and services. Non-R&D departments (sales, marketing, communications, legal) were out of attackers’ interests.
- The information accessed by the attackers is in no way critical to the operation of the company’s products. Armed with information about this attack Kaspersky Lab will continue to improve the performance of its IT security solutions portfolio.
- The attackers also showed a high interest in Kaspersky Lab’s current investigations into advanced targeted attacks; they were likely aware of the company’s reputation as one of the most advanced in detecting and fighting complex APT attacks.
- The attackers seem to have exploited up to three zero-day vulnerabilities. The last remaining zero-day (CVE-2015-2360) has been patched by Microsoft on June 9th, 2015 (MS15-061) after Kaspersky Lab experts reported it.
The malicious program used an advanced method to hide its presence in the system: the code of Duqu 2.0 exists only in computer’s memory and tries to delete all traces on the hard drive.
Costin Raiu, Director of Kaspersky Lab’s Global Research & Analysis Team, said, “The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar. This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high.”
“To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers,” he adds.
“Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilised by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario,” commented Eugene Kaspersky, CEO of Kaspersky Lab.
“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted. The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin,” added Eugene Kaspersky.
Kaspersky Lab would like to assure its clients and partners that the company will continue to protect against any cyberattack indiscriminately. Kaspersky Lab has contacted cyberpolice departments in different countries making official requests for criminal investigations of this attack.
Kaspersky Lab would like to reiterate that these are only preliminary results of the investigation. There is no doubt that this attack had a much wider geographical reach and many more targets. But judging from what the company already knows, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geo-political interests. To mitigate this threat, Kaspersky Lab is releasing Indicators of Compromise and would like to offer its assistance to all interested organisations.
Procedures for protection from Duqu 2.0 have been added to the company’s products. Kaspersky Lab’s products detect this threat as HEUR:Trojan.Win32.Duqu2.gen.