What You Need to Know About Duqu 2.0

by Marc Ruef
time to read: 4 minutes

Media report that the Russian security company Kaspersky was compromised in an electronic break-in. The incident, the malware the attackers used and the political context of the attack have generated increased media interest and questions to scip AG regarding the attack, which Kaspersky has dubbed Duqu 2.0.

The following gives you an overview of the most important aspects of the case.

What Happened?

Russian security research company Kaspersky reported on June 10th, 2015, that it had fallen victim to an attack. Eugene Kaspersky, founder of the company, describes how researchers discovered the attack, how it was analysed and what conclusions they draw from it.

Which Malware was Used?

A first analysis by Kaspersky showed that the malware used is identical in key aspects to the malware known as Duqu. The researchers therefore named it Duqu 2.0. The first version of Duqu was used in attacks in 2011.

What Makes Duqu 2.0 Remarkable?

An extended analysis by security company Symantec has shown that Duqu 2.0 has three main new features:

  1. Duqu 2.0 offers more functionality than its predecessor.
  2. The malware resides almost entirely in the RAM of an infected system. This makes forensic analysis difficult, as very little or no data is stored persistently.
  3. The installed base acts as a botnet and can be controlled centrally via command-and-control servers. Infected systems can therefore be remotely controlled.
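Because a memory-resident implant leaves little on disk, triage shifts from the file system to the live process image. The following is an added illustration (not code from scip AG, Kaspersky or Symantec) of the defender's side of point 2: it parses a process memory map and flags executable regions that are not backed by any file, which is where injected or unpacked code tends to live. It uses the Linux /proc/<pid>/maps layout purely as a compact, well-known representation; Duqu 2.0 targeted Windows, and the sample listing, the process name and the region addresses are constructed.

```python
"""
Triage helper for memory-resident implants: flag anonymous, writable and
executable memory mappings in a Linux /proc/<pid>/maps listing.

Added illustration, not code from scip AG, Kaspersky or Symantec. The maps
format stands in for any process memory layout; the sample below is
constructed, as is the hypothetical process name /usr/bin/svc.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a normal-looking process layout plus one anonymous
# rwx region, the artefact a memory-only implant leaves while the disk
# stays clean.
SAMPLE_MAPS = """\
55d0c7a00000-55d0c7a21000 r--p 00000000 08:01 1310722  /usr/bin/svc
55d0c7a21000-55d0c7b40000 r-xp 00021000 08:01 1310722  /usr/bin/svc
55d0c7b40000-55d0c7b60000 r--p 00140000 08:01 1310722  /usr/bin/svc
7f3c40000000-7f3c40021000 rw-p 00000000 00:00 0
7f3c41000000-7f3c41100000 rwxp 00000000 00:00 0
7f3c42000000-7f3c421ab000 r-xp 00000000 08:01 1048580  /usr/lib/libc.so.6
7ffd1e8d6000-7ffd1e8f7000 rw-p 00000000 00:00 0        [stack]
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def anonymous(self) -> bool:
        # No backing file: empty path, or a kernel pseudo-mapping such as [stack]
        return self.path == "" or self.path.startswith("[")

    @property
    def executable(self) -> bool:
        return "x" in self.perms


def parse_maps(text: str) -> List[Region]:
    """Parse a maps listing into Region records, skipping malformed lines."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        regions.append(
            Region(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"].strip())
        )
    return regions


def suspicious_regions(regions: List[Region]) -> List[Region]:
    """Executable code with no file behind it that is also writable is the
    classic sign of injected or unpacked code. Library text segments are
    mapped from files, so they are not reported."""
    return [r for r in regions if r.executable and r.anonymous and "w" in r.perms]


if __name__ == "__main__":
    for r in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"anonymous rwx region {r.start:#x}-{r.end:#x} "
              f"({r.size} bytes) perms={r.perms}")
```

Run against a real system, the same logic would be fed the contents of /proc/<pid>/maps for each process of interest; a hit is a lead for dumping that region from memory, since nothing corresponding will be found on disk.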

Why was Kaspersky Attacked?

Security companies are lucrative targets for a variety of attackers. Manufacturers such as Kaspersky research and develop new technologies for combating computer attacks and malware. If an attacker gains access to a security company’s research, the attacker holds a strategic and tactical advantage for further attacks.

How Were Other Victims Identified?

There are two ways to identify the victims of a piece of malware:

  1. Modern antivirus solutions can report identified malware, giving manufacturers a statistical overview of infected systems.
  2. By analysing the command-and-control servers that remotely control infected systems, researchers can identify further activity by the attacker. To do this, however, researchers need access to the communication originating from the command-and-control server. Sometimes compromising the command-and-control server and analysing it forensically is necessary. Whether that happened in the case of Duqu 2.0 is debated.

Who is behind Duqu 2.0?

Kaspersky emphasises that it cannot conclusively name a culprit. The complexity and professionalism of Duqu and Duqu 2.0 point to an attacker with considerable financial means. On this basis, the most likely culprits are governments and organised crime. The targets have been primarily political in nature, which points to the attacker being a governmental agency. Among the targets were political talks regarding Iran’s nuclear weapons program and celebrations of the 70th anniversary of the liberation of Auschwitz-Birkenau. These are all indicators that Duqu 2.0 is an Israeli product. This assessment remains unconfirmed.

About the Author

Marc Ruef

Marc Ruef has been working in information security since the late 1990s. He is well known for his many publications and books. The latest, The Art of Penetration Testing, discusses security testing in detail. He lectures at several institutions, including ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)
