Modern field guide to security and privacy

Russian security firm becomes target of sophisticated malware campaign

Kaspersky Lab made a name for itself by identifying advanced malicious software campaigns. Now it says it was the victim of a malware campaign that some experts have linked to Israel. 

Photo (Reuters/File): Eugene Kaspersky, chief executive officer of Kaspersky Lab, answered a question during an interview in March.

The Moscow-based security firm Kaspersky Lab is known for identifying and cataloging malicious software. Now, it has also become a victim of one of the most sophisticated attacks the company has discovered.

The company detailed the incident in a blog post Wednesday, describing a long-running and sophisticated campaign that relied on three separate “zero-day” vulnerabilities in Microsoft software. The attackers compromised systems operated by the company’s virus researchers and product developers, with an interest in tools Kaspersky was developing to spot so-called “advanced persistent threat,” or APT, attacks.

In a press conference in London on Wednesday, Kaspersky chief executive Eugene Kaspersky described the campaign against his company as “very complicated” and “almost invisible,” beginning in the final months of 2014 and continuing through the spring of 2015.

According to a report on the attack published by Kaspersky, the attackers used two different malicious programs to infect computers, which Kaspersky dubbed “Duqu 2.0.” The attackers used previously unknown exploits to gain administrator-level access to Kaspersky’s network. They then abused that access to distribute the malware to target systems, disguised as legitimate software packages.

Notably, the malware ran purely in the volatile memory of the computers it infected, which meant it could not survive a reboot. In exchange, it could operate without first writing itself to the infected system’s hard drive or modifying the operating system registry, two common behaviors that almost certainly would have led to the malicious software being detected.
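The detection problem that paragraph describes, a scanner built around files and registry keys having nothing to look at, is why hunting for this class of malware means inspecting process memory instead. The following is an added example, not code from the article or from Kaspersky’s report, and it generalizes beyond Duqu 2.0: it flags executable memory regions that no file on disk backs. It assumes the Linux /proc/<pid>/maps line format as a convenient, parseable stand-in for any process memory-map listing (Duqu 2.0 itself ran on Windows, where the equivalent view comes from a memory-forensics tool); the sample map lines, process names and path names in it are constructed for illustration.

```python
"""Flag executable memory regions with no on-disk image behind them.

Added example (not from the article or Kaspersky's report). Input is the
Linux /proc/<pid>/maps line format, used here as a stand-in for any process
memory-map listing; Duqu 2.0 itself targeted Windows. SAMPLE_MAPS is
constructed for illustration, not captured from a real system.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp"
    path: str    # "" for anonymous mappings


def parse_maps(text: str) -> List[Mapping]:
    """Parse lines of the form 'start-end perms offset dev inode [path]'."""
    mappings = []
    for line in text.splitlines():
        parts = line.split(None, 5)   # path may contain spaces, e.g. "(deleted)"
        if len(parts) < 5:
            continue
        lo, hi = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5].strip() if len(parts) == 6 else ""
        mappings.append(Mapping(lo, hi, parts[1], path))
    return mappings


def is_unbacked_code(m: Mapping) -> bool:
    """True if the region is executable but not backed by a regular file on disk.

    Signals, in the order checked:
      - kernel pseudo-mappings ([vdso], [vsyscall]) are normal; an executable
        [stack] or [heap] is not
      - anonymous executable memory: code that was never a file
      - writable and executable: a staging area for code written at runtime
      - backing file already unlinked ("(deleted)", memfd): the file existed
        only long enough to be mapped
    """
    if "x" not in m.perms:
        return False
    if m.path.startswith("[") and m.path.endswith("]"):
        return m.path in ("[stack]", "[heap]")
    if m.path == "":
        return True
    if "w" in m.perms:
        return True
    if m.path.endswith("(deleted)") or m.path.startswith("/memfd:"):
        return True
    return False


def find_unbacked_code(maps_text: str) -> List[Tuple[str, str, str]]:
    """Return (start address, perms, path) for every suspicious region."""
    return [
        (f"{m.start:x}", m.perms, m.path or "<anonymous>")
        for m in parse_maps(maps_text)
        if is_unbacked_code(m)
    ]


# Constructed sample: a service binary, libc, a JIT-style rwx blob, a memfd
# payload whose backing file was unlinked, and the usual kernel pseudo-maps.
SAMPLE_MAPS = """\
55d0c2e00000-55d0c2e2a000 r-xp 00000000 08:01 1310721 /usr/bin/svc
55d0c3012000-55d0c3033000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c3c5000 r-xp 00000000 08:01 131090 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c41b000 r-xp 00000000 00:05 8891 /memfd:loader (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
7ffd1a1f0000-7ffd1a1f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for start, perms, path in find_unbacked_code(SAMPLE_MAPS):
        print(f"0x{start} {perms} {path}")
```

Two caveats a practitioner would add. Legitimate JIT runtimes (browsers, Java, .NET) also produce anonymous writable-and-executable regions, so a hit is a triage candidate to dump and inspect, not a verdict. And because a reboot wipes exactly this evidence, the point the article makes about the malware not surviving a restart cuts both ways: memory has to be captured before a suspect host is power-cycled.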

“This is a mix of 'Alien,' 'Predator,' and 'Terminator' in terms of Hollywood,” said a jovial and suntanned Mr. Kaspersky, referring to the classic action films. “It is almost not possible to see how it infects computers.”

Kaspersky said the malicious software bore a close resemblance to earlier versions of Duqu, a cyberespionage platform first identified in 2011 and linked to attacks on the government of Iran and on parties involved in sensitive talks over the fate of Iran’s nuclear program.

Asked about the source of the attack, Kaspersky declined to speculate on the origin of the malicious software, saying that the attack came by way of proxy servers and that Kaspersky lacked the legal authority to do what would be needed to trace it back to its origins.

Still, his company’s report on the malware makes clear that Kaspersky was not the only victim.

Victims of Duqu 2.0 were identified in several countries, including Western nations, the Middle East, and Asia. While some appear to be opportunistic infections meant to further the spread of the malware, others are linked to events and venues connected to the so-called “P5+1” negotiations with Iran over a nuclear deal. The list includes three luxury hotels in Europe that hosted P5+1 diplomats and negotiators, according to a .

Some experts have interpreted that as evidence that the government of Israel, which is excluded from the P5+1 group, is behind the Duqu malware. Kaspersky’s report is mum on attribution, but does note that the Duqu 2.0 group has launched “a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau,” a possible reference to Israel.

The motivation for such a group to compromise a security company such as Kaspersky Lab is unclear. The chief executive said his company’s analysis of the incident revealed compromises in systems used by its virus researchers, but that the attack did not target Kaspersky’s antivirus software, which is installed on hundreds of millions of machines globally.

Instead, the attackers focused on systems containing information about Kaspersky’s future technologies, anti-APT solutions, and APT research, as well as the company’s work on a secure operating system for use in critical infrastructure. In recent years, Kaspersky Lab researchers have discovered or contributed to research exposing a number of state-backed malware campaigns, including the initial Duqu attacks.

Wednesday’s Kaspersky report is the first known evidence of a successful APT attack on an antivirus software firm. Kaspersky employs some of Russia and Eastern Europe’s top malware analysts and reverse engineers. Mr. Kaspersky took it as a point of pride that his company discovered such a sophisticated operation on its own, while downplaying the long-term impact of a compromise that, by his own admission, lasted “months.”

Security experts outside the company acknowledged that a frontal attack on a firm such as Kaspersky Lab was unusual, but said it proved that even sophisticated companies are not immune from compromise.

“This is a pretty vicious attack that was well thought-out and planned,” says Karl Sigler, the threat intelligence manager at the security firm Trustwave. “It shows that there’s no such thing as 100 percent secure.”

Memory-resident malware of the kind used in the attack is “uncommon” but not unknown in other malicious campaigns, Mr. Sigler said. However, the use of exploits for previously unknown software vulnerabilities set the attack apart and made it all but impossible to detect, he said.

Sigler said the only recourse was for firms to “stay vigilant,” as malicious actors were “stepping up their game.”

/World/Passcode/2015/0610/Russian-security-firm-becomes-target-of-sophisticated-malware-campaign