A successor to Stuxnet, the sophisticated piece of malware that infected Iran's nuclear centrifuges around 2010, managed to infiltrate one of the most high-profile cybersecurity groups. Today, Kaspersky Labs published a postmortem on what it calls Duqu 2.0, a derivative of the Duqu program it investigated in 2011; Kaspersky has previously tied Duqu to Stuxnet. Where Duqu and Stuxnet were studied as part of outside investigations, though, Duqu 2.0 appeared right in Kaspersky's network.
"The thinking behind it is a generation ahead of anything we'd seen earlier — it uses a number of tricks that make it really difficult to detect and neutralize," writes CEO and co-founder Eugene Kaspersky in a blog post. Kaspersky Labs researchers say that around six months ago, unknown hackers targeted an employee from an Asia Pacific satellite office. While it's been difficult to reconstruct exactly what happened, they believe the employee received a targeted phishing email containing a malicious attachment. Once it was opened, the malware took advantage of multiple zero-day exploits — previously unknown security flaws that software developers haven't had time to fix — to insinuate itself into the machine. One of the key holes, according to the company's report, wasn't actually patched until June 9th of 2015.
Kaspersky discovered the invasion in early 2015, when one of its researchers observed unusual bugs while testing a prototype of new security software. After realizing that the computer was infected, the company started monitoring the spread of the unknown virus. Slowly and almost invisibly, it spread through what Ars Technica — in its excellent recap of the case — calls "dozens" of machines in Kaspersky's network.
"The thinking behind it is a generation ahead of anything we'd seen earlier."
Kaspersky insists that the malware compromised neither its security services nor its customer data. Eugene Kaspersky speculates that the hackers were spying on its ongoing security investigations or research and development. What's particularly worrying, though, is that the sophisticated Duqu 2.0 is almost certainly a government project — and Kaspersky wasn't its only target.
Since finding the malware, the company says it's uncovered Duqu 2.0 breaches in three hotels that were used for negotiations over Iran's nuclear program. As The Wall Street Journal reports, it was also found on the site of a 70th anniversary commemoration of liberating Auschwitz, where hackers could potentially have spied on world leaders. Duqu 2.0 modules could reportedly have hijacked security camera footage, pulled data off phones or computers connected to Wi-Fi, turned on microphones to eavesdrop on conversations, and accessed the front desk computers at the hotels. Kaspersky says it's still investigating what it believes is a much larger spread of targets.
Based on the choice of targets and other circumstantial evidence, Israel may be the most likely suspect in these attacks. While US involvement in this particular case apparently looks more dubious, the US and Israel are widely suspected to have developed Stuxnet in partnership, Duqu is firmly linked to Stuxnet, and researchers say it would be extremely difficult for an outside developer to replicate Duqu closely enough for Duqu 2.0. Kaspersky, however, has refrained from naming any specific countries.