In early spring 2015, Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems. Following this finding, the company launched an intensive investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful threat actors in the APT (advanced persistent threat) world: Duqu.
Kaspersky Lab believes the attackers were confident that it was impossible to discover the cyberattack. The attack included some unique and previously unseen features and left almost no traces. The attack exploited zero-day vulnerabilities and, after elevating privileges to domain administrator, the malware was spread through the network via MSI (Microsoft Software Installer) files, which system administrators commonly use to deploy software on remote Windows computers. The cyberattack left no files on disk and changed no system settings, making detection extremely difficult. The philosophy and way of thinking of the “Duqu 2.0” group is a generation ahead of anything seen in the APT world.
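Because the payload described above stays in memory, the installer trail is one of the few artifacts a defender can work with: an account pushing the same MSI package to many hosts within minutes looks the same whether it is a scheduled software rollout or a lateral-movement wave, so the useful analytic is a burst detector plus an allowlist of accounts that are supposed to do that. The following is an added illustration written for this page, not code from Kaspersky Lab or from the Duqu 2.0 investigation. The log format, host names, account names and product names are all constructed for the example; a real deployment would map the fields from whatever endpoint agent or Windows Installer event feed the organization actually collects.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the original advisory). One line per
# "product installed" event as an endpoint agent might forward it:
# timestamp, host, initiating account, product name.
SAMPLE_EVENTS = """\
2015-03-02T09:14:05 WS-0117 CORP\\svc_deploy Corp VPN Client 3.1
2015-03-02T09:14:09 WS-0203 CORP\\svc_deploy Corp VPN Client 3.1
2015-03-02T09:14:12 WS-0342 CORP\\svc_deploy Corp VPN Client 3.1
2015-03-02T09:14:16 WS-0410 CORP\\svc_deploy Corp VPN Client 3.1
2015-03-02T09:14:20 FS-02 CORP\\svc_deploy Corp VPN Client 3.1
2015-03-02T11:02:44 WS-0117 CORP\\jsmith 7-Zip 9.20
2015-03-02T23:41:03 DC-01 CORP\\da_backup Windows Installer Cleanup
2015-03-02T23:41:07 FS-01 CORP\\da_backup Windows Installer Cleanup
2015-03-02T23:41:11 MAIL-01 CORP\\da_backup Windows Installer Cleanup
2015-03-02T23:41:15 WS-0342 CORP\\da_backup Windows Installer Cleanup
"""


def parse_events(text):
    """Parse the constructed line format into (timestamp, host, account, product) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, product = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, account, product))
    return events


def find_mass_deployments(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: {product: [hosts]}} for every account that installed the
    same package on at least `min_hosts` distinct hosts inside a `window`-long
    sliding window. Events are grouped per (account, product) and sorted by
    time so the window slides over each group independently."""
    by_key = defaultdict(list)
    for ts, host, account, product in events:
        by_key[(account, product)].append((ts, host))

    hits = {}
    for (account, product), items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = {h for _, h in items[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits.setdefault(account, {}).setdefault(product, set()).update(hosts)

    return {a: {p: sorted(h) for p, h in prods.items()} for a, prods in hits.items()}


def triage(events, known_deployment_accounts):
    """Drop bursts from accounts that are expected to roll out software; what is
    left is some other principal pushing one package to many hosts at once,
    which is the pattern worth a human look."""
    hits = find_mass_deployments(events)
    return {a: p for a, p in hits.items() if a not in known_deployment_accounts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for account, products in triage(evs, {"CORP\\svc_deploy"}).items():
        for product, hosts in products.items():
            print(f"{account} installed '{product}' on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample the scheduled `svc_deploy` rollout is filtered out by the allowlist and the single `jsmith` install never reaches the threshold, leaving only the late-night `da_backup` burst across a domain controller, a file server and a mail server. The threshold and window are tunable knobs; too low and every patch cycle fires, too high and a careful actor that drips installs over hours is missed, so the allowlist of legitimate deployment accounts does most of the work in practice.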
Kaspersky Lab researchers discovered the company wasn’t the only target of this powerful threat actor. Other victims have been found in Western countries, as well as in countries in the Middle East and Asia. Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues where the high level talks took place. In addition to the P5+1 events, the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. Similar to the P5+1 events, these meetings were attended by many foreign dignitaries and politicians.
Upon discovery, Kaspersky Lab performed an initial security audit and analysis of the attack. The audit included source code verification and checking of the corporate infrastructure. The comprehensive audit is still ongoing and will be completed in a few weeks. Besides intellectual property theft, no additional indicators of malicious activity were detected. The analysis revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected.
Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.
Kaspersky Lab would like to assure its clients and partners that the company will continue to protect against any cyberattack indiscriminately. Kaspersky Lab is committed to doing right by its customers and maintaining their full trust and confidence; the company is confident that the steps taken will address this incident while preventing a similar issue from occurring again. Kaspersky Lab has contacted cyberpolice departments in different countries making official requests for criminal investigations of this attack.
Kaspersky Lab would like to reiterate that these are only preliminary results of the investigation. There is no doubt that this attack had a much wider geographical reach and many more targets. Judging from what the company already knows, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geo-political interests. To mitigate this threat, Kaspersky Lab is releasing Indicators of Compromise and would like to offer its assistance to all interested organizations.