The Moscow-based security firm Kaspersky Lab is known for identifying and cataloging malicious software. Now, it has also become a victim of one of the most sophisticated attacks the company has discovered.
The company detailed the incident in a blog post Wednesday, describing a long-running and sophisticated campaign that relied on three separate “zero-day” vulnerabilities in software made by Microsoft. The attackers compromised systems operated by the company’s virus researchers and product developers, with an interest in tools Kaspersky was developing to spot so-called “advanced persistent threat,” or APT, attacks.
In a press conference in London on Wednesday, Kaspersky chief executive Eugene Kaspersky described the campaign against his company as “very complicated” and “almost invisible,” beginning in the final months of 2014 and continuing through the spring of 2015.
According to a report on the attack published by Kaspersky, the attackers used two different malicious programs, which Kaspersky collectively dubbed “Duqu 2.0,” to infect computers. The attackers used previously unknown exploits to gain administrator-level access to Kaspersky’s network. They then abused that access to distribute the software to target systems, disguised as legitimate software packages.
Notably, the malware ran purely in the volatile memory of the computers it infected. That technique meant the software could not survive a reboot. In return, it allowed the malware to operate without first installing itself on the infected system’s hard drive or modifying the operating system registry. Those are two common behaviors that almost certainly would have resulted in the malicious software being detected.
“This is a mix of 'Alien,' 'Predator,' and 'Terminator' in terms of Hollywood,” said a jovial and suntanned Mr. Kaspersky, referring to the classic action films. “It is almost not possible to see how it infects computers.”
Kaspersky said the malicious software bore a close resemblance to earlier versions of Duqu, a cyberespionage platform that was first identified in 2011 and that has been linked to attacks on the government of Iran and parties involved in sensitive talks regarding the fate of Iran’s nuclear program.
Asked about the source of the attack, Kaspersky declined to speculate on the origin of the malicious software, saying that the attack came by way of proxy servers and that Kaspersky lacked the legal authority to do what would be needed to trace the attack back to its origins.
Still, his company’s report on the malware makes clear that Kaspersky was not the only victim.
Victims of Duqu 2.0 were identified in several countries, including western nations, the Middle East, and Asia. While some of those appear to be opportunistic infections designed to further the spread of the malware, some are linked to events and venues with a connection to the so-called “P5+1” negotiations with Iran about a nuclear deal. The list includes three luxury hotels in Europe that played host to P5+1 diplomats and negotiators, according to a report in The Wall Street Journal.
Some experts have interpreted that as proof the government of Israel – which is excluded from the P5+1 group – is behind the Duqu malware. Kaspersky’s report is mum on attribution, but does note that the Duqu 2.0 group has launched “a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau,” a possible reference to Israel.
The motivation for such a group to compromise a security company such as Kaspersky Lab is unclear. The chief executive said his company’s analysis of the incident revealed compromises in systems used by its virus researchers but that the attack did not target Kaspersky's antivirus software, which is installed on hundreds of millions of machines globally.
Instead, attackers focused on systems containing information about Kaspersky’s future technologies, anti-APT solutions, and APT research as well as research the company is doing on developing a secure operating system for use in critical infrastructure. In recent years, Kaspersky Lab researchers have discovered or contributed to research exposing a number of state-backed malware campaigns, including the initial Duqu attacks.
Wednesday’s Kaspersky report is the first known evidence of a successful APT attack on an antivirus software firm. Kaspersky Lab employs some of Russia and Eastern Europe’s top malware analysts and reverse engineers. Mr. Kaspersky took it as a point of pride that his company discovered such a sophisticated operation on its own, while downplaying the long-term impact of a compromise that lasted “months,” by his own admission.
Security experts outside the company acknowledged that a frontal attack on a firm such as Kaspersky Lab was unusual, but said it proved that even sophisticated companies are not immune from compromise.
“This is a pretty vicious attack that was well thought-out and planned,” said Karl Sigler, the threat intelligence manager at the security firm Trustwave. “It shows that there’s no such thing as 100 percent secure.”
Memory-resident malware of the kind used in the attack is “uncommon,” but not unknown in other malicious campaigns, Mr. Sigler said. However, the use of exploits for previously unknown software vulnerabilities set the attack apart and also made it all but impossible to detect, he said.
Sigler said the only recourse was for firms to “stay vigilant,” as malicious actors were “stepping up their game.”