
Earlier this year, during a security sweep, Kaspersky Lab detected a cyber intrusion affecting several of its internal systems.

Following this finding, Kaspersky launched a large-scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world, Duqu.

The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project. Until now.

Technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the step-brother of Stuxnet. Kaspersky named this new malware and its associated platform “Duqu 2.0”.

Victims of Duqu 2.0 have been found in several places, including western countries, the Middle East and Asia. The actor appears to compromise both final and utilitarian targets, which allows them to improve their cyber capabilities.

Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks.

In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

In the case of Kaspersky Lab, the attack took advantage of a zero-day (CVE-2015-2360) in the Windows kernel, patched by Microsoft on June 9, 2015, and possibly up to two other vulnerabilities, since patched, which were zero-days at that time.

THE ATTACK

The initial attack began with the targeting of an employee in a small APAC office.

The original infection vector for Duqu 2.0 is currently unknown, although we suspect spear-phishing e-mails played an important role.

This is because one of the "patient zero" machines we identified had its mailbox and web browser history wiped to hide traces of the attack. Since the respective machines were fully patched, we believe a zero-day exploit was used.

The attacker later took advantage of another zero-day, CVE-2014-6324, which was patched in November 2014 with MS14-068. This exploit allows an unprivileged domain user to elevate credentials to a domain administrator account.

The attacker finally deployed malware to the domain computers via MSI installation executables.
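A defender-side check for the elevation step above, added here as an example and not taken from the original post or from Kaspersky's analysis: Microsoft's guidance for MS14-068 pointed at successful logon events (4624) on domain controllers in which the Security ID and the Account Name do not belong to the same account, which is what a forged PAC produces. The events, SIDs, names and the simplified 4624 field layout below are all constructed.

```python
"""Flag 4624 logon events whose SID and Account Name disagree (constructed demo).
After a forged PAC is accepted, the DC records a successful logon whose SID
belongs to one user while the Account Name is another, often privileged, one."""

# Constructed snapshot of the directory: SID -> sAMAccountName.
SID_TO_NAME = {
    "S-1-5-21-1111-2222-3333-500": "Administrator",
    "S-1-5-21-1111-2222-3333-1105": "jdoe",
    "S-1-5-21-1111-2222-3333-1106": "asmith",
}

# Constructed 4624/4634 events as exported from a DC's Security log
# (field layout simplified; real exports carry many more fields).
SAMPLE_EVENTS = [
    {"event_id": 4624, "security_id": "S-1-5-21-1111-2222-3333-1105",
     "account_name": "jdoe", "logon_type": 3, "source_ip": "10.0.0.15"},
    {"event_id": 4624, "security_id": "S-1-5-21-1111-2222-3333-1105",
     "account_name": "Administrator", "logon_type": 3, "source_ip": "10.0.0.15"},
    {"event_id": 4634, "security_id": "S-1-5-21-1111-2222-3333-1105",
     "account_name": "jdoe", "logon_type": 3, "source_ip": "10.0.0.15"},
    {"event_id": 4624, "security_id": "S-1-5-21-1111-2222-3333-500",
     "account_name": "Administrator", "logon_type": 10, "source_ip": "10.0.0.2"},
]


def find_sid_name_mismatches(events, sid_to_name):
    """Return 4624 events whose SID resolves to a different account name.

    Unknown SIDs are reported too: a successful logon under a SID the
    directory snapshot cannot resolve deserves a look on its own.
    """
    hits = []
    for ev in events:
        if ev.get("event_id") != 4624:
            continue
        expected = sid_to_name.get(ev["security_id"])
        if expected is None or expected.lower() != ev["account_name"].lower():
            hits.append({"security_id": ev["security_id"],
                         "claimed_name": ev["account_name"],
                         "resolved_name": expected,
                         "source_ip": ev.get("source_ip")})
    return hits


if __name__ == "__main__":
    for hit in find_sid_name_mismatches(SAMPLE_EVENTS, SID_TO_NAME):
        print(f"mismatch: SID {hit['security_id']} ({hit['resolved_name']}) "
              f"logged on as {hit['claimed_name']} from {hit['source_ip']}")
```

On a real domain the SID map would come from the directory itself and the events from the DC's Security log; the second sample event is the one this check is meant to surface.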

ATTRIBUTION

Attribution of cyberattacks over the Internet is a difficult task.

In the case of Duqu, the attackers use multiple proxies and jumping points to mask their connections. This makes tracking an extremely complex problem.

Additionally, the attackers have tried to include several false flags throughout the code, designed to send researchers in the wrong direction.

CONCLUSION

From a threat actor point of view, the decision to target a world-class security company must be quite difficult.

On one hand, it almost surely means the attack will be exposed, since it is very unlikely that the attack will go unnoticed.

So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed.

By targeting Kaspersky Lab, the Duqu attackers have probably taken a huge bet, hoping they’d remain undiscovered, and lost.
