Russia-based Internet security firm Kaspersky Lab said it has discovered a new malware platform from “one of the most skilled, mysterious, and powerful threat actors” in the APT (advanced persistent threat) world: Duqu.
The discovery of the threat was triggered by a cyber-intrusion which affected the internal systems of Kaspersky Lab in early spring of 2015.
Kaspersky Lab said the attackers might have been confident that the cyberattack would not be uncovered, since it included some unique and previously unseen features that left almost no traces.
The attack exploited zero-day vulnerabilities and spread through the network using MSI (Microsoft Software Installer) files, which are commonly used by system administrators to deploy software on remote Windows computers.
The cyberattack didn’t leave behind any disk files or change system settings, making detection extremely difficult, the company said.
The philosophy and way of thinking of the “Duqu 2.0” group is a generation ahead of anything seen in the APT world, it added.
“The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar,” said Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team.
“This highly sophisticated attack used up to three zero-day exploits, which is very impressive; the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”
Kaspersky Lab researchers discovered that the company was not the only target of this powerful threat actor: other victims were found in Western countries, as well as in the Middle East and Asia.
Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal.
The threat actor behind Duqu appears to have launched attacks at the venues where the high-level talks took place.
In addition to the P5+1 events, the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. These meetings were attended by many foreign dignitaries and politicians.
Kaspersky Lab said it performed an initial security audit and analysis of the attack, which included source code verification and checking of the corporate infrastructure.
The audit, it said, is still ongoing and will be completed in a few weeks. Besides intellectual property theft, no additional indicators of malicious activity were detected, it added.
The analysis revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected, however.
Kaspersky Lab said it is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.
“Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario,” commented Eugene Kaspersky, CEO of Kaspersky Lab.
“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted. The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin,” added Kaspersky.