Duqu attack on Kaspersky may have cost at least $10 million

Jun 10, 2015 22:27 GMT  ·  By

Earlier today, the boss of Kaspersky Labs appeared in a cheerful mood at a press conference in London, called to offer clarifications on the cyber-attack against one of the company's offices, carried out by one of the most mysterious advanced persistent threat (APT) groups identified to date.

Eugene Kaspersky did not offer details about who was behind the attack and was evasive on providing an accurate time frame for the compromise, but he was quick to point out the sophistication of the platform used, a second-generation Duqu that emerged in 2014 after an absence of about two years.

Duqu 2 was like a ninja on Kaspersky's systems

He said that the malware and the tactics used by the APT allowed it to be almost invisible on the network for a significant period of time, comparing its actions and the prowess of the threat actor to a mix of Alien, Terminator and Predator in the movie world.

The components of Duqu 2 were found on the internal network of one of the security company's APAC offices in the spring, but Eugene Kaspersky said that it had gone undetected for a long time, apparently a few months.

It would probably have spent even more time on the infrastructure, collecting information on the malware research approach of the company's security experts (collection and manual analysis) and on the technologies the company uses, had its activity not been revealed during an internal security audit of the systems.

The reason it flew under the radar for this long is that it leaves no trace on the compromised machine's disk: all malicious modules run in memory only. A simple reboot, which Kaspersky also recommends to make sure Duqu 2 is no longer on a network, would remove the infection from a machine, but only if the entire network is powered off at the same time, since a rebooted machine can otherwise be re-infected from hosts that are still compromised.

Apart from residing only in RAM, the malware generates little network traffic, which would otherwise have alerted Kaspersky’s anti-APT systems to suspicious activity; it also impersonates the system administrator, a tactic that further hinders detection.

Initial access to the network was most likely gained via spear-phishing; multiple vulnerabilities (zero-days at the time the attack was discovered, one of them patched on Tuesday) were then exploited to elevate privileges and spread across the infrastructure.

State-sponsored attacks drive the advances in cybercrime, too

It is believed that Duqu 2 is the result of a state-sponsored operation targeting high-profile companies in the West, Asia, the Middle East and Russia, an operation whose cost Kaspersky estimates to start at the $10 / €8.8 million mark.

In a report published by Symantec on Wednesday, victims were identified in Sweden, India, Hong Kong, the USA and the UK, as well as in North Africa.

As far as attribution is concerned, Eugene Kaspersky said that researchers can draw conclusions only from the malware's source code, the command and control servers used, and the movement observed on the network. No specific government was named during the press conference.

However, he talked about the future implications of such an attack against a security company, saying that it also pushes cybercrime to new standards. State-sponsored cyber incidents educate the “bad guys” (referring to cybercriminals who are in the game for the money), and traditional crime is also nudged towards cyber tools, bringing everything closer to cyber terrorism.

APT group picked on someone its own size, and got exposed

Taking on a leading security company “was a mistake,” Kaspersky said, suggesting that an organization in a different line of business might have found itself in really hot water if compromised.

The incident was disclosed in the spirit of transparency and to convince other companies to do the same, in order to improve collaboration against threat actors.

The investigation into the incident is ongoing, but based on the current findings, Kaspersky is confident that the company's partners and customers are safe, despite the threat actor’s ability to peek into the company's databases.

The purpose of the attack appears to have been spying on the technology and methods used for malware analysis, although such techniques become obsolete quickly, as each new piece of research supersedes them.

Kaspersky himself does not know what to make of it, because the source code of the company's products is available to governments upon request, and the company's success does not rely on a “secret sauce” but on hard work and innovative, efficient ideas for fighting cybercrime.

Nevertheless, according to the CEO, the effort the APT group invested in creating a new generation of malware was wasted, since tools to catch it have been created and details of its modus operandi have been shared with the security industry.

“Don’t hack me! That’s a bad idea” were the words Eugene Kaspersky ended the conference with. It is unclear, though, how bad an idea this was in the case of Duqu APT if the goal, whatever it might have been, was reached.