Original Article from June 2015
Researchers at Kaspersky Lab in Russia have discovered yet another nation-state attack attributed to the group behind the infamous Stuxnet and Duqu malware. But this time the perpetrators were hiding in plain sight: inside the security firm’s own networks.
Kaspersky says the attackers became entrenched in its networks sometime last year. For what purpose? To siphon intelligence about the nation-state attacks the company is investigating: a case of the watchers watching the watchers who are watching them. They also wanted to learn how Kaspersky’s detection software works so they could devise ways to avoid getting caught. Too late, however: Kaspersky found them recently while testing a new product designed to uncover exactly the kind of attack the intruders had launched.
The attackers appear to be the same group that created Duqu, spyware discovered in 2011 that was used to hack a certificate authority in Hungary, as well as targets in Iran and Sudan, and that shared a number of similarities with Stuxnet, the famed digital weapon that sabotaged Iran’s nuclear program. The team’s handiwork popped up again in 2012 in two sophisticated spy tools Kaspersky helped expose—the massive Flame surveillance platform that infected thousands of victims over a period of five years and the mysterious Gauss attack, which contained a payload so securely locked that it’s yet to be deciphered.
The hack against Kaspersky bears some of the hallmarks of the 2011 Duqu attack, including a shared algorithm and large amounts of identical code. But where the original Duqu consisted of just six modules, Duqu 2.0, as Kaspersky is calling it, is a massive 19-megabyte toolkit with plugins for a range of reconnaissance and data-theft activities. All of these are stored in and operated stealthily from an infected machine’s memory, never written to disk, so that file-based detection tools that would otherwise uncover them have nothing to scan. The trade-off is that memory-resident code does not survive a reboot, so the operators have to reinfect a cleaned machine from another foothold. The attackers also appear to have used at least three zero-day exploits to conduct their attack, as well as a clever technique to surreptitiously extract data remotely and communicate with infected machines.
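The memory-only design described above is what makes a disk scanner blind; the complementary check is to look at process memory for executable regions that have no intact file behind them. The following is an added example, not Kaspersky’s tooling and not Duqu 2.0 code. Duqu 2.0 ran on Windows; this shows the same principle on Linux by parsing /proc/<pid>/maps, where anonymous executable mappings, memfd-backed mappings and mappings whose file was deleted all leave nothing on disk to inspect. The sample maps text and the process it depicts are constructed.

```python
"""Flag executable memory that has no intact backing file on disk.

Added example, not Kaspersky's tooling and not Duqu 2.0 code. Duqu 2.0 was
memory-resident on Windows; this shows the same principle on Linux by
parsing /proc/<pid>/maps lines of the form
    start-end perms offset dev inode pathname
Executable regions with no pathname (anonymous), a "(deleted)" path or a
/memfd: path leave nothing for an on-disk scanner to hash or inspect.
"""
import os
import re
from dataclasses import dataclass

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample (hypothetical process), formatted like real /proc/<pid>/maps output.
SAMPLE_MAPS = """\
5581f2a00000-5581f2a1c000 r--p 00000000 fd:01 1311023 /usr/bin/sshd
5581f2a1c000-5581f2ab4000 r-xp 0001c000 fd:01 1311023 /usr/bin/sshd
7f3c1c000000-7f3c1c021000 rw-p 00000000 00:00 0
7f3c1d200000-7f3c1d241000 rwxp 00000000 00:00 0
7f3c1e000000-7f3c1e100000 r-xp 00000000 00:05 49 /memfd:stage2 (deleted)
7f3c1f000000-7f3c1f010000 r-xp 00000000 fd:01 9911 /tmp/.x86 (deleted)
7ffd0a1c5000-7ffd0a1e6000 rw-p 00000000 00:00 0 [stack]
7ffd0a1f9000-7ffd0a1fb000 r-xp 00000000 00:00 0 [vdso]
"""


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def classify(perms, path):
    """Return why an executable mapping is suspicious, or None if it looks normal."""
    if "x" not in perms:
        return None
    if path.startswith("["):                 # [vdso], [vsyscall]: kernel-provided, expected
        return None
    if path == "":
        return "anonymous executable mapping"
    if path.startswith("/memfd:"):
        return "memfd-backed executable (never existed on disk)"
    if path.endswith("(deleted)"):
        return "executable backed by a deleted file"
    if "w" in perms:                         # W^X violation even with a file behind it
        return "writable and executable file mapping"
    return None


def suspicious_exec_regions(maps_text):
    """Parse maps text and return one Finding per suspicious executable region."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m["path"].strip()
        reason = classify(m["perms"], path)
        if reason:
            findings.append(Finding(int(m["start"], 16), int(m["end"], 16), m["perms"], path, reason))
    return findings


def scan_process(pid):
    """Run the same check on a live Linux process; returns [] where /proc is unavailable."""
    try:
        with open(f"/proc/{pid}/maps") as fh:
            return suspicious_exec_regions(fh.read())
    except OSError:
        return []


if __name__ == "__main__":
    for f in suspicious_exec_regions(SAMPLE_MAPS):
        print(f"{f.start:#x}-{f.end:#x} {f.perms} {f.path or '<anon>'}: {f.reason}")
    for f in scan_process(os.getpid()):
        print(f"self: {f.start:#x} {f.reason}")
```

On the sample, the sshd text segment and the stack are passed over, while the rwx anonymous region, the memfd mapping and the deleted /tmp binary are reported. JIT compilers and some packers legitimately produce anonymous executable memory, so in practice the output is a triage list, not a verdict.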
“The entire code of this [attack] platform is some of the best we have seen ever,” Costin Raiu, director of the company’s Global Research and Analysis Team, told WIRED. “It is incredibly well written. Almost no mistakes anywhere.”
Kaspersky is still trying to determine how much data the attackers stole. As in the 2011 Duqu attack, the thieves embedded the purloined data inside blank image files to slip it out, a steganographic channel that, Raiu says, “makes it difficult to estimate the volume of information that was actually transferred.” But at least, he says, it doesn’t appear that the attackers were out to infect Kaspersky customers through its networks or products. Kaspersky claims to have more than 400 million users worldwide.
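An image file carrying stolen data still has to hold that data somewhere a viewer will not complain about. The article does not say how Duqu 2.0 encoded it, so the following added example (not Kaspersky’s analysis code) shows two generic hiding spots in a PNG, a private ancillary chunk and bytes appended after the IEND marker, next to the parser that finds both. The carrier image, the payloads and the chunk name "prVt" are constructed.

```python
"""Audit a PNG for bytes that are not pixel data: a basic check for an image
used as an exfiltration carrier.

Added example, not Kaspersky's analysis code. The article says only that
stolen data was embedded in blank image files; how Duqu 2.0 encoded it is
not described, so this shows two generic hiding spots (a private ancillary
chunk, and bytes appended after IEND) and the parser that reports them.
The carrier, payloads and chunk name "prVt" are constructed.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def _chunk(ctype, body):
    """length (4 bytes) + type (4) + body + CRC32 over type and body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_blank_png(width=8, height=8):
    """Constructed carrier: an all-white 8-bit grayscale PNG with no metadata."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff" * width for _ in range(height))  # filter 0 + pixels
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b"")


def hide_in_private_chunk(png, payload, ctype=b"prVt"):
    """Insert payload as an ancillary private chunk before IEND; viewers ignore it."""
    iend = _chunk(b"IEND", b"")
    if not png.endswith(iend):
        raise ValueError("expected IEND as the last chunk")
    return png[:-len(iend)] + _chunk(ctype, payload) + iend


def hide_after_iend(png, payload):
    """Append payload after IEND; decoders stop at IEND and never see it."""
    return png + payload


def audit_png(data):
    """Walk the chunk list, verify CRCs and report anything that is not pixel data."""
    findings, chunks = [], []
    idat_bytes = non_pixel_bytes = 0
    if not data.startswith(PNG_SIG):
        return {"findings": ["missing PNG signature"], "chunks": chunks}
    pos, saw_iend = len(PNG_SIG), False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            findings.append(f"truncated chunk {name}")
            pos = len(data)
            break
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"bad CRC on {name}")
        chunks.append((ctype, length))
        if ctype == b"IDAT":
            idat_bytes += length
        elif ctype not in (b"IHDR", b"IEND"):
            non_pixel_bytes += length
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    trailing = len(data) - pos
    if trailing > 0:
        findings.append(f"{trailing} bytes after IEND" if saw_iend else f"{trailing} unparsed trailing bytes")
    return {"findings": findings, "chunks": chunks, "idat_bytes": idat_bytes,
            "non_pixel_bytes": non_pixel_bytes, "trailing_bytes": trailing}


if __name__ == "__main__":
    carrier = make_blank_png()
    for label, sample in [("clean", carrier),
                          ("private chunk", hide_in_private_chunk(carrier, b"secret" * 20)),
                          ("after IEND", hide_after_iend(carrier, b"secret" * 20))]:
        print(label, audit_png(sample)["findings"])
```

The private-chunk variant renders identically to the clean image because its CRC is valid and decoders skip unknown ancillary chunks, which is exactly why the audit compares the byte budget outside IDAT against the pixel data instead of trusting that the file “opens fine.” Data hidden inside the pixel values themselves would need a statistical test, not this structural one.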
Kaspersky wasn’t the only victim of Duqu 2.0. Based on data the company collected from its customers, the attackers also struck a series of hotels and conference venues, each of them a location where members of the UN Security Council met in the past year to negotiate Iran’s nuclear program. That program is a recurring interest for the attackers behind the Duqu code, which shouldn’t come as a big surprise. The US and Israel reportedly were behind Stuxnet, but various researchers have long suspected that Israel alone was behind the Duqu code. The focused spying on the nuclear negotiations, from which Israel was excluded, would seem to support this theory.
Additionally, the security firm Symantec, which obtained samples of Duqu 2.0 provided by Kaspersky, uncovered more victims of the targeted attack code among its own customers, and found that some of these victims were in the US—a fact that would be cause for even more concern if the attack were perpetrated by the US government.
Duqu 2.0 Exposed
Over the last five years, Kaspersky has made a name for itself exposing one nation-state attack after another, including Stuxnet, Duqu, Flame, Gauss, Regin and the Equation Group—many of them seemingly launched by the US and its UK and Israeli allies. It was perhaps inevitable that Kaspersky eventually would be targeted itself.
Kaspersky uncovered the breach after an engineer, testing a new product on a company server, spotted anomalous traffic and dug further. Eventually the company determined that a couple dozen Kaspersky systems had been infected. To preserve the integrity of the investigation, the company won’t say exactly when the intrusion began, but Raiu says they’re working with law enforcement agencies in several countries to track the breach of Kaspersky as well as the other victims. The company has also filed police complaints in Russia and in the UK, where it also has an office.
Mode of Infection
The infection of Kaspersky unfolded like a precision campaign. The attackers first targeted an employee in one of the company’s Asia-Pacific offices, likely using a spear-phishing email carrying a zero-day exploit to breach the system. The employee’s machine had all the latest software patches installed, but zero-day exploits target vulnerabilities as yet unknown to the software maker, so no patch exists to close them.
Another indication that a spear-phishing email was used was the fact that while Kaspersky was investigating the breach, the attackers wiped the mailbox and browsing history from the infected employee’s system, preventing Kaspersky from fully analyzing it.
The wipe occurred just four hours before Kaspersky identified the employee’s machine as “patient zero,” suggesting the intruders knew they’d been caught and were racing to eliminate evidence before Kaspersky could find it. Raiu suspects they may have been tipped off when Kaspersky disconnected many of its critical systems from the Internet after discovering the breach. He notes, however, that the company has backups and logs of the employee’s system, and once they’re able to compile and review them, he’s confident they’ll produce evidence of how the attackers got in.
From this first infected system, the attackers leapfrogged to others in the network, likely using a second zero-day exploit to do this. “We were able to map the malware jumping from one computer to another based on event logs,” Raiu says.
He thinks they used an exploit for a vulnerability in the Windows Kerberos key distribution center (MS14-068, CVE-2014-6324), which Microsoft patched in November 2014, after the attackers had already used it. The flaw let any authenticated domain user forge the privilege attribute certificate in a Kerberos ticket so that the domain controller accepted it as belonging to a domain administrator; from there the attackers could obtain credentials for any other system in the domain. Although Kaspersky found no sample of such an exploit on its systems, it saw indications that a domain controller attack had occurred.
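Mapping the hops from event logs, as Raiu describes, amounts to replaying remote logon events in time order and letting a host join the chain only when the logon came from a host already in it. The following added example does that over constructed Windows Security 4624 records; it is not Kaspersky’s tooling, and the hostnames, addresses, accounts and timestamps are invented for illustration. The IP-to-host table stands in for the DHCP or DNS logs an investigator would use.

```python
"""Reconstruct a lateral-movement chain from Windows Security logon events.

Added example, not Kaspersky's tooling; the article says only that event
logs let the team map the malware hopping between machines. Hostnames, IPs,
accounts and timestamps below are constructed. Fields mirror event 4624
(successful logon): "computer" is where the logon landed, logon type 3 is a
network logon and 10 a remote-interactive one, "ip" is the client address.
"""
from dataclasses import dataclass
from datetime import datetime

SAMPLE_EVENTS = [  # constructed 4624 records, reduced to the fields used here
    {"time": "2014-11-20T09:02:11", "computer": "APAC-WS01", "logon_type": 2, "user": "jdoe", "ip": "-"},
    {"time": "2014-11-20T09:40:53", "computer": "APAC-FS01", "logon_type": 3, "user": "jdoe", "ip": "10.10.1.21"},
    {"time": "2014-11-20T11:15:07", "computer": "DC01", "logon_type": 3, "user": "jdoe", "ip": "10.10.1.21"},
    {"time": "2014-11-21T02:05:44", "computer": "HQ-DEV07", "logon_type": 3, "user": "Administrator", "ip": "10.10.0.5"},
    {"time": "2014-11-21T02:09:12", "computer": "HQ-DEV07", "logon_type": 3, "user": "svc_backup", "ip": "10.20.3.40"},
    {"time": "2014-11-21T03:30:00", "computer": "HQ-RES12", "logon_type": 10, "user": "Administrator", "ip": "10.10.5.77"},
]
# Constructed address resolution for the period; in practice taken from DHCP lease or DNS logs.
HOST_BY_IP = {"10.10.1.21": "APAC-WS01", "10.10.0.5": "DC01", "10.10.5.77": "HQ-DEV07", "10.20.3.40": "FIN-WS33"}
REMOTE_LOGON_TYPES = {3, 10}  # network and RemoteInteractive logons; local (2) logons are not hops


@dataclass(frozen=True)
class Hop:
    time: datetime
    src: str
    dst: str
    user: str


def remote_logon_edges(events, host_by_ip):
    """One directed edge per remote logon whose client IP resolves to a known host."""
    edges = []
    for ev in events:
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        src = host_by_ip.get(ev["ip"])
        if src is None or src == ev["computer"]:
            continue
        edges.append(Hop(datetime.fromisoformat(ev["time"]), src, ev["computer"], ev["user"]))
    return sorted(edges, key=lambda h: h.time)


def propagation_chain(edges, patient_zero):
    """Replay edges in time order; a host joins the chain on the first logon
    from a host already in it. Logons from untouched hosts are treated as noise."""
    compromised = {patient_zero}
    chain = []
    for hop in edges:
        if hop.src in compromised and hop.dst not in compromised:
            compromised.add(hop.dst)
            chain.append(hop)
    return chain


def first_dc_hop(chain, domain_controllers):
    """The hop that reached a domain controller, i.e. where domain-wide credentials were likely obtained."""
    return next((h for h in chain if h.dst in domain_controllers), None)


if __name__ == "__main__":
    chain = propagation_chain(remote_logon_edges(SAMPLE_EVENTS, HOST_BY_IP), "APAC-WS01")
    for h in chain:
        print(f"{h.time:%Y-%m-%d %H:%M:%S}  {h.src:>10} -> {h.dst:<10} as {h.user}")
    dc = first_dc_hop(chain, {"DC01"})
    if dc:
        print(f"domain controller reached from {dc.src} as {dc.user}")
```

In the sample the ordinary account jdoe logs on to the domain controller from the patient-zero workstation, and every later hop is made as Administrator from the domain controller outward: the sequence a Kerberos privilege-escalation exploit would leave behind. The unrelated svc_backup logon from FIN-WS33 is dropped because that host was never part of the chain, which is the filter that keeps a busy Security log readable.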
Once the attackers found a computer of interest, they used another zero-day exploit (CVE-2015-2360, a Windows kernel-mode flaw fixed in MS15-061) to install their toolkit in memory from kernel mode, the most privileged layer of the machine. Kaspersky reported this zero-day to Microsoft several weeks ago, and the software vendor issued a patch yesterday. Kaspersky waited for that patch before going public with news of the breach and the zero-day exploit.
Original Article by Kim Zetter