Kaspersky Hacked By Stuxnet-Linked Attacker

Kaspersky, a leading anti-virus company from Russia, announced that it uncovered a piece of malware on its networks that tried to steal information about its products and clients.

The company called the malware "Duqu 2.0" due to its similarity to the "Duqu" malware found in 2011 and used in attacks against Iran, India, France and Ukraine. Duqu was also seen at the time as being linked to the Stuxnet malware, which is believed to have been created by the U.S.'s and Israel's spy agencies.

The attack was found early this year when Kaspersky was testing an "anti-APT" (Advanced Persistent Threat) solution the company was developing. The malware was otherwise almost impossible to detect because it resided only in kernel memory and erased its traces from the disk.

It also didn't connect directly to a command-and-control server to receive instructions. Instead, the attackers infected the network gateways in order to proxy the company's traffic through their own command-and-control servers.
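The gateway-proxying behavior described above is something a defender can look for in flow data: an internal host that is not a sanctioned gateway, yet accepts connections from several internal peers and also talks to external addresses, is behaving like a relay. The script below is an added example written for this page, not code from the article or from Kaspersky; the `src dst dport` record format, the 10.0.0.0/8 internal range, the single expected egress gateway 10.0.0.1 and all sample records are constructed assumptions.

```python
"""Constructed example (not from the article or Kaspersky): flag internal
hosts that behave like unexpected relays, i.e. receive connections from
several internal peers and also originate connections to external hosts."""
import ipaddress
from collections import defaultdict
from typing import Iterable, List, NamedTuple

# Assumed site layout: one internal /8 and one sanctioned egress gateway.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
EXPECTED_EGRESS = {"10.0.0.1"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated 'src dst dport' record (hypothetical format)."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_unexpected_relays(flows: Iterable[Flow], min_peers: int = 2) -> List[str]:
    """Return internal hosts that (a) accept connections from at least
    min_peers distinct internal sources and (b) also originate connections
    to external addresses, excluding the sanctioned egress gateway."""
    inbound_peers = defaultdict(set)  # host -> set of internal sources seen
    egress_hosts = set()              # internal hosts seen talking outward
    for f in flows:
        if not is_internal(f.src):
            continue  # flows arriving from the internet are out of scope here
        if is_internal(f.dst):
            inbound_peers[f.dst].add(f.src)
        else:
            egress_hosts.add(f.src)
    return sorted(
        h for h in egress_hosts
        if h not in EXPECTED_EGRESS and len(inbound_peers[h]) >= min_peers
    )


def detect_from_lines(lines: Iterable[str]) -> List[str]:
    """Convenience wrapper: parse raw records and run the relay check."""
    return find_unexpected_relays(parse_flow(l) for l in lines if l.strip())


# Constructed sample records; external addresses use documentation ranges.
# 10.0.0.1 is the sanctioned gateway, 10.2.2.5 is an unexpected relay,
# 10.9.9.9 only receives a single internal peer and never talks outward.
SAMPLE_FLOWS = """
10.1.1.10 10.0.0.1 443
10.1.1.11 10.0.0.1 443
10.0.0.1 203.0.113.8 443
10.1.1.10 10.2.2.5 443
10.1.1.12 10.2.2.5 443
10.2.2.5 198.51.100.7 443
10.1.1.13 10.9.9.9 445
""".strip().splitlines()

if __name__ == "__main__":
    print(detect_from_lines(SAMPLE_FLOWS))  # ['10.2.2.5']
```

On a real network this check needs a baseline: file servers, domain controllers and legitimate proxies all accept many internal connections and also reach the internet, so the `EXPECTED_EGRESS` allowlist has to be built from the known gateway inventory before the output is meaningful, and a host that newly starts matching the pattern is the interesting signal.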

The attack also used three zero-day vulnerabilities in Microsoft's software installers, which are used by many enterprise customers. Normally such zero-day vulnerabilities cost hundreds of thousands of dollars each on the black market. However, if the attacker was indeed the NSA, then it could also have obtained them for free through "cyber threat sharing" programs, where companies give the NSA access to their vulnerabilities months before patches are ready or before anyone else knows the bugs even exist. Such programs are supposed to give the NSA advance notice to secure its networks, but they can also be used for offensive purposes before the vulnerabilities are patched by the companies.

Whoever the attackers were, they must have thought they could never be detected, or that an eventual detection was worth the price if they could steal useful data. Kaspersky said that because it detected the attack early, only some intellectual property was stolen, and its customers' data is safe.

However, it warned that the attack may already be in use against other high-value targets around the world. Others may not have Kaspersky's expertise to protect themselves against this complex and hard-to-detect malware, so the company will offer assistance to those interested in detecting Duqu 2.0.

Kaspersky has already contacted the police in different countries to investigate this attack and called for law enforcement to openly prosecute such attacks, which can ultimately leave ordinary citizens exposed to even more malicious attackers.

"Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario," commented Eugene Kaspersky, CEO of Kaspersky Lab. "Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted. The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin," he added.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • stratplaya
    I guess Russians don't like getting hacked, huh?
  • srap
    I guess Russians don't like getting hacked, huh?
    Do you happen to know anyone who likes getting hacked? One that doesn't involve a P2O.
  • jaber2
    I guess Russians don't like getting hacked, huh?
    Do you happen to know anyone who likes getting hacked? One that doesn't involve a P2O.
    Hackers love to get hacked.
  • targetdrone
    It's all fun and games until a KGB front company is hacked by CIA made software.
  • Dylan Orr
    What no mom jokes? <sigh>

    Childish behavior aside, foremost my hat's off to the Russians (Kaspersky in this case) for going public about this hack (using that level of sophistication). This is ridiculous if this is indeed a government hack; hacking known iconic security companies because they can't publicly have access to private security companies, they violate their own laws (or find some BS loophole) to gain access anyhow. I'm hoping that they 'missed something' or something is released at a later date finding who was behind this/these attacks. And I really do hope the police do something about it. Rarely would something like this 'happen in the wild'; either way, the hacking group that did this (government or private party) needs to be discovered and brought into the light. Most users, myself included, trust these third-party vendors for protection from such threats; when the foundation of security is being undermined, it should break news and turn a few heads. Ironically (not surprisingly) only end users, bloggers, 'the people' seem to give a damn. I'm not holding my breath for an American rally against this BS (especially) from a government authority. Hopefully Kaspersky doesn't let this one slide under the rug.
  • house70
    I guess Kaspersky is not in NSA's pocket (yet).

    "However, if the attacker was indeed the NSA, then it could've also gotten it for free from "cyber threat sharing" programs, where companies give the NSA access to their vulnerabilities months before patches are ready or before anyone else knows the bugs even exist. Such programs are supposed to give the NSA advance notice to secure its networks, but they can also be used for offensive purposes before the vulnerabilities are patched by the companies."

    I, for one, find this so-called "sharing" program rather disturbing; for starters, the NSA doesn't really give anything in return, so it's not really sharing. Then, one can be certain they can and WILL use these vulnerabilities for nefarious purposes. The logic behind this program is shady, at best.