Kaspersky, a leading anti-virus company from Russia, announced that it uncovered a piece of malware on its own networks that tried to steal information about its products and clients.
The company called the malware "Duqu 2.0" because of its similarity to the "Duqu" malware found in 2011 and used in attacks against Iran, India, France and Ukraine. At the time, Duqu was also seen as linked to the Stuxnet malware, which is believed to have been created by the spy agencies of the U.S. and Israel.
The attack was found early this year while Kaspersky was testing an "anti-APT" (Advanced Persistent Threat) solution the company was developing. The malware was otherwise almost impossible to detect because it resided only in kernel memory and erased all of its traces from disk.
It also did not connect directly to a command-and-control server to receive instructions. Instead, the attackers infected the network gateways so that they could proxy the company's traffic through their own command-and-control servers.
The attack also used three zero-day vulnerabilities in Microsoft's software installers, which many enterprise customers rely on. Zero-day vulnerabilities of this kind normally cost hundreds of thousands of dollars each on the black market. However, if the attacker was indeed the NSA, it could also have obtained them for free through "cyber threat sharing" programs, in which companies give the NSA access to their vulnerabilities months before patches are ready, or before anyone else knows the bugs even exist. Such programs are supposed to give the NSA advance notice so it can secure its own networks, but they can also be used for offensive purposes before the companies patch the vulnerabilities.
Whoever the attackers were, they must have thought they could never be detected, or that eventual detection was a price worth paying if they could steal useful data. Kaspersky said that because it detected the attack early, only some intellectual property was stolen and its customers' data is safe.
However, it warned that the same attack may already have been used against other high-value targets around the world. Others may not have Kaspersky's expertise to protect themselves against such complex and hard-to-detect malware, so the company will offer assistance to anyone interested in detecting Duqu 2.0.
Kaspersky has already contacted the police in different countries to investigate this attack and called for law enforcement to openly prosecute such attacks, which can ultimately leave ordinary citizens exposed to even more malicious attackers.
"Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario," commented Eugene Kaspersky, CEO of Kaspersky Lab. "Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted. The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin," he added.