Slashdot Mirror


Kaspersky Lab Reveals Cyberattack On Its Corporate Network

An anonymous reader writes: Kaspersky Lab has revealed that it was recently subject to a major cyberattack. The company launched an investigation, which led to the discovery of a new malware platform from Duqu. Kaspersky has revealed that the attack exploited zero-day vulnerabilities and the malware has spread in the network through MSI (Microsoft Software Installer) files. "The attack is extremely sophisticated, and this is a new generation of what is most likely state-sponsored malware," Kaspersky said during the press conference. "It's a kind of a mix of Alien, Terminator and Predator, in terms of Hollywood."

73 comments

  1. At least there's an upside by Anonymous Coward · · Score: 0

    "It's a kind of a mix of Alien, Terminator and Predator, in terms of Hollywood."

    So they've just been sitting back and enjoying it, then?

    1. Re:At least there's an upside by zlives · · Score: 1

      no someone with a mac will successfully integrate, infiltrate and subjugate the malware... in terms of hollywood.

  2. "in terms of hollywood" by Anonymous Coward · · Score: 0

    In terms of substance, not so much.

  3. If only by penguinoid · · Score: 4, Funny

    If only they had an antivirus installed.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:If only by smallfries · · Score: 1

      Did they not have a subscription to McCaffe? How embarrassing, there should be a free voucher around somewhere...

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  4. Re:Why aren't they running OpenBSD? by Feral+Nerd · · Score: 1

    Why aren't they running OpenBSD? It's the only practical operating system to use in truly high-risk, high-security deployments.

    DUH! Because Netcraft has confirmed that BSD is dying.

  5. Hyperbole by The+Raven · · Score: 5, Insightful

    Kaspersky must characterize the malware as ultra-advanced, targeted, government hacking. Otherwise they look like fools for being penetrated.

    I'm not saying they are lying; I'm saying there is no way to tell, because their success as a company depends on them assuring everyone that they can competently defend against ordinary malware.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    1. Re:Hyperbole by Firethorn · · Score: 3, Funny

      It would have been funnier if in front of 'network' was 'honeypot'. Not to mention more impressive competence wise.

      "Yeah, that network you hacked? Those terabytes of data you stole? It was a honeypot network, we were having bets on what you'd do next, and the terabytes of data was all randomly generated using SCIGen and such. Oh, and 50% horse cock porn. You didn't rate midget porn."

      --
      I don't read AC A human right
    2. Re:Hyperbole by phantomfive · · Score: 1

      And to be fair (although in the same way you would be fair to morons), from their perspective, it was an advanced attack, because they didn't know how to stop it.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Hyperbole by Anonymous Coward · · Score: 0

      Well, they could just as well not say anything, which would also not impact their reputation.

    4. Re:Hyperbole by Anonymous Coward · · Score: 1

      If you read the report, the details seem to back up their comments. I mean, I agree with you at face value, but they do provide quite a bit of details. You're welcome to look through them and determine for yourself if the attacks were trivial or advanced.

    5. Re:Hyperbole by kosmosik · · Score: 2

      They were probably aware that this would come up anyway so their PR department took action. To be hacked when you are a security focused company is hurting their image whatever advanced attack was used. I guess they were blackmailed that somebody will reveal information about breach so they took proactive but image hurting approach. Nevertheless it is curious.

      Some technical explanation that I TL;DR as for now ;)
      https://securelist.com/files/2...

    6. Re:Hyperbole by Anonymous Coward · · Score: 1

      If they're not lying about it being based on Duqu, then you're just revealing how little you know about Duqu.

    7. Re: Hyperbole by Anonymous Coward · · Score: 0

      Pfft, I'm takin a Duqu right now. What's to know?

    8. Re:Hyperbole by Anonymous Coward · · Score: 0

      Except that they provided a 48 page document detailing the attack. You can read it for yourself and see that it is in fact, quite sophisticated.

    9. Re:Hyperbole by gl4ss · · Score: 1

      you know what would be funny?

      if "Microsoft Software Installer" files they refer to would just be malware.msi and NOT the malware injecting itself into some other software's msi files. which still sounds a bit lame and well, NOT VERY ZERO DAY method at all. sounds more like how viruses worked 20 years ago to be honest.

      anyway. kaspersky.. the great tool that you need another tool to remove.

      --
      world was created 5 seconds before this post as it is.
    10. Re:Hyperbole by smallfries · · Score: 1

      That is completely unprofessional.

      At most, it should be 5% horse cock porn so they have to look a bit harder to find it.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    11. Re:Hyperbole by IamTheRealMike · · Score: 2

      They were probably aware that this would come up anyway so their PR department took action

      Come up how? Who the hell cares about hacking an anti-virus company except intelligence agencies anyway? They, at least for now it seems, aren't in the business of blackmailing companies in ways that could only lead directly back to them.

      To be hacked when you are a security focused company is hurting their image whatever advanced attack was used

      No way! This can only help their image, not hurt it.

      Look. This attack speaks to the idiocy and hubris of whichever intelligence agency is behind Duqu (probably the NSA, iirc). Kaspersky have repeatedly revealed western intelligence malware; they are not idiots, as anyone who reads their reports can attest. Indeed they've done massively more than any other AV company in the business. The people who thought it was a good idea to attack a company staffed by some of the best reverse engineers in the industry must be crazy: they just burned three zero days ..... for what? To get a sneak preview of upcoming products? Those must be some mighty scary products!

      What sort of message does this send to anyone outside the USA? It says that Kaspersky AV is so frickin' badass that the world's best funded intelligence agencies tried to spy on it ..... and failed. It says that Kaspersky, being Russian, doesn't give a shit about being prosecuted by the US government and will happily add NSA malware to their AV product scans, it reinforces their image of being in the lead when it comes to analysing state-sponsored malware, it reveals a strong commitment to transparency (they could have said nothing), and it says "if you think you may be targeted by government attackers, you can't do better than buy Kaspersky AV".

      I think this is a genius move by them.

    12. Re:Hyperbole by IamTheRealMike · · Score: 2, Informative

      Sorry having fully read the report now I'm gonna guess that Duqu is more likely to be Israeli intelligence than the NSA. The report notes that at least one victim has been hacked by the "Equation Group" (very clearly NSA) and Duqu at the same time. Additionally the target list is things like anything to do with the Iranian nuclear program (very interesting to the Israelis) and also something to do with an anniversary of an event related to Auschwitz? Doesn't seem likely to interest the Americans. And apparently the few unfaked timestamps that remain are GMT+2 or GMT+3, the developers work on January 1st, and there's at least one English spelling mistake in the code.

      Additionally, Duqu and Stuxnet are apparently somehow related but not quite the same thing, and we know from leaks by US officials wanting to take credit that Stuxnet was a US/Israeli collaboration.

    13. Re:Hyperbole by bad-badtz-maru · · Score: 2

      One could wonder... if they burned three zero days for essentially nothing... how many zero days do they have?

    14. Re: Hyperbole by Anonymous Coward · · Score: 0

      My thoughts exactly

    15. Re:Hyperbole by Anonymous Coward · · Score: 0

      What do you mean by "essentially nothing"? According to the reports, Kaspersky cannot exclude the possibility that the attackers might have obtained the complete source code to all Kaspersky products ...

    16. Re:Hyperbole by bad-badtz-maru · · Score: 1

      The Kaspersky source code (completely ignoring the presence of any exploitable bugs) wouldn't be much value to anyone other than Kaspersky. The mechanism behind virus scanners is pretty well known.

    17. Re:Hyperbole by Firethorn · · Score: 1

      At most, it should be 5% horse cock porn so they have to look a bit harder to find it.

      Good point. But I was picturing it being in any databases and such as well, thus inflating sizes and requiring analysis to access, at which point it's not until they try jpg encoding that they get the horse picture on their monitor. ;) So 10%?

      --
      I don't read AC A human right
  6. Re:Why aren't they running OpenBSD? by rubycodez · · Score: 4, Funny

    OpenBSD doesn't run those MSI files worth a darn. Someone should submit a patch

  7. i'll be back by turkeydance · · Score: 1

    because i don't have time to bleed. all other priorities rescinded.

  8. Human ignorance by nimbius · · Score: 3, Insightful

    The real question isn't who attacked Kaspersky, but why Kaspersky still runs a punching bag OS like Windows. One would expect a major security vendor would have hardened everything from the secretary's desktop to the coffee maker.

    --
    Good people go to bed earlier.
    1. Re:Human ignorance by Whiteox · · Score: 2

      Because they test and develop for Win machines. Their other stuff is *nix based.

      --
      Don't be apathetic. Procrastinate!
    2. Re:Human ignorance by Irate+Engineer · · Score: 1

      Because their customers run punching-bag OSs like Microsoft? This illustrates how fucking hard the problem of internet security is though. I don't believe a state sponsor did this; I'll bet it was one of the usual cast of scoundrels coupled with some social engineering at a weak point (maybe the new secretary at the front desk?). Big networks mean many points of potential weakness. When an infinite army of monkeys on computers wants in to your system, you cannot let your guard down for one freaking second, because the odds are eventually you are going to get pwned. The monkeys are occasionally smart.

      --

      Left MS Windows for Linux Mint and never looked back!

      Vote for Bernie in 2016!

    3. Re:Human ignorance by Anonymous Coward · · Score: 1

      or you just have an acceptable amount of security in order to still perform day-to-day activities, and deal with the once in a while disaster...

      fires, floods, loss of power, etc. whatever. unless you're a hospital or something it's pointless to worry so much about it. You can think of all the hypothetical money lost and this and that, but when it comes down to it, life and your next day isn't even a guarantee.

    4. Re:Human ignorance by Hognoxious · · Score: 2

      Because their customers run punching-bag OSs like Microsoft?

      I agree 120%. It would be utterly ridiculous to have separate machines for testing & experimentation that are totally isolated from the ones you run your operations on.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  9. MSI files? by Anonymous Coward · · Score: 0

    So they were officially signed with someone's key?

  10. Kaspersky's 46 page report on incident by VikingThunder · · Score: 5, Informative

    FYI: Here is the link to Kaspersky's report of the incident: https://securelist.com/files/2...

    1. Re:Kaspersky's 46 page report on incident by nickweller · · Score: 1

      Have Kaspersky considered running their business off of bootable CDs?

      "In 2011, we were able to identify Duqu attacks that used Word Documents containing an exploit for a zero-day vulnerability (CVE-2011-3402) that relied on a malicious embedded TTF (True Type Font File). This exploit allowed the attackers to jump directly into Kernel mode from a Word Document, a very powerful, extremely rare, technique.

      A similar technique and zero-day exploit (CVE-2014-4148) appeared again in June 2014, as part of an attack against a prominent international organization. The C&C server used in this 2014 attack as well as other factors have certain similarities with Duqu, however, the malware is different from both Duqu and Duqu 2.0. It is possible that this is a parallel project from the Duqu group and the same zero-day (CVE-2014-4148) might have been used to install Duqu 2.0."

    2. Re:Kaspersky's 46 page report on incident by plover · · Score: 4, Informative

      Have Kaspersky considered running their business off of bootable CDs?

      Read further down in the Fine Report, and you'll see why that strategy probably wouldn't have helped much. After the initial installation, the Command and Control network ran almost exclusively in RAM on Kaspersky's servers; the executable files were deleted to leave as few detectable traces as possible. Of course that meant the malware would be lost during a server reboot, so it depended on the actions of the other nearby servers that would eventually detect the rebooted server was uninfected, and would then re-infect it. And just in case Kaspersky's admins rebooted all servers simultaneously, wiping out the entire C&C system, they left a back door open in the form of a few unimportant PCs infected with persistent malware that would simply launch reverse tunneling proxies at startup. The attackers would have been able to reenter the network without needing to phish them again.

      --
      John
    3. Re:Kaspersky's 46 page report on incident by Anonymous Coward · · Score: 1

      This... is kind of nuts. How in the hell can people expect to defend against this level of sophistication? The sheer man hours that went into this is a pretty good indicator that it was probably state sponsored.

  11. In terms of Hollywood? by freeze128 · · Score: 2

    What is the new attack like, in terms of Muppets?

    1. Re:In terms of Hollywood? by Anonymous Coward · · Score: 0

      It was a Gonzo, but not quite a Fozzy bear joke.

    2. Re:In terms of Hollywood? by penguinoid · · Score: 1

      What is the new attack like, in terms of Muppets?

      In the aftermath of the attack, Oscar the Grouch mistook their lab for his home.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  12. Test run by Jumunquo · · Score: 4, Funny

    Ah, so the Russians tested on themselves before deploying to Germany.

    1. Re:Test run by Anonymous Coward · · Score: 4, Insightful

      Have a look at the report, if it is to be believed then all fingers point to Israel...

    2. Re:Test run by Anonymous Coward · · Score: 0

      Israel. Considering they attacked to mark the liberation of Auschwitz, that seems like a strange thing for Russia to be marking.

      And they invented the malware in the first place, soooo...

    3. Re:Test run by plover · · Score: 2

      Keep reading the report, and you'll see that they doubled back and covered their other tracks several times. Scheduling the malware activity levels to coincide with Israel's work week would be in keeping with the other forms of camouflage and diversion that were employed by Duqu 2.0's operators, and prove almost nothing at all.

      Various leaks after the fact strongly implicated Israel was responsible for Stuxnet (including a YouTube video of an IDF general being congratulated on his team's creation of the malware at his retirement party), but Duqu? The only confirmed relationship to Stuxnet is that both were found in Iran's nuclear facilities. And several nations have as much interest in Iran's nuclear program as Israel, including the US, China, and Russia.

      --
      John
    4. Re:Test run by Anonymous Coward · · Score: 0

      Wrong. The multiple zero days included in both point to similar structures targeting similar people.

    5. Re:Test run by cowwoc2001 · · Score: 2

      And why would a Russian firm have an interest in doing so...? Oh wait.

      There are plenty of top-notch cybersecurity firms across the globe. How does Kaspersky magically track down all these threats that others do not, and how are they all coincidentally coming from enemies of their greatest military customer, Iran?

      If you honestly think that a country the size of Israel is more active in this area than the rest of the world combined, I suggest you take a second look.

    6. Re:Test run by IamTheRealMike · · Score: 1

      The report says that at least one victim has been targeted by Equation Group (NSA) and Duqu simultaneously. The targeting of something related to a WW2 anniversary also strongly suggests Israel.

  13. Iran Nuclear Deal by Anonymous Coward · · Score: 0

    "Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal."
    Sounds like Israel is at it again

  14. What was the goal ? by eulernet · · Score: 5, Interesting

    Why did the attacker sacrifice such a nice tool ? And to obtain what kind of information ?

    My hypothesis is that the attackers wanted to retrieve all source code from Kaspersky Labs, in order to prepare future attacks.
    I have no doubt that they have the resources to analyze the source code and find some ways to evade Kaspersky's detection.
    The most wanted target was probably Kaspersky's internal tools, which are not in the final product, like virus analyzers, detection algorithms, and also how they build their virus signatures.

    It's probable that the attackers also wanted to confirm the ties between Kaspersky and the Russian government.

    1. Re:What was the goal ? by timrod · · Score: 4, Interesting

      Kaspersky themselves said that the Duqu authors were probably using them as a "utility target" to gain more access to their main target, which is believed to be anyone involved in the negotiations over Iran's nuclear program. The people from Kaspersky posited the idea that Duqu has no value to the people who wrote it - likely because by the time they attacked Kaspersky, they had already infected the people they were really after and could safely throw it away. It could also be that they purposely attacked Kaspersky for two reasons: to gain information on their detection methods and find ways around them, but also to ensure that no one else gets infected (thus avoiding a possible scandal for a state actor behind the attacks if people unrelated to their targets get hit).

      I'm with the camp that thinks Israel is behind it. It only makes sense, given their involvement with Stuxnet and their high level of interest in Iran's nuclear program, plus the connection with the Auschwitz liberation date.

    2. Re:What was the goal ? by evilrip · · Score: 1

      Kaspersky was likely targeted because they are very popular in that part of the world: Russia, middle-east, so forth. Owning Kaspersky, if indeed it was a complete compromise, in effect means you can access data (potentially execute) from every single computer that runs Kaspersky software: you are in a position of trust at this point. Trust is a _dangerous_ thing in computer security terms, do not let this fool you. As most antivirus software will send home "suspicious" files for analysis, I expect they would leverage this functionality to have well hidden backdoor in legit, properly installed software. Of course, here is also the source code: bug hunting is much easier with it, hence why the only program with even a slight chance of being trustworthy is one you can get the source code to, given that someone with the proper skills audits it. It's about high time we realize that closed source ecosystems are horrible for security; because it can be challenging to actually audit, or at least time consuming. I wish hackers would stop selling script kiddie-ready 0days to governments, these people have no idea of the power they wield with these things. I'm looking at you the grugq, etc: you people are a disgrace to every hacker in the known universe and you are actively helping authoritarian regimes and agencies with no oversight to suppress people and other countries, and profiting off it. In any event, I believe that the stuxnet team learned a lesson from their run of stuxnet in Iran; namely that there are easier targets to compromise to get in there with better access, because how do you beat the people you can't beat? you join them.

      --
      "To err is human, to forgive, beyond the scope of the Operating System"
    3. Re:What was the goal ? by Anonymous Coward · · Score: 1

      Duqu people fucked-up. Basically, they dumped huge payload (including totally unrelated SCADA attack modules) on a tightly monitored network. According to articles, Kaspersky's people are still wading through all that shit. One can infer a lot from highly specialized attack code.

    4. Re:What was the goal ? by Anonymous Coward · · Score: 1

      So now when I install Kaspersky's Russian government spyware, I get some Israeli government spyware on top?

    5. Re:What was the goal ? by evilrip · · Score: 1

      If it makes you feel any better, that spyware was at least partially made in the U.S.A. :)

      --
      "To err is human, to forgive, beyond the scope of the Operating System"
    6. Re:What was the goal ? by IamTheRealMike · · Score: 1

      The people from Kaspersky posited the idea that Duqu has no value to the people who wrote it - likely because by the time they attacked Kaspersky, they had already infected the people they were really after and could safely throw it away.

      I believe Israeli intelligence has a big budget for hacking. But not that big. Duqu 2 seems to have over 100 plugins. They burned three zero days on this attack. Much of the code is clearly an evolution of Duqu 1.0 which was being used years ago.

      It seems obvious that each intelligence agency has developed its own malware platform over a period of many years and these things must represent large investments for them. To simply throw it away by attacking Kaspersky makes no sense.

      Occam's Razor says pick the simplest theory. We know from the Stuxnet leaks that the Israelis fucked up and made Stuxnet way too aggressive, that's why it spread way outside its intended victims. We know Israel is an astonishingly aggressive country that thanks to the US protection it gets, sees itself as being able to do whatever it likes. The simplest explanation is that they got cocky and thought they could beat Kaspersky. Perhaps they had beaten Kaspersky: the report notably doesn't give many details about when they think they got attacked. They might have been compromised for a long time already. Regardless, eventually they lost, and now any company that uses Kaspersky AV is probably able to detect the Israeli malware platform. Unless they have a limitless supply of kernel exploits, eventually they will not be able to patch the AV driver's brains out and their platform will start getting detected.

    7. Re:What was the goal ? by eulernet · · Score: 1

      It's possible that Duqu was written by the NSA for their ally Israel.
      It would explain why the technology is less advanced than Equation Group.

      I think that you are right about Kaspersky.
      They may have been infected for a few months, but only noticed the attack recently.

      However, since they have been attacked, I doubt they'll share the signatures of the attacks to other vendors, so it'll be a huge marketing advantage for their product !

    8. Re:What was the goal ? by maestroX · · Score: 1

      Why did the attacker sacrifice such a nice tool ? And to obtain what kind of information ?

      Well duh. Free licenses to extend the trial version of course.

    9. Re:What was the goal ? by Anonymous Coward · · Score: 0

      My theory is that the attacker wondered if Kaspersky cracked all the Stuxnet & Duqu malware with their own skills, or whether Kaspersky actually was fed some info by some kind of mole or something. The organization that produced this persistent threat malware might be seriously concerned about a leak or double agent or something like that. Kaspersky appears to have been brilliant, but who's to say if they might have had a little KGB style assistance? Answering that question might be worth a fair amount of resources to the malware authors.

  15. Payback for Outing NSA Spyware? by Maltheus · · Score: 4, Interesting

    Coming so soon after revealing the NSA spyware in the firmware of hard drive manufacturers, care to wager any guesses over which out-of-control state sponsored this attack?

    1. Re:Payback for Outing NSA Spyware? by IamTheRealMike · · Score: 3, Interesting

      I thought that at first too. But if you read the reports more closely it strongly suggests this is Israeli intelligence, not NSA.

      One strong indicator of this is that Kaspersky already found and analysed the current-gen NSA malware platform, they call the NSA the "Equation Group" and the things linking it to the NSA are extremely strong, to the extent that known NSA codenames are found in the binaries. However they also say that they found at least one victim that was hacked by NSA and "Duqu 2" simultaneously. It wouldn't really make sense for the NSA to have two entirely duplicative/redundant malware development projects over such a long period of time.

      Additionally, various other things suggest Israeli intelligence, like timestamps and working hours indicative of Israel and the fact that one of the victims was linked to some anniversary of the liberation of Auschwitz.

  16. Good! by BrendaEM · · Score: 1

    Good, I wish nothing but hard times for them.

    https://grahamcluley.com/2014/...

    --
    https://www.youtube.com/c/BrendaEM
  17. A mistake targeting Kaspersky .. by nickweller · · Score: 1

    They made a big mistake targeting Kaspersky as they've given away most of their techniques. It does seem that someone went to an awful lot of trouble creating the malware. The_Mystery_of_Duqu_2_0

    1. Re: A mistake targeting Kaspersky .. by Anonymous Coward · · Score: 0

      Please, this was an attack with a burner - think plastic liberator handgun. :)

    2. Re:A mistake targeting Kaspersky .. by Anonymous Coward · · Score: 0

      Most people are looking at this attack as being one of two options- either whoever wrote it was being arrogant and didn't think they would be caught, or whoever wrote it didn't need it any more.

      There is a third option- Both of these are based on the assumption that the people who unleashed Duqu2 (Electric Boogaloo) against Kaspersky were the same that wrote it. If I wanted to stop whoever wrote Duqu from being able to use it then what better way to do so than steal it and use it against a security company like Kaspersky? Whether that third party was Iran, Russia, the NSA, or Santa Claus I don't know.

      Cyberwarfare is a fairly new field with rules that haven't been settled yet. Perhaps this was just an attempt to weaken an opponent's (or rival's) cyberwarfare capability.

  18. This one has NSA's fingerprint all over it by Taco+Cowboy · · Score: 1, Interesting

    I'm with the camp that thinks Israel is behind it. It only makes sense, given their involvement with Stuxnet and their high level of interest in Iran's nuclear program, plus the connection with the Auschwitz liberation date

    I beg to differ

    My train of thought for this case runs more along the false flag rule, and that if Israel really wants to carry it out wouldn't it at least try to avoid identifying themselves?

    The fact that the attack was launched with the Auschwitz liberation date in mind tells us that someone else is behind the scheme --- as the Auschwitz liberation date has a permalink to Israel anyone who wants to frame Israel can do nothing less than to link an attack to that particular date

    And apparently it works --- reading the comments here tells us that those who aren't equipped with critical thinking skills will automatically associate the attack with Israel

    I am no friend of Israel but I do reckon that the Jews are way more clever than that --- if indeed it was Israel which is behind this attack then they will do it in a way that, at the very least, leave enough clues to lead to some other players rather than Israel

    The fact that Stuxnet / Duqu was co-developed by Israel and NSA, and this current deployment uses technique that they once deployed back in 2011, indicates to me that NSA is behind it

    It is legitimate to ask why NSA wants to mess with systems belonging to P5+1 who are connected to the Iran nuclear deal, and the answer is no more than who is currently in charge in the White House

    The way Obama is behaving, and has been behaving the past 5+ years in the White House tells us that he is a controlling type, that he needs to know everything about everybody

    From the NSA spying on the Americans to blaming his favorite bogeyman - China - on the leak of the background info of 4 million American civil servants, even when he didn't even have an iota of evidence, we know full well the one true thing that motivates Obama --- to have a total control, and to manipulate the sentiments of the people so that they will give him full support of whatever he wants to do

    You guys are on /. --- by the self-selection prophesy you guys are supposed to be better than the rest of the populace, so, please, it's time to equip yourselves with much better thinking skills

    In a world where leaders such as Obama are so skilled in manipulating populace sentiments we must ensure that we ourselves are not being manipulated

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re: This one has NSA's fingerprint all over it by Anonymous Coward · · Score: 0

      To be fair, if Israel really is more clever than 'that' - they could easily be operating /balls out/ with that Auschwitz date to make you think they're being framed.

      The best thieves work under the cover of sunlight.

    2. Re:This one has NSA's fingerprint all over it by eulernet · · Score: 1

      As I said in another post, it's possible that Duqu was written by the NSA for their ally Israel, or more exactly for the Mossad.

      In other words, Duqu would be the second class attack vector, so it doesn't really matter if it gets caught.

      About the manipulation skills, I believe that you are biased towards Obama (I'm French and not really interested in politics).
      In fact, all political leaders need to develop their charisma and manipulation skills, otherwise they'll never be elected.
      At a national level, the manipulation involves mass propaganda.
      For me, it's a normal game, I just try to not be abused by it.

  19. "state sponsored malware" by Anonymous Coward · · Score: 0

    So it's like what KGB-Kaspersky does for Putin? I don't think they disclose/filter all the exploits they find. They use the best ones. And a press release like this one is just info warfare. Remember when Kaspersky helped Iran get closer to the atom bomb by helping them mitigate the effects of stuxnet/duqu?

  20. Holy fucking shit by behrooz0az · · Score: 2

    I had never seen a malware analyzed this thoroughly.
    the function name at page 39, The typo on page 44, and the list goes on.
    They found things you simply can't find in 18 Mega-bytes of executables which should mean like 3 Million SLOC of C code?
    I hate windoz, kaspersky, probably russians too, but... well done.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  21. A lovely pun by Anonymous Coward · · Score: 0

    French-speaking readers will see the wit in the name; DUQU is pronounced in French like DU CUL, which renders roughly as "of an arsehole" :)

  22. A Sucker Like You by Anonymous Coward · · Score: 0

    ...is born every minute. Ever heard of "False Flag" ?

    Angela Merkel was all too happy to aid GWB in his Criminal Acts then. Go figure.

  23. fuckin' George Lucas by Thud457 · · Score: 1

    This comes out and Christopher Lee kicks it?
    Mighty suspicimous...

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff