Kaspersky Lab Reveals Cyberattack On Its Corporate Network

An anonymous reader writes: Kaspersky Lab has revealed that it was recently subject to a major cyberattack. The company launched an investigation, which led to the discovery of a new malware platform from Duqu. Kaspersky has revealed that the attack exploited zero-day vulnerabilities and the malware has spread in the network through MSI (Microsoft Software Installer) files. "The attack is extremely sophisticated, and this is a new generation of what is most likely state-sponsored malware," Kaspersky said during the press conference. "It's a kind of a mix of Alien, Terminator and Predator, in terms of Hollywood."

What was the goal ?

[eulernet]

Why did the attacker sacrificed such a nice tool ? And to obtain what kind of information ?

My hypothesis is that the attackers wanted to retrieve all source code from Kaspersky Labs, in order to prepare future attacks.
I have no doubt that they have the resources to analyze the source code and find some ways to evade Kaspersky's detection.
The most wanted target was probably Kaspersky's internal tools, which are not in the final product, like virus analyzers, detection algorithms, and also how they build their virus signatures.

It's probable that the attackers also wanted to confirm the ties between Kaspersky and the Russian government.

Re:What was the goal ?

[timrod]

Kaspersky themselves said that the Duqu authors were probably using them as a "utility target" to gain more access to their main target, which is believed to be anyone involved in the negotiations over Iran's nuclear program. The people from Kaspersky posited the idea that Duqu has no value to the people who wrote it - likely because by the time they attacked Kaspersky, they had already infected the people they were really after and could safely throw it away. It could also be that they purposely attacked Kaspersky for two reasons: to gain information on their detection methods and find ways around them, but also to ensure that no one else gets infected (thus avoiding a possible scandal for a state actor behind the attacks if people unrelated to their targets get hit).

I'm with the camp that thinks Israel is behind it. It only makes sense, given their involvement with Stuxnet and their high level of interest in Iran's nuclear program, plus the connection with the Auschwitz liberation date.

Payback for Outting NSA Spyware?

[Maltheus]

Coming so soon after revealing the NSA spyware in the firmware of hard drive manufacturers, care to wager any guesses over which out-of-control state sponsored this attack?

Re:Payback for Outting NSA Spyware?

[IamTheRealMike]

I thought that at first too. But if you read the reports more closely it strongly suggests this is Israeli intelligence, not NSA.

One strong indicator of this is that Kaspersky already found and analysed the current-gen NSA malware platform, they call the NSA the "Equation Group" and the things linking it to the NSA are extremely strong, to the extent that known NSA codenames are found in the binaries. However they also say that they found at least one victim that was hacked by NSA and "Duqu 2" simultaneously. It wouldn't really make sense for the NSA to have two entirely duplicative/redundant malware development projects over such a long period of time.

Additionally, various other things suggest Israeli intelligence, like timestamps and working hours indicative of Israel and the fact that one of the victims was linked to some anniversary of the liberation of Auschwitz.