Slashdot Mirror


Kaspersky Lab Reveals Cyberattack On Its Corporate Network

An anonymous reader writes: Kaspersky Lab has revealed that it was recently subject to a major cyberattack. The company launched an investigation, which led to the discovery of a new malware platform from Duqu. Kaspersky has revealed that the attack exploited zero-day vulnerabilities and that the malware spread through the network via MSI (Microsoft Software Installer) files. "The attack is extremely sophisticated, and this is a new generation of what is most likely state-sponsored malware," Kaspersky said during the press conference. "It's a kind of a mix of Alien, Terminator and Predator, in terms of Hollywood."

23 of 73 comments

  1. If only by penguinoid · · Score: 4, Funny

    If only they had an antivirus installed.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  2. Hyperbole by The+Raven · · Score: 5, Insightful

    Kaspersky must characterize the malware as ultra-advanced, targeted, government hacking. Otherwise they look like fools for being penetrated.

    I'm not saying they are lying; I'm saying there is no way to tell, because their success as a company depends on them assuring everyone that they can competently defend against ordinary malware.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    1. Re:Hyperbole by Firethorn · · Score: 3, Funny

      It would have been funnier if in front of 'network' was 'honeypot'. Not to mention more impressive competence wise.

      "Yeah, that network you hacked? Those terabytes of data you stole? It was a honeypot network, we were having bets on what you'd do next, and the terabytes of data was all randomly generated using SCIGen and such. Oh, and 50% horse cock porn. You didn't rate midget porn."

      --
      I don't read AC A human right
    2. Re:Hyperbole by kosmosik · · Score: 2

      They were probably aware that this would come up anyway, so their PR department took action. Being hacked when you are a security-focused company hurts their image, whatever advanced attack was used. I guess they were blackmailed with the threat that somebody would reveal information about the breach, so they took a proactive but image-hurting approach. Nevertheless, it is curious.

      Some technical explanation that I've TL;DR'd for now ;)
      https://securelist.com/files/2...

    3. Re:Hyperbole by IamTheRealMike · · Score: 2

      They were probably aware that this would come up anyway so their PR department took action

      Come up how? Who the hell cares about hacking an anti-virus company except intelligence agencies anyway? They, at least for now it seems, aren't in the business of blackmailing companies in ways that could only lead directly back to them.

      Being hacked when you are a security-focused company hurts their image, whatever advanced attack was used

      No way! This can only help their image, not hurt it.

      Look. This attack speaks to the idiocy and hubris of whichever intelligence agency is behind Duqu (probably the NSA, iirc). Kaspersky have repeatedly revealed western intelligence malware; they are not idiots, as anyone who reads their reports can attest. Indeed they've done massively more than any other AV company in the business. The people who thought it was a good idea to attack a company staffed by some of the best reverse engineers in the industry must be crazy: they just burned three zero days ..... for what? To get a sneak preview of upcoming products? Those must be some mighty scary products!

      What sort of message does this send to anyone outside the USA? It says that Kaspersky AV is so frickin' badass that the world's best funded intelligence agencies tried to spy on it ..... and failed. It says that Kaspersky, being Russian, doesn't give a shit about being prosecuted by the US government and will happily add NSA malware to their AV product scans, it reinforces their image of being in the lead when it comes to analysing state-sponsored malware, it reveals a strong commitment to transparency (they could have said nothing), and it says "if you think you may be targeted by government attackers, you can't do better than buy Kaspersky AV".

      I think this is a genius move by them.

    4. Re:Hyperbole by IamTheRealMike · · Score: 2, Informative

      Sorry, having fully read the report now, I'm gonna guess that Duqu is more likely to be Israeli intelligence than the NSA. The report notes that at least one victim has been hacked by the "Equation Group" (very clearly NSA) and Duqu at the same time. Additionally, the target list is things like anything to do with the Iranian nuclear program (very interesting to the Israelis) and also something to do with an anniversary of an event related to Auschwitz? Doesn't seem likely to interest the Americans. And apparently the few unfaked timestamps that remain are GMT+2 or GMT+3, the developers work on January 1st, and there's at least one English spelling mistake in the code.

      Additionally, Duqu and Stuxnet are apparently somehow related but not quite the same thing, and we know from leaks by US officials wanting to take credit that Stuxnet was a US/Israeli collaboration.

    5. Re:Hyperbole by bad-badtz-maru · · Score: 2

      One could wonder... if they burned three zero days for essentially nothing... how many zero days do they have?

  3. Re:Why aren't they running OpenBSD? by rubycodez · · Score: 4, Funny

    OpenBSD doesn't run those MSI files worth a darn. Someone should submit a patch

  4. Human ignorance by nimbius · · Score: 3, Insightful

    The real question isn't who attacked Kaspersky, but why Kaspersky still runs a punching-bag OS like Windows. One would expect a major security vendor to have hardened everything from the secretaries' desktops to the coffee maker.

    --
    Good people go to bed earlier.
    1. Re:Human ignorance by Whiteox · · Score: 2

      Because they test and develop for Win machines. Their other stuff is *nix based.

      --
      Don't be apathetic. Procrastinate!
    2. Re:Human ignorance by Hognoxious · · Score: 2

      Because their customers run punching-bag OSs like Microsoft?

      I agree 120%. It would be utterly ridiculous to have separate machines for testing & experimentation that are totally isolated from the ones you run your operations on.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. Kaspersky's 46-page report on incident by VikingThunder · · Score: 5, Informative

    FYI: Here is the link to Kaspersky's report of the incident: https://securelist.com/files/2...

    1. Re:Kaspersky's 46-page report on incident by plover · · Score: 4, Informative

      Have Kaspersky considered running their business off of bootable CDs?

      Read further down in the Fine Report, and you'll see why that strategy probably wouldn't have helped much. After the initial installation, the Command and Control network ran almost exclusively in RAM on Kaspersky's servers; the executable files were deleted to leave as few detectable traces as possible. Of course that meant the malware would be lost during a server reboot, so it depended on the actions of the other nearby servers that would eventually detect the rebooted server was uninfected, and would then re-infect it. And just in case Kaspersky's admins rebooted all servers simultaneously, wiping out the entire C&C system, they left a back door open in the form of a few unimportant PCs infected with persistent malware that would simply launch reverse tunneling proxies at startup. The attackers would have been able to reenter the network without needing to phish them again.

      --
      John
  6. In terms of Hollywood? by freeze128 · · Score: 2

    What is the new attack like, in terms of Muppets?

  7. Test run by Jumunquo · · Score: 4, Funny

    Ah, so the Russians tested on themselves before deploying to Germany.

    1. Re:Test run by Anonymous Coward · · Score: 4, Insightful

      Have a look at the report, if it is to be believed then all fingers point to Israel...

    2. Re:Test run by plover · · Score: 2

      Keep reading the report, and you'll see that they doubled back and covered their other tracks several times. Scheduling the malware activity levels to coincide with Israel's work week would be in keeping with the other forms of camouflage and diversion that were employed by Duqu 2.0's operators, and prove almost nothing at all.

      Various leaks after the fact strongly implicated Israel was responsible for Stuxnet (including a YouTube video of an IDF general being congratulated on his team's creation of the malware at his retirement party), but Duqu? The only confirmed relationship to Stuxnet is that both were found in Iran's nuclear facilities. And several nations have as much interest in Iran's nuclear program as Israel, including the US, China, and Russia.

      --
      John
    3. Re:Test run by cowwoc2001 · · Score: 2

      And why would a Russian firm have an interest in doing so...? Oh wait.

      There are plenty of top-notch cybersecurity firms across the globe. How does Kaspersky magically track down all these threats that others do not, and how are they all coincidentally coming from enemies of their greatest military customer, Iran?

      If you honestly think that a country the size of Israel is more active in this area than the rest of the world combined, I suggest you take a second look.

  8. What was the goal ? by eulernet · · Score: 5, Interesting

    Why did the attacker sacrifice such a nice tool? And to obtain what kind of information?

    My hypothesis is that the attackers wanted to retrieve all source code from Kaspersky Labs, in order to prepare future attacks.
    I have no doubt that they have the resources to analyze the source code and find some ways to evade Kaspersky's detection.
    The most wanted target was probably Kaspersky's internal tools, which are not in the final product, like virus analyzers, detection algorithms, and also how they build their virus signatures.

    It's probable that the attackers also wanted to confirm the ties between Kaspersky and the Russian government.

    1. Re:What was the goal ? by timrod · · Score: 4, Interesting

      Kaspersky themselves said that the Duqu authors were probably using them as a "utility target" to gain more access to their main target, which is believed to be anyone involved in the negotiations over Iran's nuclear program. The people from Kaspersky posited the idea that Duqu has no value to the people who wrote it - likely because by the time they attacked Kaspersky, they had already infected the people they were really after and could safely throw it away. It could also be that they purposely attacked Kaspersky for two reasons: to gain information on their detection methods and find ways around them, but also to ensure that no one else gets infected (thus avoiding a possible scandal for a state actor behind the attacks if people unrelated to their targets get hit).

      I'm with the camp that thinks Israel is behind it. It only makes sense, given their involvement with Stuxnet and their high level of interest in Iran's nuclear program, plus the connection with the Auschwitz liberation date.

  9. Payback for Outing NSA Spyware? by Maltheus · · Score: 4, Interesting

    Coming so soon after revealing the NSA spyware in the firmware of hard drive manufacturers, care to wager any guesses over which out-of-control state sponsored this attack?

    1. Re:Payback for Outing NSA Spyware? by IamTheRealMike · · Score: 3, Interesting

      I thought that at first too. But if you read the reports more closely it strongly suggests this is Israeli intelligence, not NSA.

      One strong indicator of this is that Kaspersky already found and analysed the current-gen NSA malware platform; they call the NSA the "Equation Group", and the things linking it to the NSA are extremely strong, to the extent that known NSA codenames are found in the binaries. However, they also say that they found at least one victim that was hacked by NSA and "Duqu 2" simultaneously. It wouldn't really make sense for the NSA to have two entirely duplicative/redundant malware development projects over such a long period of time.

      Additionally, various other things suggest Israeli intelligence, like timestamps and working hours indicative of Israel and the fact that one of the victims was linked to some anniversary of the liberation of Auschwitz.

  10. Holy fucking shit by behrooz0az · · Score: 2

    I have never seen malware analyzed this thoroughly.
    The function name on page 39, the typo on page 44, and the list goes on.
    They found things you simply can't find in 18 megabytes of executables, which should mean something like 3 million SLOC of C code?
    I hate windoz, Kaspersky, probably Russians too, but... well done.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)