Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kaspersky Lab Reveals Cyberattack On Its Corporate Network

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes: Kaspersky Lab has revealed that it was recently subject to a major cyberattack. The company launched an investigation, which led to the discovery of a new malware platform from Duqu. Kaspersky has revealed that the attack exploited zero-day vulnerabilities and the malware has spread in the network through MSI (Microsoft Software Installer) files. "The attack is extremely sophisticated, and this is a new generation of what is most likely state-sponsored malware," Kaspersky said during the press conference. "It's a kind of a mix of Alien, Terminator and Predator, in terms of Hollywood."

13 of 73 comments (clear)

  1. If only by penguinoid · · Score: 4, Funny

    If only they had an antivirus installed.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  2. Hyperbole by The+Raven · · Score: 5, Insightful

    Kasperski must characterize the malware as ultra-advanced, targeted, government hacking. Otherwise they look like fools for being penetrated.

    I'm not saying they are lying; I'm saying there is no way to tell, because their success as a company depends on them assuring everyone that they can competently defend against ordinary malware.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    1. Re:Hyperbole by Firethorn · · Score: 3, Funny

      It would have been funnier if in front of 'network' was 'honeypot'. Not to mention more impressive competence wise.

      "Yeah, that network you hacked? Those terabytes of data you stole? It was a honeypot network, we were having bets on what you'd do next, and the terabytes of data was all randomly generated using SCIGen and such. Oh, and 50% horse cock porn. You didn't rate midget porn."

      --
      I don't read AC A human right
  3. Re:Why aren't they running OpenBSD? by rubycodez · · Score: 4, Funny

    OpenBSD doesn't run those MSI files worth a darn. Someone should submit a patch

  4. Human ignorance by nimbius · · Score: 3, Insightful

    The real question isnt who attacked Kaspersky, but why Kaspersky still runs a punching bag OS like Windows. One would expect a major security vendor would have hardened everything from the secretaries desktop to the coffee maker.

    --
    Good people go to bed earlier.
  5. Kapersky's 46 page report on incident by VikingThunder · · Score: 5, Informative

    FYI: Here is the link to Kapersky's report of the incident: https://securelist.com/files/2...

    1. Re:Kapersky's 46 page report on incident by plover · · Score: 4, Informative

      Have Kapersky considered running their business off of bootable CDs?

      Read further down in the Fine Report, and you'll see why that strategy probably wouldn't have helped much. After the initial installation, the Command and Control network ran almost exclusively in RAM on Kaspersky's servers; the executable files were deleted to leave as few detectable traces as possible. Of course that meant the malware would be lost during a server reboot, so it depended on the actions of the other nearby servers that would eventually detect the rebooted server was uninfected, and would then re-infect it. And just in case Kaspersky's admins rebooted all servers simultaneously, wiping out the entire C&C system, they left a back door open in the form of a few unimportant PCs infected with persistent malware that would simply launch reverse tunneling proxies at startup. The attackers would have been able to reenter the network without needing to phish them again.

      --
      John
  6. Test run by Jumunquo · · Score: 4, Funny

    Ah, so the Russians tested on themselves before deploying to Germany.

    1. Re:Test run by Anonymous Coward · · Score: 4, Insightful

      Have a look at the report, if it is to be believed then all fingers point to Israel...

  7. What was the goal ? by eulernet · · Score: 5, Interesting

    Why did the attacker sacrificed such a nice tool ? And to obtain what kind of information ?

    My hypothesis is that the attackers wanted to retrieve all source code from Kaspersky Labs, in order to prepare future attacks.
    I have no doubt that they have the resources to analyze the source code and find some ways to evade Kaspersky's detection.
    The most wanted target was probably Kaspersky's internal tools, which are not in the final product, like virus analyzers, detection algorithms, and also how they build their virus signatures.

    It's probable that the attackers also wanted to confirm the ties between Kaspersky and the Russian government.

    1. Re:What was the goal ? by timrod · · Score: 4, Interesting

      Kaspersky themselves said that the Duqu authors were probably using them as a "utility target" to gain more access to their main target, which is believed to be anyone involved in the negotiations over Iran's nuclear program. The people from Kaspersky posited the idea that Duqu has no value to the people who wrote it - likely because by the time they attacked Kaspersky, they had already infected the people they were really after and could safely throw it away. It could also be that they purposely attacked Kaspersky for two reasons: to gain information on their detection methods and find ways around them, but also to ensure that no one else gets infected (thus avoiding a possible scandal for a state actor behind the attacks if people unrelated to their targets get hit).

      I'm with the camp that thinks Israel is behind it. It only makes sense, given their involvement with Stuxnet and their high level of interest in Iran's nuclear program, plus the connection with the Auschwitz liberation date.

  8. Payback for Outting NSA Spyware? by Maltheus · · Score: 4, Interesting

    Coming so soon after revealing the NSA spyware in the firmware of hard drive manufacturers, care to wager any guesses over which out-of-control state sponsored this attack?

    1. Re:Payback for Outting NSA Spyware? by IamTheRealMike · · Score: 3, Interesting

      I thought that at first too. But if you read the reports more closely it strongly suggests this is Israeli intelligence, not NSA.

      One strong indicator of this is that Kaspersky already found and analysed the current-gen NSA malware platform, they call the NSA the "Equation Group" and the things linking it to the NSA are extremely strong, to the extent that known NSA codenames are found in the binaries. However they also say that they found at least one victim that was hacked by NSA and "Duqu 2" simultaneously. It wouldn't really make sense for the NSA to have two entirely duplicative/redundant malware development projects over such a long period of time.

      Additionally, various other things suggest Israeli intelligence, like timestamps and working hours indicative of Israel and the fact that one of the victims was linked to some anniversary of the liberation of Auschwitz.