The Worm Turns: Virus Hunter Kaspersky Becomes the Hunted
The Russian IT security firm Kaspersky Lab has discovered a new, powerful cyber weapon, apparently a successor to the notorious Duqu software. But this time the virus hunter itself is a target. Now experts are scrambling to identify who's behind it.
For the employees of the Russian firm Kaspersky Lab, tracking down computer viruses, worms and Trojans and rendering them harmless is all in a day's work. But they recently discovered a particularly sophisticated cyber attack on several of the company's own networks. The infection had gone undetected for months.
Company officials believe the attack began when a Kaspersky employee in one of the company's offices in the Asia-Pacific region was sent a targeted, seemingly innocuous email with malware hidden in the attachment, which then became lodged in the firm's systems and expanded from there. The malware was apparently only discovered during internal security tests "this spring."
The attack on Kaspersky Lab shows "how quickly the arms race with cyber weapons is escalating," states a 45-page report on the incident by the company, which was made available to SPIEGEL in advance of its release. The exact reason for the attack is "not yet clear" to Kaspersky analysts, but the intruders were apparently interested mainly in subjects like future technologies, secure operating systems and the latest Kaspersky studies on so-called "advanced persistent threats," or APTs. The Kaspersky employees also classified the spy software used against the company as an APT.
Analysts at Kaspersky's Moscow headquarters had already been familiar with important features of the malware that was being used against them. They believe it is a modernized and redeveloped version of the Duqu cyber weapon, which made international headlines in 2011. The cyber weapons system that has now been discovered has a modular structure and seems to build on the earlier Duqu platform.
In fact, says Vitaly Kamluk, Kaspersky's principal security researcher and a key member of the team that analyzed the new virus, some of the software passages and methods are "very similar or almost identical" to Duqu. The company is now referring to the electronic intruder as "Duqu 2.0." "We have concluded that it is the same attacker," says Kamluk.
When asked who they believe could be behind the software, Kaspersky officials are typically vague -- which is the typical attitude shown by international IT security vendors when it comes to the question of attribution. The modular Duqu arsenal is "extremely complex and very, very expensive," says Kamluk. "Cyber criminals are not behind this. We are probably dealing with nation-state attackers." As is often the case in the difficult search for the true originators of cyber attacks, which technology can easily cover up, the targets themselves could provide the best clues about who may have perpetrated the attack.
The originators of Duqu had a "high interest in geopolitical affairs," says the Kaspersky analyst. Iran's nuclear program was also a target of this latest wave of attacks, as it was with the preceding Duqu virus.
"They surpass any other APT attackers -- no one has reached this level of competence before," says Kamluk. "In our view the attackers even surpass Equation Group. This brings the threat to a whole new level."
A US-Israeli Role?
As Kamluk explains, several of the new infections with Duqu 2.0 took place in 2014 and 2015 in connection with the "P5+1" talks -- the diplomatic negotiations underway since 2006 between Great Britain, the United States, China, France, Russia and Germany, aimed at reaching an agreement with Iran over its nuclear program. Kaspersky says it apparently detected traces of Duqu 2.0 in three of the P5+1 meeting locations, which constantly changed.
Some of the secret meetings of delegations during the time in question took place in the Austrian capital Vienna and in Lausanne, Switzerland, usually in hotels. To "protect our customers and the ongoing investigations," Kaspersky is unwilling to reveal exactly which meeting sites the virus had infected. The political director of the Foreign Ministry represented Germany at the working groups, while Foreign Minister Frank-Walter Steinmeier attended the more important meetings.
Without discussing technical background information or mentioning Duqu, the Wall Street Journal had already reported in March on spying at the P5+1 talks. Quoting anonymous senior sources in the US government, the paper assigned the blame to Israeli intelligence, but Israeli politicians sharply denied the accusation.
Kaspersky analysts identified another source of infection with Duqu 2.0 in connection with the celebrations to mark the 70th anniversary of the liberation of the concentration camp Auschwitz II-Birkenau. The guests at the main commemorative event in late January included German President Joachim Gauck, French President François Hollande, Ukrainian President Petro Poroschenko and other national leaders.
In 2011, Kaspersky analysts found a few oddities in the program code for the previous version of Duqu, which confirmed the suspicions. These suggested that the code's authors were from a country in the GMT + 2 time zone, and that they worked noticeably less on Fridays and not at all on Saturdays, which corresponds to the Israeli work week, in which the Sabbath begins on Friday.
Most striking, though, is that Duqu had major similarities to the computer worm Stuxnet, discovered in 2010. Various international IT experts were therefore sure that there had to be at least a close connection between the creators of the two cyber weapons. And Stuxnet, which manipulated control units at the Iranian uranium enrichment facility in Natanz and caused irreparable damage to a large number of centrifuges, was a joint US-Israeli project.
The Damage is Done
But according to Kaspersky, almost all of the timestamps in the new version have been manipulated so as to create a red herring. In addition, it contains an offensive reference to a known Chinese hacker, which the Russians also believe is a deliberate attempt to mislead. Still, says Kamluk, the attackers made small errors buried deep inside the individual modules. For example, the original timestamps still appear.
Kaspersky Lab has now issued an internal memo to employees about the incident and has also enlisted the support of Russian and British security agencies and notified Microsoft. As in the first Duqu wave, this time the attackers used new and previously unknown weaknesses in Windows computers known as "zero day exploits."
Identifying who exactly is behind the attack is almost irrelevant to Kaspersky, whose reputation is likely to suffer as a result of the development. "One of the most difficult things an IT security company can do is admit that there was a successful cyber attack on its own systems, reads the company's report on the incident. Nevertheless, management did not hesitate in publicizing the incident, says Kamluk, not least because Kaspersky had already identified other affected parties in Western states, Asia and the Middle East.
Translated from the German by Christopher Sultan
© SPIEGEL ONLINE 2015
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH