The news that Kaspersky Lab, one of the leading cyber-security companies in the world, was hit by a “next-generation” malware attack is an indication of both how far we have come in cyber-warfare and how much further we still have to go.
Eugene Kaspersky, founder of Kaspersky Lab, is certain that the software used in the attack represents version 2.0 of Duqu, a malware first discovered in 2011. According to Kaspersky Lab's analysis of Duqu 2.0, it is highly-sophisticated malware which shows all the signs of having been crafted by someone with the resources of a nation-state behind them.
As Eugene Kaspersky has been at pains to explain to SCMagazineUK.com, it exploited three zero-day vulnerabilities, spread through the system using MSI files, didn't create or modify any disk files or system settings and existed almost totally in memory while still achieving persistence.
Other cyber-security experts are in agreement about its sophistication.
“After reviewing the technical analysis from Kaspersky, it's safe to say that Duqu 2.0 represents both the state of the art and the minimum bar for cyber-operations. Even if one doubts that Stuxnet, Duqu, and Duqu 2.0 are sourced from well-financed, highly skilled, and geopolitically motivated Western nations, Duqu 2.0 is precisely where we should expect any serious national cyber-offensive capability to be,” said Tod Beardsley, engineering manager at Rapid7.
Such was its stealthiness, Kaspersky believes the attackers were confident that they would not be discovered.
So this was a super-sophisticated zero-day attack but the method of entry into the network was distinctly old-school – an email attachment.
“It was coming from our sales guys,” Kaspersky said. “Their job is to be in touch with our customers, our partners, so one of them was sent an infected document – there was a zero-day there – that's it.”
Was he surprised his company was hacked? “I was surprised that I wasn't surprised! I wasn't angry, I was expecting it a long time,” he said. “Our employees [are] talking to the rest of the world so there's a non-zero risk of being attacked.”
He said the attackers were very professional. “The attack was made in a very professional way so it was hard to spot the signs of this attack. Using zero-days in a very professional way, spreading through the network almost invisible, creating no disk files, no system register changes, staying only in memory – it makes the process of looking for this malware almost impossible. Let's call it Mission Impossible, but we did it.”
Beardsley concurred: “Kaspersky has a reputation for being one of the most capable detection and defence organisations in the world, and the fact that they were compromised is a sobering reminder that the gap between offense and defence is, today, massively lopsided in favour of the attacker.”
The industry will be alarmed that a company with Kaspersky Lab's expertise – not to mention credibility on the line – found itself invaded in this way. “Unfortunately modern operation system were designed in a way, based on ideas and architecture of 40 to 50 years ago, and they are not immune to this kind of attack,” Kaspersky said. “There is no 100 percent security. Unfortunately there are many enterprises that were, are and will be victims of these attacks, cyber-security companies as well.”
The attacker's motivation seemed to be spying, gathering information on Kaspersky Lab's research and its internal processes. Kaspersky wouldn't speculate on the value to the attackers of the information they managed to exfiltrate except to say that once they were denied access to fresh information, the value of existing information would quickly drop toward zero.
As damaging as it might be to admit to being hacked in this way, Kaspersky Lab has clearly decided to own this story by releasing it on its own terms. Kaspersky said the company has shared the information with its technology partners, law enforcement agencies and customers.
It has won plaudits for being open about it, with a company official telling SC that this is proof of the company's commitment to transparency.
Discovering this vulnerability is also a success story of sorts. Although Duqu2.0 remained undetected for months, it was discovered while the company was testing a new APT detection tool on its own servers.
Beardsley said, “I'm very happy to see that Kaspersky is publishing their findings in depth; it's more transparency than what we usually see with initial breach reports. I'm hopeful that as this story unfolds, Kaspersky will provide more details on exactly how they did detect the activity of Duqu 2.0, since these detection techniques are what CISOs at critical infrastructure networks need to defend and remediate against similar attacks.”