Duqu spy group also targeted telecommunications companies

Symantec found infections with Duqu 2.0 in the U.S., U.K., Sweden, India and Hong Kong

Big data

Big data

The group behind the Duqu cyberespionage tool has compromised at least two telecommunications operators and one electronic equipment manufacturer, in addition to a cybersecurity firm and venues that hosted high-level nuclear negotiations between world powers and Iran.

On Wednesday, Moscow-based antivirus firm Kaspersky Lab, which has been deeply involved in exposing sophisticated cyberespionage campaigns over the past few years, revealed that it too fell victim to such an attack.

The company discovered in early spring that several of its internal systems were infected with a new version of Duqu, a sophisticated malware platform believed to be related to the Stuxnet worm used to sabotage Iran's nuclear enrichment centrifuges at Natanz.

Kaspersky reported that in addition to its own systems, it identified computers infected with Duqu 2.0 at hotels that hosted talks over the past year between the U.S., Germany, France, Russia, the U.K., China and Iran over the latter's nuclear program. The company also identified infections at a location associated with the 70th anniversary of the liberation of the Auschwitz concentration camp, which was commemorated on Jan. 27.

Now security firm Symantec has done its own analysis of Duqu 2.0, which unlike the first version, lives only in the memory of infected computers, without writing any files on disk. This makes it much harder for security products to to detect.

Symantec scanned its own global network and found Duqu 2.0 infections in the U.S., U.K., Sweden, India and Hong Kong, as well as on the systems of a European network operator, a North African network operator and an electronic equipment manufacturer from South East Asia. It didn't name the affected companies.

"Some organizations may not be the ultimate targets of the group's operations, but rather stepping stones towards the final target," the Symantec researchers said in a blog post. "The group's interest in telecoms operators could be related to attempts to monitor communications by individuals using their networks."

The group behind Duqu is known for compromising "utilitarian targets." These are companies like Kaspersky Lab or the network operators, whose information and assets might help the group improve its attack capabilities and achieve its final goals.

For example, in 2011 the Duqu group infected a certificate authority in Hungary with the first version of the malware tool. The goal was probably to obtain valid digital certificates that could be used to sign their malware samples.

The Kaspersky Lab researchers believe that a nation state is behind Duqu due to the sophistication of the malware platform and the techniques employed by its creators, including the use of multiple zero-day exploits -- exploits for previously unknown vulnerabilities in Windows and other software products.

The Wall Street Journal reported Wednesday that unnamed former U.S. government officials believe Israel is behind Duqu. This would explain the group's interest in the Iranian nuclear negotiations, which Israel opposes, and the platform's similarity to Stuxnet, which is believed to have been a joint U.S.-Israeli project.

Duqu is not the first cyberespionage malware threat that was used to target telecom operators. The Equation group, which some people believe is the U.S. National Security Agency, has also compromised such companies, and so did Volatile Cedar, a cyberespionage group that security firm Check Point Software Technologies believes operates from Lebanon.

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionsymantecsecurityspywaremalwarekaspersky lab

More about Check PointCheck Point Software TechnologiesKasperskyNational Security AgencyPoint Software TechnologiesSoftware TechnologiesSymantecWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place