Duqu 2.0 hackers may have cracked Kaspersky to recon research

Eugene Kaspersky, the Russian whose namesake company acknowledged that it had been infected with top-tier malware, struggled during a press conference to come up with reasons why the hackers targeted his firm.

After all, antivirus makers like Kaspersky Lab should be prepared to sniff out and snuff out an attack.

"They were not only stupid, but greedy," Kaspersky said during a London-based press conference Wednesday, which was also webcast to reporters elsewhere.

When asked why the attackers -- whose malware was dubbed Duqu 2.0 in a nod to 2011's Duqu, which in turn was thought to be an offspring of the infamous Stuxnet -- went head-to-head with his company, Kaspersky had theories but nothing more.

"They were not interested in our customers," he said after asserting that the intrusion did not appear to have touched any customer or partner data.

"I'm pretty sure they were watching," he said of the hackers during the months they had their malware running undetected on Kaspersky's network. He speculated that the attackers were doing reconnaissance and research, hoping to find out more about Kaspersky's security technology or how it found and analyzed malware.

Specifically, Kaspersky wondered if they had infected Windows PCs on the company's network to uncover how researchers decided what malware to manually examine.

The vast bulk of the malware that Kaspersky -- and any major antivirus firm -- collects is processed, evaluated and categorized by automated systems, which also craft the resulting "fingerprints," or signatures, that are sent to customers' devices. Only the occasional piece of attack code is interesting enough, different enough from the run-of-the-mill to justify a human touch.

How researchers make the decision to closely evaluate -- and root through -- one piece of malware while passing on another would obviously be information a hacker crew or state-sponsored group would love to have, as it would help them craft attack code and develop tradecraft that would be more likely to get shunted to the machines, where it would be one among millions, and its true purpose perhaps overlooked.

"[The bad guys] absolutely want to know what security researchers are doing, what's the state of the art on that side," said Tod Beardsley, the engineering manager at security vendor Rapid7, in an interview. "They want to know, is it better than what [they] have?"

It's certain, Beardsley continued, that just as security researchers launch projects to analyze attack technology and attackers' predilections, the other side does the same. "Having a hold in a security company is of great advantage," Beardsley said. "Just the operational intelligence would be valuable, as that would give them lots of preparation time for their next mission."

And with more-than-public knowledge, hackers might be able to come up with ways to steer clear of security defenses like those employed by Kaspersky's customers.

But Eugene Kaspersky dismissed the idea that the hackers' presence within his company's network -- he said it had been hidden there at least several months -- would give them real clues about the vendor's technologies, even if they had obtained the source code, which they had not. "These technologies are quickly outdated," Kaspersky contended, saying that changes were constantly being applied.

"Maybe they were interested in some specific attacks we were working on," Kaspersky said. "Or maybe they wanted to see if we could catch them."

In a long blog post on Forbes, Kaspersky elaborated. "I can think of several reasons why someone might want to try to steal our technical data, but each one of them doesn't seem to be worth the risk" of being discovered, Kaspersky said.

Which is exactly what happened.

"Now we know how to catch a new generation of stealthy malware developed by them," Kaspersky wrote. "And the attackers are now back to the drawing board since we exposed their platform to the whole IT security industry. Moral considerations aside, that's hardly a good return on a serious investment with public money."

That latter line was a reference to Kaspersky's contention that Duqu 2.0 was created by a state-sponsored or state-run hacking crew.

Beardsley and Kaspersky agreed on one thing: Duqu 2.0 was top-of-the-line malware.

"It's very awesome for sure," said Beardsley. "It is definitely a milestone. It has a very modular framework, is able to swap out one zero-day for another, and uses new techniques for signaling and non-persistence."

Unlike most malware, Duqu 2.0 resides almost exclusively in memory, making it difficult for security software to detect it.

Which led Eugene Kaspersky to make an odd-but-effective suggestion about how to rid a network of the malware. "Technically, it's simple: Turn off the power and the system will be clean."

Stories by Gregg Keizer