
JonLP24

(29,322 posts)
Mon Jun 15, 2015, 09:22 AM Jun 2015

None of us is safe: Major cybersecurity company hacked

From July 10th but may have been overshadowed by the other one.

Guess what: Even the best security companies can be hacked.

That's what Moscow-based Kaspersky Lab said Wednesday when it announced its systems had been attacked, most likely by hackers working on behalf of a country.

Kaspersky customers' data is safe, the company said. The sophisticated attack stayed away from user information and focused instead on Kaspersky's own systems and intellectual property, the company said. The company has since fixed the hole that allowed for the attack.

The attack isn't the first that's targeted Kaspersky, but it highlights how prolific hacking has become, and how vulnerable even the most knowledgeable and prepared companies are. Of course, everyone else is in an even bigger pickle. Attacks are happening to companies small and large every day, and they've even been able to break into US government computers.

Verizon Enterprise Solutions estimated that 700 million compromised records from companies around the world led to losses of $400 million in 2014. The information was based only on the 70 organizations that contributed information to their annual study, so the total figure is likely much higher.

The hackers were "a generation ahead of anything seen," Kaspersky said in a lengthy explanation of the hack on its website. The attackers used a method that preys on "zero-day" vulnerabilities, or holes in software that developers don't know exist. They left few traces too.

http://www.cnet.com/news/none-of-us-are-safe-major-cybersecurity-company-hacked/

I like how they have detailed info on the hack: http://media.kaspersky.com/en/Duqu-2-0-Frequently-Asked-Questions.pdf


Exilednight

(9,359 posts)
1. On the upside, it's good to know that America is still #1 at something.
Mon Jun 15, 2015, 09:28 AM
Jun 2015

On the downside, that something is getting hacked.

JonLP24

(29,322 posts)
2. Here is some more background
Mon Jun 15, 2015, 09:38 AM
Jun 2015

Duqu 2.0 Exposed

Over the last five years, Kaspersky has made a name for itself exposing one nation-state attack after another, including Stuxnet, Duqu, Flame, Gauss, Regin and the Equation Group—many of them seemingly launched by the US and its UK and Israeli allies. It was perhaps inevitable that Kaspersky eventually would be targeted itself.
Side-by-side comparison showing a near identical function, for generating log entries, in the Duqu 2011 and 2015 attacks.

(they have a picture side-by-side of the code used in 2011 and 2015)

Kaspersky uncovered the breach after an engineer, testing a new product on a company server, spotted anomalous traffic that caused him to further investigate. Eventually the company determined that a couple dozen Kaspersky systems had been infected. The company won’t say when exactly the intrusion began to preserve the integrity of the investigation, but Raiu says they’re working with law enforcement agencies in several countries to track the breach of Kaspersky as well as other victims. The company has also filed police complaints in Russia and the UK, where it also has an office.
Mode of Infection

The infection of Kaspersky unfolded like a precision campaign. The attackers first targeted an employee in one of the company’s Asia-Pacific offices, likely using a spear-phishing attack and zero-day exploit to breach the system. The employee’s machine had all the latest software patches installed, but zero-day exploits target vulnerabilities that are yet unknown to a software maker, and therefore have no patches available to seal them.

Another indication that a spear-phishing email was used was the fact that while Kaspersky was investigating the breach, the attackers wiped the mailbox and browsing history from the infected employee’s system, preventing Kaspersky from fully analyzing it.

<snip>

What They Were After

The attackers were primarily interested in Kaspersky’s work on APT nation-state attacks–especially with the Equation Group and Regin campaigns. Regin was a sophisticated spy tool Kaspersky found in the wild last year that was used to hack the Belgian telecom Belgacom and the European Commission. It’s believed to have been developed by the UK’s intelligence agency GCHQ.

The Equation Group is the name Kaspersky gave an attack team behind a suite of different surveillance tools it exposed earlier this year. These tools are believed to be the same ones disclosed in the so-called NSA ANT catalogue published in 2013 by journalists in Germany. The interest in attacks attributed to the NSA and GCHQ is not surprising if indeed the nation behind Duqu 2.0 is Israel.

<snip>

There was one victim, however, that didn’t fit the profile of other targets. Raiu says this was an international gathering for the 70th anniversary of the liberation of the Auschwitz-Birkenau concentration camps. The focus in this case may have been on the scores of VIPs who attended the event, including presidents and prime ministers. “Pretty much everyone was there with the exception of Obama and Putin,” Raiu notes.

In addition to all of these targets, Symantec uncovered victims in the UK, Sweden, Hong Kong and India. Notably, it found telecom victims in Europe and Africa, an electronics firm in South East Asia, and multiple infections in the US, including one organization where developers working on mobile platforms were infected. Some of the infections dated back to 2013, according to Vikram Thakur, senior manager for the company’s Security Response team.

http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-network/

I think I'm gonna have to grab the popcorn here.
