“In early spring 2015, Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems. Following this finding the company launched an intensive investigation, which led to the discovery of a new malware platform from one of the most skilled threat actors in the APT world: Duqu.
The attack exploited zero-day vulnerabilities and after elevating privileges to domain administrator, the malware was spread in the network through MSI files. The attack didnt leave behind any disk files or change system settings, making detection difficult.
Kaspersky Lab researchers discovered the company wasnt the only target of this threat actor. Other victims have been found in Western countries, as well as in countries in the Middle East and Asia. Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal.
The threat actor behind Duqu appears to have launched attacks at the venues where the high level talks took place. In addition to the P5+1 events, the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. Similar to the P5+1 events, these meetings were attended by many foreign dignitaries and politicians.
Upon discovery, Kaspersky Lab performed an initial security audit and analysis of the attack. The audit included source code verification and checking of the corporate infrastructure. The comprehensive audit is still ongoing and will be completed in a few weeks. Besides intellectual property theft, no additional indicators of malicious activity were detected.
The analysis revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected.
1. The attack was carefully planned and carried out by the same group that was behind the infamous 2011 Duqu APT attack. Kaspersky Lab believes this is a nation-state sponsored campaign.
2. Kaspersky Lab strongly believes the primary goal of the attack was to acquire information on the companys newest technologies. The attackers were especially interested in the details of product innovations including Kaspersky Labs Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network and Anti-APT solutions and services. Non-R&D departments (sales, marketing, communications, legal) were out of attackers interests.
3. The information accessed by the attackers is in no way critical to the operation of the companys products. Armed with information about this attack Kaspersky Lab will continue to improve the performance of its IT security solutions portfolio.
4. The attackers also showed a high interest in Kaspersky Labs current investigations into advanced targeted attacks; they were likely aware of the companys reputation as one of the most advanced in detecting and fighting complex APT attacks.
5. The attackers seem to have exploited up to three zero-day vulnerabilities. The last remaining zero-day (CVE-2015-2360) has been patched by Microsoft on June 9, 2015 (MS15-061) after Kaspersky Lab experts reported it.
Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario, commented Eugene Kaspersky, CEO of Kaspersky Lab.
The technical paper is available here.”