Security software vendor Kaspersky Lab has revealed that it was recently subject to a major cyberattack.
The company detected a complex cyber-intrusion affecting its internal systems in early spring this year, and the investigation that followed led to the discovery of the powerful cyber threat Duqu 2.0.
After the attack was discovered, an internal investigation was launched. A team of the company’s researchers, reverse engineers and malware analysts worked around the clock to analyse the ‘exceptional’ attack.
Duqu 2.0 is an advanced threat actor associated with the P5+1 nuclear discussions; it has exploited as many as three zero-day vulnerabilities and is closely linked to the original Duqu.
Kaspersky has revealed that the attack exploited zero-day vulnerabilities and that the malware spread through the network via MSI (Microsoft Software Installer) files.
Duqu 2.0 left no files on disk and changed no system settings, which made the attack difficult to detect.
Kaspersky described it as ‘one of the most sophisticated campaigns ever seen’.
Eugene Kaspersky, CEO of Kaspersky Lab, said: “Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised.
“Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilised by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario.”
The security vendor has since begun a security audit and analysis of the attack; this work is still ongoing and is expected to be completed in a few weeks.
The analysis found that hackers were trying to spy on the company’s technologies, ongoing research and internal processes.
Companies in Western countries have also been hit by Duqu, as have organisations in the Middle East and Asia.
Costin Raiu, director of Kaspersky Lab’s global research and analysis team, added: “The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar.
“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions.
“Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”
Kaspersky is releasing all the technical details about Duqu 2.0 via Securelist.