Hackers PWNED Kaspersky Lab servers for months -- Duqu 2.0 blamed on Israel

In Yakov's tedious meme, Impact-font macro YOU

Duqu 2.0 Kaspersky
Credit: Yakov Smirnoff

Eugene Kaspersky's eponymous AV company got hacked last year. But it took them several months to discover the infection. Off the record, the Russian security company is tentatively blaming the state of Israel for "Duqu 2.0," pointing to such evidence as code similarities, the information the malware targeted, and the identities of other victims.

State-sponsored malware infecting an anti-malware company? Is nothing sacred? Is nobody safe?

In IT Blogwatch, bloggers warn Eugene to be careful with that ax.

curated these bloggy bits for your entertainment.


John Leyden jars us awake: [You're fired -Ed.]

Kaspersky Lab has unearthed an attack on its corporate network. ... The Duqu 2.0 malware...was exploiting up to three zero-day vulnerabilities, a highly unusually feature.

This malware was a "generation ahead"...according to Kaspersky Lab. ... The NSA and Israel's elite Unit 8200 intelligence corps are...primes suspect.

The main goal of the attackers...was to spy on its technologies, ongoing research and internal processes.  MORE


And Dan Goodin is in:

Not long after blowing the lid off a [NSA]-backed hacking group...researchers at Moscow-based Kaspersky Lab returned home...to an even more startling discovery. ... A different state-sponsored group had been casing their corporate network.

The infection originated in a computer used by a non-technical Kaspersky employee...in the Asia-Pacific region. ... Researchers suspect the employee received a highly targeted spear phishing e-mail. ... The attackers went on to exploit a separate critical vulnerability in Windows server...to hijack the Windows domain controllers.

In all, "dozens" of machines inside Kaspersky's network were infected...but there are no signs they tried to compromise any of Kaspersky's...users.  MORE


So Kim Zetter recurses to finger the perp:

[It's] a case of the watchers watching the watchers who are watching them. ... The attackers appear to be the same group that created Duqu [which] shared a number of similarities with Stuxnet...the massive Flame surveillance platform...and the mysterious Gauss attack.

Kaspersky wasn’t the only victim of Duqu 2.0. ... The attackers also struck a series of hotels and conference venues, each of them...where members of the UN Security Council met in the past year to negotiate Iran’s nuclear program.

Researchers have long suspected that Israel alone was behind the Duqu code. The focused spying on the nuclear negotiations, from which Israel was excluded, would seem to support this theory. ... The attackers were primarily interested in Kaspersky’s work on...the Equation Group and Regin campaigns...attributed to the NSA and GCHQ [which] is not surprising if indeed the nation behind Duqu 2.0 is Israel.

There was one victim, however, that didn’t fit the profile of other targets. ... An international gathering for the 70th anniversary of the liberation of the Auschwitz-Birkenau concentration camps.  MORE


The aforementioned Evgeniy Valentinovich Kasperskiy 'fesses up:

[We] recently detected and neutralized a sophisticated, very well-planned attack on our networks. [But] the more I think about it, the less it makes sense.

We’ve always been repelling attacks. But we never believed we should expect state-sponsored industrial espionage to come and break down our digital door.  

[They] messed up: now we know how to catch a new generation of stealthy malware developed by them...hardly a good return on a serious investment with public money. [They] have lost a very expensive and sophisticated framework they’d been developing and nurturing for years.  MORE


Meanwhile, Eugene asked his friends at CrySyS Lab to do an independent analysis:

Duqu is particularly interesting, not only because we discovered it back in 2011, but because...it has very strong similarities to Stuxnet. ... And now we have a new member of the same family...the attackers behind the Duqu malware are back and active.

It is not surprising that the attackers reused their old tools, as they have already invested a lot of design and development effort in them. [It] raises the far reaching questions of how much information the defenders should publish about newly discovered threats, and whether security-by-obscurity is perhaps not such an undesirable approach after all.  MORE


Update: Quoth The Raven, it's hyperbole:

Kasperski must characterize the malware as ultra-advanced, targeted, government hacking. Otherwise they look like fools for being penetrated.

[But] there is no way to tell, because their success as a company depends on them assuring everyone that they can competently defend against ordinary malware.  MORE


But John "nimbius" Roman points an accusatory finger at the initial vector:

The real question isn't who attacked Kaspersky, but why Kaspersky still runs a punching bag OS like Windows. One would expect a major security vendor would have hardened everything from the secretaries desktop to the coffee maker.  MORE


And Finally…
But of course, David, Roger, Richard and Nick spelled it "axe"


You have been reading IT Blogwatch by , who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.