Kaspersky Finds New Nation-State Attack—In Its Own Network

Kaspersky says the attackers became entrenched in its networks some time last year.
Inside the headquarters of Kaspersky Lab in Moscow, Dec. 9, 2014. Photo: Alexander Zemlianichenko Jr./Bloomberg/Getty Images

Researchers at Kaspersky Lab in Russia have discovered yet another new nation-state attack attributed to members of the infamous Stuxnet and Duqu gang. But this time the perpetrators were hiding in plain sight---inside the security firm's own networks.

Kaspersky says the attackers became entrenched in its networks some time last year. For what purpose? To siphon intelligence about nation-state attacks the company is investigating---a case of the watchers watching the watchers who are watching them. They also wanted to learn how Kaspersky's detection software works so they could devise ways to avoid getting caught. Too late, however: Kaspersky found them recently while testing a new product designed to uncover exactly the kind of attack the intruders had launched.

The attackers appear to be the same group that created Duqu, spyware discovered in 2011 that was used to hack a certificate authority in Hungary, as well as targets in Iran and Sudan, and that shared a number of similarities with Stuxnet, the famed digital weapon that sabotaged Iran's nuclear program. The team's handiwork popped up again in 2012 in two sophisticated spy tools Kaspersky helped expose---the massive Flame surveillance platform that infected thousands of victims over a period of five years and the mysterious Gauss attack, which contained a payload so securely locked that it's yet to be deciphered.

The hack against Kaspersky bears some of the hallmarks of the 2011 Duqu attack, including sharing an algorithm and large amounts of the same code. But where the original Duqu consisted of just six modules, Duqu 2.0, as Kaspersky is calling it, is a massive, 19-megabyte toolkit with plugins for various reconnaissance and data theft activities. All of these are stored in and operated stealthily from inside an infected machine's memory in order to bypass detection tools that might otherwise uncover them if they were stored on the machine's hard drive. The attackers also appear to have used at least three zero-day exploits to conduct their attack, as well as a clever technique to surreptitiously extract data remotely and communicate with infected machines.

"The entire code of this [attack] platform is some of the best we have seen ever," Costin Raiu, director of the company's Global Research and Analysis Team, told WIRED. "It is incredibly well written. Almost no mistakes anywhere."

Kaspersky is still trying to determine how much data the attackers stole. The thieves, as with the previous Duqu 2011 attack, embedded the purloined data inside blank image files to slip it out, which Raiu says "makes it difficult to estimate the volume of information that was actually transferred." But at least, he says, it doesn't appear that the attackers were out to infect Kaspersky customers through its networks or products. Kaspersky claims to have more than 400 million users worldwide.

Kaspersky wasn't the only victim of Duqu 2.0. Based on data the company collected from its customers, the attackers also struck a series of hotels and conference venues, each of them a location where members of the UN Security Council met in the past year to negotiate Iran's nuclear program. That program is a recurring interest for the attackers behind the Duqu code, which shouldn't come as a big surprise. The US and Israel reportedly were behind Stuxnet, but various researchers have long suspected that Israel alone was behind the Duqu code. The focused spying on the nuclear negotiations, from which Israel was excluded, would seem to support this theory.

Additionally, the security firm Symantec, which obtained samples of Duqu 2.0 provided by Kaspersky, uncovered more victims of the targeted attack code among its own customers, and found that some of these victims were in the US---a fact that would be cause for even more concern if the attack were perpetrated by the US government.

Duqu 2.0 Exposed

Over the last five years, Kaspersky has made a name for itself exposing one nation-state attack after another, including Stuxnet, Duqu, Flame, Gauss, Regin and the Equation Group---many of them seemingly launched by the US and its UK and Israeli allies. It was perhaps inevitable that Kaspersky eventually would be targeted itself.

Side-by-side comparison showing a near identical function, for generating log entries, in the Duqu 2011 and 2015 attacks.

Kaspersky Lab

Kaspersky uncovered the breach after an engineer, testing a new product on a company server, spotted anomalous traffic that caused him to further investigate. Eventually the company determined that a couple dozen Kaspersky systems had been infected. The company won't say when exactly the intrusion began to preserve the integrity of the investigation, but Raiu says they're working with law enforcement agencies in several countries to track the breach of Kaspersky as well as other victims. The company has also filed police complaints in Russia and the UK, where it also has an office.

Mode of Infection

The infection of Kaspersky unfolded like a precision campaign. The attackers first targeted an employee in one of the company's Asia-Pacific offices, likely using a spear-phishing attack and zero-day exploit to breach the system. The employee's machine had all the latest software patches installed, but zero-day exploits target vulnerabilities that are yet unknown to a software maker, and therefore have no patches available to seal them.

Another indication that a spear-phishing email was used was the fact that while Kaspersky was investigating the breach, the attackers wiped the mailbox and browsing history from the infected employee's system, preventing Kaspersky from fully analyzing it.

The wipe occurred just four hours before Kaspersky identified the employee's machine as "patient zero," suggesting the intruders knew they'd been caught and were racing to eliminate evidence before Kaspersky could find it. Raiu suspects they may have been tipped off when Kaspersky disconnected many of its critical systems from the Internet after discovering the breach. He notes, however, that the company has backups and logs of the employee's system, and once they're able to compile and review them, he's confident they'll produce evidence of how the attackers got in.

From this first infected system, the attackers leapfrogged to others in the network, likely using a second zero-day exploit to do this. "We were able to map the malware jumping from one computer to another based on event logs," Raiu says.

He thinks they used an exploit targeting a vulnerability in the Kerberos protocol, which Microsoft patched last November after the attackers had already used it. The hole would have allowed them to gain elevated privileges on a domain controller server, which would have provided them with credentials to target other systems. Although Kaspersky found no samples of such an exploit on their system, they saw indications that a domain controller attack had occurred.

Once the attackers found a computer of interest, they used another zero-day exploit to install their toolkit in memory from kernel mode, the deepest layer of a machine. Kaspersky reported this zero-day to Microsoft several weeks ago, for which the software vendor issued a patch yesterday. Kaspersky had waited for Microsoft to issue the patch before going public with news of the breach and the zero-day exploit.

Jumping into kernel-mode to install malware like this will often trigger a detection system like Kaspersky's, so the attackers used a creative technique to bypass Kaspersky's antivirus software and trick it into believing the behavior was normal. The malware in fact checked for the presence of more than a dozen antivirus products from different vendors to determine the best method to bypass detection. Kaspersky has described these techniques in a blog post and paper published today, which also discuss all the ways in which Duqu 2011 and 2015 are alike.

Once the toolkit was loaded into the infected machine's memory and launched, all traces of the installer and malware were erased from the hard disk. The fact that the attackers ran their entire operation from memory after this step is a sign, Raiu says, that they had high confidence in their code and the stability of their platform.

Not every system got the full 19-megabyte package. In some cases, the attackers only installed a small backdoor. These are the systems they used only to explore further into a network. But once they found a system of interest, they installed the full package. There appeared to be no middle ground, Raiu notes.

"It's pretty crazy. It has a lot of modules that may not be necessarily relevant to us, but nevertheless they deployed the entire payload packet [on our systems]," he says. Ordinarily, attackers install as few tools as possible to maintain a low profile. But Raiu says the attackers probably didn't care in this case because they believed their chances of being detected were "close to zero."

This was one risky move the attackers took. But another one was storing all of their malware only in memory. This meant that any time an infected system got rebooted, the malware would disappear. With nothing on disk to re-install it, the attackers ran the risk of losing the infected machine. So to combat this, they stored a driver on another machine on the network, and any time an infected machine got rebooted, the driver could reach out to a domain controller on the network and relaunch an infection on the cleaned machine.

The same driver also served a second purpose. It helped the attackers communicate stealthily and remotely with infected networks. Often, criminal hackers will have every infected machine on a network communicate with their external command-and-control server. But large amounts of traffic like this can raise alerts. So the Duqu 2.0 attackers limited the traffic by using this driver to tunnel communication to and from the network.

They would first send one of two "magic strings" to the driver---either "romanian.anti-hacker" or "ugly.gorilla"---from an IP address in Jakarta or Brazil. The strings triggered the driver to add the IP addresses to a whitelist so communication to them wouldn't be flagged. Then they used Windows pipes sessions to tunnel through the driver to communicate with other machines on the network. They also siphoned data out of the network in this way, in order to shield their activity. Instead of multiple machines communicating with the external command servers, only the machine with the driver would be seen communicating with it.
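The driver pattern described above leaves two observable traces a defender can look for: the magic string arriving from outside, and one internal host that both talks to the outside and collects named-pipe (SMB) sessions from several internal peers. The following is an added example, not code from the article or from Kaspersky; the log record fields, the sample records and the 203.0.113.0/24 "external" addresses are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The two magic strings named in the article; one was sent to the driver to whitelist the sender.
MAGIC_STRINGS = (b"romanian.anti-hacker", b"ugly.gorilla")
SMB_PORT = 445  # Windows named-pipe sessions between hosts ride over SMB
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True for RFC 1918 space; everything else is treated as external (assumption)."""
    return any(ip_address(ip) in net for net in RFC1918)

def magic_string_hits(records):
    """(src, dst) pairs whose payload carries one of the driver's magic strings."""
    return sorted({(r["src"], r["dst"]) for r in records
                   if any(m in r["payload"] for m in MAGIC_STRINGS)})

def pipe_hubs(records, min_peers=3):
    """Internal hosts that talk to the outside AND receive SMB sessions from
    at least min_peers other internal hosts: the shape of the tunnelling driver."""
    external_talkers, smb_peers = set(), defaultdict(set)
    for r in records:
        src_in, dst_in = is_internal(r["src"]), is_internal(r["dst"])
        if src_in != dst_in:                       # one side inside, one outside
            external_talkers.add(r["src"] if src_in else r["dst"])
        elif src_in and r["dport"] == SMB_PORT:    # internal-to-internal SMB
            smb_peers[r["dst"]].add(r["src"])
    return sorted(h for h in external_talkers if len(smb_peers[h]) >= min_peers)

# Constructed sample connection records (field names are an assumption).
SAMPLE = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "dport": 80, "payload": b"...romanian.anti-hacker..."},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443, "payload": b""},
    {"src": "10.0.0.11", "dst": "10.0.0.5", "dport": 445, "payload": b"\\PIPE\\"},
    {"src": "10.0.0.12", "dst": "10.0.0.5", "dport": 445, "payload": b"\\PIPE\\"},
    {"src": "10.0.0.13", "dst": "10.0.0.5", "dport": 445, "payload": b"\\PIPE\\"},
    {"src": "10.0.0.11", "dst": "10.0.0.20", "dport": 445, "payload": b"\\PIPE\\"},  # ordinary file share
    {"src": "10.0.0.20", "dst": "203.0.113.9", "dport": 443, "payload": b""},       # normal outbound host
]

if __name__ == "__main__":
    print(magic_string_hits(SAMPLE))  # [('203.0.113.7', '10.0.0.5')]
    print(pipe_hubs(SAMPLE))          # ['10.0.0.5']
```

Either signal alone is weak (a file server also collects SMB sessions), which is why the example reports the hub only when it is also an external talker.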

Image showing one of the magic strings, "romanian.antihacker," the attackers sent from their command server to a driver on the victim's network to establish a communication channel.

Kaspersky Lab

The 19-megabyte assault kit contains a complete set of specialized modules designed to map systems and networks, harvest passwords and other credentials, snap screenshots, read and write content and siphon text from emails and documents, among other things. They've found modules for infecting both the 32-bit and 64-bit versions of Windows, but so far found no modules for infecting Mac systems.

Some of the modules are so sophisticated that Kaspersky hasn't been able to reverse-engineer them yet. One of them appears to be designed to interact with some type of SCADA system, Raiu says. "This could be a security system in a hotel or surveillance or security related. But it can also be some kind of a new Stuxnet payload."

What They Were After

The attackers were primarily interested in Kaspersky's work on APT nation-state attacks---especially with the Equation Group and Regin campaigns. Regin was a sophisticated spy tool Kaspersky found in the wild last year that was used to hack the Belgian telecom Belgacom and the European Commission. It's believed to have been developed by the UK's intelligence agency GCHQ.

The Equation Group is the name Kaspersky gave an attack team behind a suite of different surveillance tools it exposed earlier this year. These tools are believed to be the same ones disclosed in the so-called NSA ANT catalogue published in 2013 by journalists in Germany. The interest in attacks attributed to the NSA and GCHQ is not surprising if indeed the nation behind Duqu 2.0 is Israel.

The Duqu 2.0 attackers were also curious about a new secure operating system Kaspersky is developing for use in industrial control systems and critical infrastructure and they also wanted to study its KSN system. The Kaspersky Security Network is an opt-in system that gathers data from customers about new threats infecting them. The company uses it to create maps outlining the geographical reach of various threats. "It's one of our essential core technologies for fighting APT [advanced persistent threats]," Raiu says.

Their curiosity wasn't limited to Kaspersky's systems, though. Kaspersky found Duqu 2.0 infections on about a dozen customers, though the company won't identify the countries where they reside. Victims uncovered so far fall into two types: those who appear to have some connection to Iran's nuclear program; and technology companies that appear to have been attacked for some utilitarian purpose. One victim in this category is an industrial control system manufacturer in the Asian Pacific. "They are a very, very interesting target. We don't know if they are the final target or because they make interesting hardware that they sell to other countries," Raiu says. The attackers also targeted a telecom in the Middle East.

There was one victim, however, that didn't fit the profile of other targets. Raiu says this was an international gathering for the 70th anniversary of the liberation of the Auschwitz-Birkenau concentration camps. The focus in this case may have been on the scores of VIPs who attended the event, including presidents and prime ministers. "Pretty much everyone was there with the exception of Obama and Putin," Raiu notes.

In addition to all of these targets, Symantec uncovered victims in the UK, Sweden, Hong Kong and India. Notably, it found telecom victims in Europe and Africa, an electronics firm in South East Asia, and multiple infections in the US, including one organization where developers working on mobile platforms were infected. Some of the infections dated back to 2013, according to Vikram Thakur, senior manager for the company's Security Response team.

Based on the number of victims found so far, Kaspersky estimates that the total number is likely less than 100.

Spying on Iran's Nuclear Talks

But perhaps the most interesting targets were the venues hosting the P5+1 meetings. P5+1 refers to the five permanent members of the UN Security Council plus Germany, who have been in negotiations with Iran over its nuclear activities. Raiu wouldn't identify the hacked venues, but the negotiations have occurred in many places over the last 18 months, including the Coburg Palace Hotel in Vienna; the Montreux Plaza Hotel, Hotel Intercontinental, and President Wilson Hotel in Geneva; the Beau-Rivage Palace Hotel in Lausanne and the Al Bustan Palace Ritz-Carlton Hotel in Muscat, Oman.

Earlier this year, the Wall Street Journal reported that Israel had spied on the closed-door talks about Iran's nuclear program, but was vague on details about how this might have occurred. The Duqu 2.0 spy operation is a possible clue.

Raiu says each of the infections began within three weeks before the P5+1 meetings occurred at that particular location. "It cannot be coincidental," he says. "Obviously the intention was to spy on these meetings."

Initially Kaspersky was unsure all of these infections were related, because one of the victims appeared not to be part of the nuclear negotiations. But three weeks after discovering the infection, Raiu says, news outlets began reporting that negotiations were already taking place at the site. "Somehow the attackers knew in advance that this was one of the [negotiation] locations," Raiu says.

Exactly how the attackers spied on the negotiations is unclear, but the malware contained modules for sniffing WiFi networks and hijacking email communications. Raiu believes, however, that the attackers were more sophisticated than this. "I don't think their style is to infect people connecting to the WiFi. I think they were after some kind of room surveillance---to hijack the audio through the teleconference or hotel phone systems."

One thing is clear: with Kaspersky's exposure of Duqu 2.0, the attackers will now have to find a new tool to conduct their espionage. Though given the recent proficiency of Kaspersky and other companies in discovering these tools, it may not be long before the next one is exposed too.