Advanced malware is spying on the Iranian nuclear talks

On February 19, Russian cybersecurity firm Kaspersky Lab had a break-in. There were no signs of forced entry or incriminating security footage. The only noise was the droning electric hum of computer servers as one approved an incoming software program. The interloper had the right identification: a digital certificate, which the server required before it would allow installation of the new program. Once in the system, the malware effectively constructed a panopticon within Kaspersky. Gaining access to internal files and communiqués, it could see the company's inner workings. And no one would see it until June, four months later.

When Kaspersky did discover the hackers’ work, the firm put its best analysts on the case to understand how the rogue code was so successful, and who wrote it. The findings are troubling. The malware, dubbed Duqu 2.0, seems to be the most complex of its kind. Israel appears to have conducted the attacks. And Kaspersky Lab was not the only target.

The malware's first task was to gain entry into Kaspersky's computer network. To trick the servers into thinking the incoming software was from a legitimate company, the creators of Duqu 2.0 used a code-signing certificate stolen from Hon Hai Precision Industry Co. This would be unremarkable were it not for the fact that Hon Hai is better known as Foxconn, the tech manufacturing colossus with a client list that includes Google and Apple, a history of miserable working conditions, and a location in a country with a well-known habit of hacking: the People's Republic of China.

Why pretend to be Foxconn? In her Wired article, Kim Zetter suggests an answer: to mislead investigators into thinking China orchestrated the cyberattack. Beyond giving investigators false leads, the malware’s use of digital certificates poses a serious challenge to the cybersecurity community. Hackers are subverting the very measures intended to defend against them — measures that discern a malicious program from a legitimate one.

The digital certificate disguise isn't going out of style anytime soon. The Duqu 1.0 attacks in 2011 and Stuxnet in 2010, considered the forerunners of Duqu 2.0, also used stolen code-signing certificates to get their drivers past signature checks. In all three attacks, each certificate originated from a different Taiwanese tech company, suggesting the perpetrators possess an arsenal of stolen certificates. Kaspersky Lab's Global Research and Analysis Team consider the hackers' stash "extremely alarming, because it effectively undermines trust in digital certificates."
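The security point in the three paragraphs above is easy to state and worth seeing in code: a signature check proves only that the signer held the private key, not who that signer was. The following Go program is an added example, not code from the article, from Kaspersky or from any of the companies named; it mints two self-signed code-signing certificates (the subject names, serial numbers and "driver" bytes are constructed for the demonstration; self-signed certificates stand in for a CA chain, and a set of serial numbers stands in for a CRL or OCSP lookup, so this is a model of the trust decision, not Windows Authenticode). It then shows that an implant signed with the vendor's stolen key verifies exactly like the vendor's own driver, passes a publisher allowlist, and is stopped only once the certificate is revoked.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSigner mints a self-signed, hypothetical code-signing certificate and its
// key. "Stolen certificate" means the attacker holds a copy of that key.
func newSigner(commonName string, serial int64) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // entropy failure; nothing sensible to do in a demo
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// signImage returns a PKCS#1 v1.5 signature over SHA-256(image).
func signImage(image []byte, key *rsa.PrivateKey) []byte {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// signatureValid asks only whether image was signed with the key matching cert.
func signatureValid(image, sig []byte, cert *x509.Certificate) bool {
	return cert.CheckSignature(x509.SHA256WithRSA, image, sig) == nil
}

// Policy is what a bare signature check leaves out: allowlist plus revocation.
type Policy struct {
	TrustedPublishers map[string]bool
	RevokedSerials    map[string]bool // stands in for a CRL / OCSP response
}

// Admit reports whether a signed image may load, and why not.
func (p Policy) Admit(image, sig []byte, cert *x509.Certificate) (bool, string) {
	switch {
	case !signatureValid(image, sig, cert):
		return false, "signature does not verify"
	case p.RevokedSerials[cert.SerialNumber.String()]:
		return false, "certificate revoked"
	case !p.TrustedPublishers[cert.Subject.CommonName]:
		return false, "publisher not on allowlist: " + cert.Subject.CommonName
	}
	return true, "admitted"
}

// Scenario replays the stolen-certificate problem on constructed data and returns
// the four loading decisions (vendor driver, attacker's own cert, stolen key,
// stolen key after revocation).
func Scenario() (legit, ownCert, stolen, stolenAfterRevoke bool) {
	vendorCert, vendorKey := newSigner("Hon Hai Precision Industry Co., Ltd.", 1001) // hypothetical cert
	attackerCert, attackerKey := newSigner("Acme Drivers Ltd.", 2002)               // hypothetical cert
	driver := []byte("vendor network driver v1.2")                                  // constructed stand-in
	implant := []byte("implant: tunnels C2 traffic through the gateway")             // constructed stand-in
	policy := Policy{
		TrustedPublishers: map[string]bool{vendorCert.Subject.CommonName: true},
		RevokedSerials:    map[string]bool{},
	}
	legit, _ = policy.Admit(driver, signImage(driver, vendorKey), vendorCert)
	// The allowlist stops a certificate nobody trusts.
	ownCert, _ = policy.Admit(implant, signImage(implant, attackerKey), attackerCert)
	// The Duqu 2.0 case: the implant is signed with the vendor's key, so it
	// verifies exactly like the vendor's own driver and the allowlist passes it.
	stolenSig := signImage(implant, vendorKey)
	stolen, _ = policy.Admit(implant, stolenSig, vendorCert)
	// Only revocation (or a behavioural signal) separates the two.
	policy.RevokedSerials[vendorCert.SerialNumber.String()] = true
	stolenAfterRevoke, _ = policy.Admit(implant, stolenSig, vendorCert)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

The third decision is the one that matters: nothing in the cryptography or the allowlist distinguishes the implant from the genuine driver, which is why a stolen key is worth so much to an attacker and why a vendor that loses one must revoke it promptly. Until that happens, the only remaining signals are behavioural (what the signed driver does once loaded).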

It is, experts say, the "most complex malware ever seen." For one, Duqu 2.0 is incredibly hard to detect. Increased network traffic is a typical "tell" of hacker activity: traffic spikes when malware-infected machines communicate with the hackers' external computers. But Duqu 2.0 masks its presence by infiltrating not just workstations but also the firewalls, gateways, and servers through which their traffic flows, so the stolen data rides out along paths the network already trusts. The result is a covert communication channel that allowed the hackers to access and spy on the Kaspersky network unnoticed.

Once in, it is also very hard to evict. Duqu 2.0 runs almost entirely in memory and writes next to nothing to disk, which deprives investigators of the files they would normally find and analyse. A reboot does wipe it from that one machine, but the attackers keep full copies of the malware on other infected hosts in the network, and soon after a reboot one of them pushes a fresh copy to re-infect the recently "cured" machine. Cleaning one computer at a time therefore achieves nothing; the whole network has to be taken down and rebuilt together.

Attributing the cyberattack with full certainty is almost impossible, as the hackers used proxy servers to obscure their trail. But there are other ways to determine the author of malware, and many experts are now pointing fingers at Israel. Duqu 2.0 appears to be a descendant of Stuxnet, the cyberattack on Iran's uranium enrichment plant at Natanz that is widely reported to have been a covert collaborative effort between the United States and Israel. The resources needed to create and execute attacks of this magnitude and precision suggest the involvement of a nation-state or another large organization able to provide adequate funding and direction.

By observing patterns in the malware's activity, Kaspersky Lab found another clue implying Israel's involvement: as with the Duqu 1.0 attacks, the Duqu 2.0 hackers appear to have spied on the Russian firm every day of the week except Saturday, suggesting that they were observing the Sabbath. But perhaps the most convincing evidence for Israel's involvement is the identity of Duqu 2.0's other victims. According to Kaspersky's report, the malware infected other IT security companies in order to improve its espionage capabilities. What's more, Duqu 2.0 targeted three luxury European hotels. Analysts were at first befuddled by the lack of any apparent connection between the hotels, until it turned out that all three had hosted negotiations between Tehran and the P5+1 over Iran's nuclear capabilities. Upon further investigation, Duqu 2.0 was found to have targeted other events connected with the Iranian nuclear deal.

The original June 30 deadline for the nuclear negotiations has come and gone, and for now, tacking on extensions appears to be the modus operandi. Israeli prime minister Benjamin Netanyahu had consistently called the deal “terrible”, warning Western leaders that Iran is “not a country that you can place your trust in. And it’s not a country that you’re going to resolve its congenital cheating.” Considering Kaspersky’s discovery of Duqu 2.0 slinking around its computer network, it would appear that Israel isn’t playing it too straight either.


The Source: Kim Zetter, “Attackers stole certificates from Foxconn to hack Kaspersky with Duqu 2.0,” Wired, 2015.

This article was first published in the Wilson Quarterly on July 9, 2015.

Photo credit: Alex via Flickr