WatchPoint Security Blog

Kaspersky Duqu 2.0 Hack

Written by Greg Edwards | June 12, 2015

A few days ago an event occurred that shocked the world of cyber security: one of the industry's own, the Russian anti-virus firm Kaspersky, disclosed that its own corporate network had been hacked.

The malware behind the hack, known as Duqu 2.0, has been described by Kaspersky as “complex”, and the company added that “the people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar”; scary words, indeed.

Highly Sophisticated Malware

The fact that one of the most knowledgeable and advanced security organizations could be hacked shows how sophisticated cyber attacks have become. As it happens, it was Kaspersky’s own vigilance that limited the damage: the company found the intrusion on its own network while testing a new anti-APT product. The malware that underpinned the Duqu 2.0 attack was highly sophisticated. It avoided detection by anti-malware programs by living almost entirely in memory, leaving no persistent files on disk for a scanner to find; if an infected machine was rebooted, other compromised hosts on the network simply re-infected it. Once inside, it waited for opportunities to steal data.

Zero Day

The Kaspersky attack relied on zero day vulnerabilities, something we’ve discussed on the WatchPoint blog previously. By Kaspersky’s account the attackers used up to three of them, including a Windows kernel privilege-escalation bug (CVE-2015-2360) that Microsoft patched on June 9, 2015, the day before the disclosure. Zero day vulnerabilities are a particularly tricky area of security to guard against, because by definition there is no patch to apply when the attack begins. Defending against them requires threat intelligence, monitoring and alerting that can spot an attacker’s behaviour rather than a known signature, and good patch management that closes the hole as soon as a fix is released.

Other Targets

Kaspersky wasn't the only target of Duqu 2.0. European and North African telecommunications companies and other companies in the U.S., India and Hong Kong were also infected by the malware. It was even found at venues used to hold talks on Iran’s nuclear program. Whoever was behind this attack is open for debate. It was most likely state sponsored, given the level of sophistication and complexity of the attack and the cost of developing, and then burning, multiple zero day exploits.

However, Kaspersky has acted swiftly and shared information on the malware with the rest of the world, helping to prevent further infections. This type of collaborative security is becoming an essential part of our security infrastructure globally.

Weaving in other attacks, we can see a pattern of increasing collaboration, complexity and sophistication in cyber attacks over the last few years. The recent attack on the IRS has also crystallized the idea that one breach now feeds the next. The IRS attack built on many previous hacks in which Personally Identifiable Information (PII) was stolen from places such as Anthem and other healthcare organizations. That data was then used to answer the identity-verification questions in the IRS’s online Get Transcript service and pull tax records for the individuals concerned. This may, of course, be only the start of an onslaught of highly focused secondary attacks built on data taken in earlier, primary breaches.

What can you do?

As business owners, we are the custodians of our own and often third party data, and that data is being systematically targeted and stolen. The onslaught is real, but it is not yet out of our control. Industry can work together to disseminate knowledge about malware attacks, and each of us can take the precautions needed to make sure we are protected against malware.

While Kaspersky was hacked, the damage was not as great as it could have been, because of security measures already in place and because of a swift response to intelligence from monitoring their network and extended IT systems. We should follow in Kaspersky’s footsteps and put in place monitoring and alerting capabilities to defend our own and our customers’ data.
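To make the monitoring point concrete: Duqu 2.0 stayed off disk, so the check worth having is one that looks at what is actually executing in memory rather than at what a file scanner can find. The script below is an added example for this post; it is not WatchPoint’s code and nothing in it comes from Kaspersky’s report. It applies one such check on Linux by reading the /proc/<pid>/maps format and flagging executable mappings whose backing file has been deleted, that live in a memfd, or that are anonymous read-write-execute memory. The sample maps listing is constructed, and its addresses, paths and the “sshd” process are illustrative only; a Windows equivalent would walk loaded modules and executable private memory with the same goal.

```python
"""Hunt for code that runs without a file on disk, using the /proc maps format.

Added example for this post; it is not code from WatchPoint or from
Kaspersky's Duqu 2.0 report. It reads the Linux /proc/<pid>/maps format;
the sample below is constructed, not captured from a real infection.
"""
import os
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})"
    r"\s+\S+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample: a process that something has been injected into.
SAMPLE_MAPS = """\
55d3f1a00000-55d3f1a20000 r-xp 00000000 fd:01 131072 /usr/bin/sshd
7f2a4c000000-7f2a4c021000 rwxp 00000000 00:00 0
7f2a4c400000-7f2a4c412000 r-xp 00000000 00:05 4021 /memfd:stage2 (deleted)
7f2a4d000000-7f2a4d1ff000 r-xp 00000000 fd:01 262144 /tmp/.x/loader.so (deleted)
7f2a4d200000-7f2a4d3ab000 r--p 00000000 fd:01 786432 /usr/lib/libc.so.6
7ffd1a3f0000-7ffd1a411000 rw-p 00000000 00:00 0 [stack]
"""


def suspicious_mappings(maps_lines):
    """Return executable mappings that an on-disk scanner would never see.

    Three reasons are reported, from most to least reliable:
      deleted   executable mapping whose backing file has been unlinked
      memfd     executable mapping backed by an anonymous memfd file
      anon_rwx  anonymous memory that is writable and executable (JITs do
                this legitimately, so treat it as a lead, not a verdict)
    """
    hits = []
    for line in maps_lines:
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        perms, path = m.group("perms"), m.group("path").strip()
        if "x" not in perms:
            continue  # data, not code
        if path.startswith("["):
            continue  # [stack], [vdso], [heap] and friends
        if path.startswith("/memfd:"):
            reason = "memfd"
        elif path.endswith("(deleted)"):
            reason = "deleted"
        elif not path and "w" in perms:
            reason = "anon_rwx"
        else:
            continue
        hits.append({"range": f"{m['start']}-{m['end']}", "perms": perms,
                     "path": path, "reason": reason})
    return hits


def scan_live(proc_root="/proc"):
    """Run the check over every readable process; returns {pid: hits}."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                hits = suspicious_mappings(fh)
        except OSError:  # process exited, or not ours to read
            continue
        if hits:
            findings[int(entry)] = hits
    return findings


if __name__ == "__main__":
    for hit in suspicious_mappings(SAMPLE_MAPS.splitlines()):
        print(f"{hit['reason']:9} {hit['perms']} {hit['range']} {hit['path']}")
```

On the constructed sample the script reports the anonymous rwx region, the memfd stage and the deleted loader; the legitimate sshd image and libc are left alone. The “deleted” and “memfd” reasons are strong signals on a server, because nothing legitimate there should be executing from a file that no longer exists; “anon_rwx” is noisy on anything running a JIT (browsers, Java, some interpreters), so it belongs in an alert that a human triages rather than one that pages at 3 a.m. Run scan_live() from a scheduled job as root and ship the findings to whatever alerting you already have.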

If you want more detailed information about the Duqu 2.0 attack on Kaspersky you can see a breakdown of the hack here: http://media.kaspersky.com/en/Duqu-2-0-Frequently-Asked-Questions.pdf