It was last year that the hackers penetrated and stuck around the networks, Kaspersky said. The attackers did this for a few reasons, according to Kaspersky.
- To access and steal the gathered intelligence on nation-state attacks that Kaspersky has been investigating and looking into.
- To understand how Kaspersky’s detection algorithms and software works, in order to navigate a way around them.
The discovery
Kaspersky has earned a reputation in exposing and thwarting plenty of nation state attacks including those such as Stuxnet, Flame, Gauss, Regin, Duqu and more. It was an inevitability that the attackers would settle on targeting Kaspersky eventually.
The breach was discovered when an engineer noticed irregular web traffic in the security firm’s servers while testing a new product developed by the company. Upon investigating further, it was discovered that a dozen systems were also infected.
The Hack and the malicious toolkit
With similarities to the 2011 Duqu hack, the attackers are believed to be the same group behind the creation of the spyware – Duqu. The original attack comprised of six modules and the sharing of an algorithm and plenty of similar coding to hide the malware in plain sight. The new attack however, dubbed as Duqu 2.0 by Kaspersky, is a tremendous 19 mega-byte toolkit that’s rooted with plugins for clandestine recon work as well as data theft tasks. Three zero-day exploits were used as well, in order to stealthily extract data from a remote location and ping to communicate with infected machines.
“The entire code of this [attack] platform is some of the best we have seen ever,” said Costin Raiu, director of the Kaspersky’s Global Research and Analysis Team. “It is incredibly well written. Almost no mistakes anywhere.”
The infiltration of the infection
Here’s how precise the infection and attack was:
- The first target was a singular employee in Kaspersky’s Asia-Pacific offices, breaching the employee’s system with zero-day exploits.
- Although the employee had the most up-to-date patches installed, zero-day exploits are programmed to cause problems by targeting vulnerabilities that aren’t even known as vulnerabilities yet, by the software developer. No patches were available, as a consequence.
- A spear-phishing campaign may have also been used, as breach response data showed deleted browsing history and a complete wipe of the mailbox in the employee’s work system, in order to prevent Kaspersky from analyzing the infection fully.
- This wipe occurred merely 4 hours before the system was identified as “patient zero,” with the attackers knowing that the game was up.
- The attackers are likely to have come to such a conclusion when Kaspersky took many of the company’s crucial security systems offline, after discovering the breach.
“Kaspersky Lab customers and partners were not affected and are not at risk,” noted Eugene Kaspersky, the company’s CEO and founder.