Duqu 2.0 hackers may have cracked Kaspersky to recon research
After all, antivirus makers like Kaspersky Lab should be prepared to sniff out and snuff out an attack.
"They were not only stupid, but greedy," Kaspersky said during a London-based press conference Wednesday, which was also webcast to reporters elsewhere.
When asked why the attackers -- whose malware was dubbed Duqu 2.0 in a nod to 2011's Duqu, which in turn was thought to be an offspring of the infamous Stuxnet -- went head-to-head with his company, Kaspersky had theories but nothing more.
"They were not interested in our customers," he said after asserting that the intrusion did not appear to have touched any customer or partner data.
"I'm pretty sure they were watching," he said of the hackers during the months they had their malware running undetected on Kaspersky's network. He speculated that the attackers were doing reconnaissance and research, hoping to find out more about Kaspersky's security technology or how it found and analyzed malware.
Specifically, Kaspersky wondered if they had infected Windows PCs on the company's network to uncover how researchers decided what malware to manually examine.
The vast bulk of the malware that Kaspersky -- and any major antivirus firm -- collects is processed, evaluated and categorized by automated systems, which also craft the resulting "fingerprints," or signatures, that are sent to customers' devices. Only the occasional sample is different enough from the run-of-the-mill to justify a human touch.
How researchers decide to closely examine -- and root through -- one piece of malware while passing on another would obviously be information a hacker crew or state-sponsored group would love to have. It would help them craft attack code and develop tradecraft more likely to be shunted to the machines, where a sample is one among millions and its true purpose may be overlooked.
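The triage split described above, as an added illustration that is not Kaspersky's system or code: samples are fingerprinted, compared with already-classified families by byte-n-gram similarity, and either auto-classified with a generated signature or escalated to a human. The families, the 4-byte shingle feature, the 0.5 threshold and every "binary" are constructed assumptions; the last two samples show the attacker's angle, a novel implant that gets escalated, and the same implant padded with a commodity-adware body so that the automated path files it as a known variant.

```python
"""Toy automated malware-triage pipeline (added illustration, not Kaspersky's system).

Each sample is fingerprinted, compared with known families by byte-n-gram
similarity, and either auto-classified (with an auto-generated signature) or
escalated to a human analyst. All "binaries" below are constructed byte strings.
"""
import hashlib
from typing import Dict, List, Set, Tuple

NGRAM = 4              # hypothetical feature: overlapping 4-byte shingles
AUTO_THRESHOLD = 0.5   # hypothetical: Jaccard similarity at or above this is "a known variant"

PE_STUB = b"MZ\x90\x00PE\x00\x00 "  # stand-in for a common executable header

# Constructed corpus of already-classified samples, grouped by family.
KNOWN: Dict[str, List[bytes]] = {
    "adware.generic": [
        PE_STUB + b"AdBar installer v1.0 GET /ads?id=1 HTTP/1.1 User-Agent: AdBar",
        PE_STUB + b"AdBar installer v1.1 GET /ads?id=2 HTTP/1.1 User-Agent: AdBar",
    ],
    "worm.autorun": [
        PE_STUB + b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe copy to E:\\ F:\\",
    ],
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, n: int = NGRAM) -> Set[bytes]:
    """Set of overlapping n-byte substrings; a crude but order-aware feature set."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def auto_signature(sample: bytes, family: str) -> Dict[str, str]:
    """What the automated path emits: an exact-match fingerprint tagged with a family."""
    return {"sha256": sha256(sample), "family": family}


def triage(sample: bytes, known: Dict[str, List[bytes]] = KNOWN,
           threshold: float = AUTO_THRESHOLD) -> Tuple[str, str, float]:
    """Return (decision, family, score).

    decision is "known" (exact hash hit), "auto" (close enough to a known family
    to classify without a human) or "human" (novel enough to escalate).
    """
    digest = sha256(sample)
    for family, members in known.items():
        if any(sha256(m) == digest for m in members):
            return ("known", family, 1.0)
    feats = shingles(sample)
    best_family, best_score = "", 0.0
    for family, members in known.items():
        for m in members:
            score = jaccard(feats, shingles(m))
            if score > best_score:
                best_family, best_score = family, score
    if best_score >= threshold:
        return ("auto", best_family, best_score)
    return ("human", "unknown", best_score)


# A novel, memory-only style implant: shares only the header with the corpus.
IMPLANT = PE_STUB + b"RWX beacon"
# The same implant padded with a commodity-adware body: the tradecraft the
# article describes, built so the automated path files it as "just another AdBar".
DISGUISED = IMPLANT + b" " + KNOWN["adware.generic"][0][len(PE_STUB):]


def demo() -> Dict[str, Tuple[str, str, float]]:
    return {
        "resubmitted_adbar": triage(KNOWN["adware.generic"][1]),
        "implant": triage(IMPLANT),
        "disguised_implant": triage(DISGUISED),
    }


if __name__ == "__main__":
    for name, (decision, family, score) in demo().items():
        print(f"{name:18s} -> {decision:5s} {family:15s} similarity={score:.2f}")
```

The resubmitted adware sample is a hash hit, the bare implant scores far below the threshold and goes to a human, and the disguised implant scores well above it and is auto-filed under adware.generic; a real pipeline adds behavioural and structural features precisely so that this kind of padding does not work, which is why knowing what those features are would be worth so much to an attacker.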
"[The bad guys] absolutely want to know what security researchers are doing, what's the state of the art on that side," said Tod Beardsley, the engineering manager at security vendor Rapid7, in an interview. "They want to know, is it better than what [they] have?"
It's certain, Beardsley continued, that just as security researchers launch projects to analyze attack technology and attackers' predilections, the other side does the same. "Having a hold in a security company is of great advantage," Beardsley said. "Just the operational intelligence would be valuable, as that would give them lots of preparation time for their next mission."
And with more-than-public knowledge, hackers might be able to come up with ways to steer clear of security defenses like those employed by Kaspersky's customers.
But Eugene Kaspersky dismissed the idea that the hackers' presence within his company's network -- he said it had been hidden there at least several months -- would give them real clues about the vendor's technologies, even if they had obtained the source code, which they had not. "These technologies are quickly outdated," Kaspersky contended, saying that changes were constantly being applied.
"Maybe they were interested in some specific attacks we were working on," Kaspersky said. "Or maybe they wanted to see if we could catch them."
In a long blog post on Forbes, Kaspersky elaborated. "I can think of several reasons why someone might want to try to steal our technical data, but each one of them doesn't seem to be worth the risk" of being discovered, Kaspersky said.
Which is exactly what happened.
"Now we know how to catch a new generation of stealthy malware developed by them," Kaspersky wrote. "And the attackers are now back to the drawing board since we exposed their platform to the whole IT security industry. Moral considerations aside, that's hardly a good return on a serious investment with public money."
That latter line was a reference to Kaspersky's contention that Duqu 2.0 was created by a state-sponsored or state-run hacking crew.
Beardsley and Kaspersky agreed on one thing: Duqu 2.0 was top-of-the-line malware.
"It's very awesome for sure," said Beardsley. "It is definitely a milestone. It has a very modular framework, is able to swap out one zero-day for another, and uses new techniques for signaling and non-persistence."
Unlike most malware, Duqu 2.0 resides almost exclusively in memory and leaves little on disk, making it difficult for file-scanning security software to detect.
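One way to look for that kind of memory-only payload, as an added example that is not part of the article and not Kaspersky's tooling: a process that was loaded from disk should have its executable pages backed by files, so executable regions with no backing file, or backed by a memfd or deleted file, or mapped writable and executable at once, are worth a second look. Duqu 2.0 ran on Windows; this is the Linux analogue using /proc/<pid>/maps (an assumption of this example), and the maps excerpt is constructed.

```python
"""Memory-resident implant check via executable mappings (added illustration).

This Linux analogue reads a process's /proc/<pid>/maps and flags executable regions
that no file on disk backs, which is the kind of artefact a memory-only payload
leaves. SAMPLE_MAPS is constructed; scan_pid() is for live use on a Linux host
(assumption: Linux only).
"""
from typing import Dict, List

# Constructed /proc/<pid>/maps excerpt: two ordinary bash mappings, a normal anonymous
# rw region, an anonymous RWX region, an executable memfd that was unlinked, and the
# kernel's [stack]/[vdso] pseudo-mappings.
SAMPLE_MAPS = "\n".join([
    "55d8e3a00000-55d8e3a21000 r-xp 00000000 fd:01 1311234                    /usr/bin/bash",
    "55d8e3c20000-55d8e3c21000 rw-p 00020000 fd:01 1311234                    /usr/bin/bash",
    "7f1c2a000000-7f1c2a021000 rw-p 00000000 00:00 0 ",
    "7f1c2a100000-7f1c2a110000 rwxp 00000000 00:00 0 ",
    "7f1c2b000000-7f1c2b010000 r-xp 00000000 00:05 98765                      /memfd:payload (deleted)",
    "7ffd1e200000-7ffd1e221000 rw-p 00000000 00:00 0                          [stack]",
    "7ffd1e3fe000-7ffd1e400000 r-xp 00000000 00:00 0                          [vdso]",
])


def parse_maps(text: str) -> List[Dict[str, str]]:
    """Split each maps line into address range, permissions and backing path ('' if anonymous)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)          # path may contain spaces, e.g. "(deleted)"
        if len(parts) < 5:
            continue
        rows.append({
            "range": parts[0],
            "perms": parts[1],
            "path": parts[5].strip() if len(parts) == 6 else "",
        })
    return rows


def suspicious_mappings(text: str) -> List[Dict[str, object]]:
    """Flag executable regions with no on-disk backing, or with W+X at once.

    Heuristic only: JIT engines (browsers, JVMs) legitimately create anonymous
    executable regions, so expect noise on a workstation; on a server it is rare.
    Kernel pseudo-mappings such as [vdso] carry a bracketed name, so they are not
    treated as anonymous here.
    """
    findings = []
    for m in parse_maps(text):
        perms, path = m["perms"], m["path"]
        if "x" not in perms:
            continue
        reasons = []
        if path == "":
            reasons.append("executable region not backed by any file")
        elif path.startswith("/memfd:") or path.endswith("(deleted)"):
            reasons.append("executable region backed by memfd or a deleted file")
        if "w" in perms:
            reasons.append("writable and executable at once")
        if reasons:
            findings.append({**m, "reasons": reasons})
    return findings


def scan_pid(pid: int) -> List[Dict[str, object]]:
    """Live check of one process (Linux; needs permission to read its maps)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return suspicious_mappings(fh.read())


if __name__ == "__main__":
    for f in suspicious_mappings(SAMPLE_MAPS):
        print(f["range"], f["perms"], f["path"] or "<anonymous>", "|", "; ".join(f["reasons"]))
```

On the constructed input the bash mappings, the plain rw region and the kernel pseudo-mappings pass, while the anonymous RWX region and the deleted memfd are reported. The same idea on Windows walks a process with VirtualQueryEx and looks at committed, executable, MEM_PRIVATE regions. Either way the check only sees what is mapped right now: a payload that exists nowhere but in RAM leaves nothing for an on-disk scan, which is exactly why cutting the power removes it.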
Which led Eugene Kaspersky to make an odd-but-effective suggestion about how to rid a network of the malware. "Technically, it's simple: Turn off the power and the system will be clean."