Earlier today, the boss of Kaspersky Labs appeared in a cheerful mood at a press conference in London, called to offer clarifications on the cyber attack at a company office from one of the most mysterious advanced persistent threat (APT) groups identified to date.
Eugene Kaspersky did not offer details about who was behind the attack and was evasive on providing an accurate time frame for the compromise, but was quick to point out the sophistication of the platform used, a second-generation Duqu that emerged in 2014 after an absence of about two years.
Duqu 2 was like a ninja on Kaspersky's systems
He said that the malware and tactics used by the APT allowed it to be almost invisible on the network for a significant period, comparing its actions and the prowess of the threat actor to a mix of Alien, Terminator and Predator in the movie world.
The components of Duqu 2 were found on the internal network of an APAC office of the security company in spring, but Eugene Kaspersky said that it went undetected for a long time, a few months.
It would have probably spent even more time on the infrastructure collecting information on the security experts’ malware research approach (collection and manual analysis) and technologies used by the company, but its activity was revealed during an internal security audit of the systems.
The reason for flying under the radar this long is that it does not leave any trace on the compromised machine, with all malicious modules running in memory. A simple reboot, also recommended by Kaspersky to make sure that Duqu 2 is not on the network, would remove the infection, but only if the entire network is powered off.
Apart from lodging itself in RAM, the malware does not generate much traffic, which would have alerted Kaspersky’s anti-APT systems to suspicious activity; it also pretends to be the system administrator, a tactic that also prevents detection.
Getting on the network in the first place was most likely done via spear-phishing, and then multiple vulnerabilities (zero-days at the time the attack was discovered, one patched on Tuesday) were exploited to elevate privileges and spread across the infrastructure.
State-sponsored attacks drive the advances in cybercrime, too
It is believed that Duqu 2 is the result of a state-sponsored operation that targets high profile companies in the west, Asia, Middle-East and Russia, whose costs are estimated by Kaspersky to start at the $10 / €8.8 million mark.
In a report from Symantec on Wednesday, victims have been identified in Sweden, India, Hong Kong, USA, UK as well as North Africa.
As far as attribution is concerned Eugene Kaspersky said that researchers can draw a conclusion only based on the source code of the malware, the command and control servers used and the movement on the network. No specific government was named during the press conference.
However, he talked about the future implications of such an attack against a security company, saying that it also pushes cybercrime to new standards. State-sponsored cyber incidents educate the “bad guys” (referring to cybercriminals that are in the game for the money), and traditional crime is also nudged towards cyber tools, bringing everything closer to cyber terrorism.
Read more: http://news.softpedia.com/news/Don-...s-Eugene-Kaspersky-to-APT-Groups-483950.shtml