Duqu 2.0: Kaspersky's Own Network Breached by Sophisticated Spyware

Kaspersky Lab — one of the world's leading antivirus companies — discovered that sophisticated spyware had been living inside its own corporate network, silently monitoring the company's threat research and analysis work.

Kaspersky Lab · 2015 · 2 min read

Background

Kaspersky Lab had been a leading voice in analysing and attributing nation-state malware, including Stuxnet, Flame, and the original Duqu. In early 2015, during an internal security sweep, the company discovered that it had itself been compromised by a new version of Duqu. Kaspersky linked the malware to the group behind the 2011 Duqu, whose code in turn overlaps with Stuxnet, but deliberately did not name a country. Attribution to Israel (commonly to Unit 8200) came from press reporting citing unnamed officials, not from Kaspersky's own analysis.

The Attack

Duqu 2.0 gained its foothold with a Windows kernel zero-day, a win32k.sys privilege-escalation bug patched by Microsoft in June 2015 as CVE-2015-2360. The implant had no persistence mechanism of its own: it ran entirely in memory, dropping no files and writing no registry keys, so a reboot wiped it from that host. The attackers compensated at the network level rather than on the host. A handful of machines with direct internet access ran a kernel-mode driver, signed with a stolen Foxconn certificate, that tunnelled traffic in and out; any rebooted host was simply re-infected from another compromised machine, with the payload packaged as a Windows Installer (MSI) file and launched remotely, typically through a scheduled task created over the network. The malware collected Kaspersky's internal research on active threat investigations, its methodologies, and its detection capabilities, giving the attackers insight into what Kaspersky could and could not detect. Kaspersky also found Duqu 2.0 on systems belonging to hotels in Austria and Switzerland used for the P5+1 Iran nuclear negotiations.

Response

Kaspersky published a full technical report in June 2015, naming the malware Duqu 2.0 and attributing it to the same nation-state-backed group behind the original Duqu; it did not name a country. The company said the attackers were chiefly interested in its technologies for detecting and investigating targeted attacks, including new techniques for bypassing security products, and stated that its products and customer data were not affected. Israel neither confirmed nor denied involvement. Kaspersky was commended for its transparency.

Outcome

Duqu 2.0's in-memory operation with no disk persistence made it very hard to detect with file-based antivirus alone. Kaspersky estimated the intrusion began in late 2014, several months before it was discovered. The presence of the same malware at the P5+1 venues pointed to intelligence gathering on the negotiations themselves.

Key Takeaways

  1. In-memory malware with no disk persistence defeats file scanning on its own; endpoint security must also inspect memory (executable regions not backed by an image on disk), collect behavioural telemetry, and watch for lateral re-infection of hosts that were "cleaned" by a reboot
  2. Security companies' internal research and detection capabilities are primary intelligence targets
  3. Even security experts with state-of-the-art tools can be compromised for months before detection
  4. Transparent disclosure of a breach, even an embarrassing one, builds credibility and advances the security community
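The memory-inspection check that takeaway 1 and the attack description call for, as an added example; this is not code from the page or from Kaspersky's report. It flags committed executable memory that no PE image on disk accounts for: private executable allocations (where injected or reflectively loaded code lives), executable sections with no backing file, and image code that has been made writable. The classification is a pure function over region records, exercised here on a constructed sample labelled as such; the live walker uses `VirtualQueryEx` and `GetMappedFileNameW` through ctypes and only runs on Windows. The names `Region`, `classify`, `scan`, and `enumerate_regions` are the example's own.

```python
"""Memory inspection for fileless code: flag committed executable regions that are
not backed by a PE image on disk. Classification is a pure function over Region
records so it can be tested on constructed data; enumerate_regions() walks a live
process with VirtualQueryEx/GetMappedFileNameW and is Windows-only."""
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Windows memory constants from winnt.h
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_NOACCESS, PAGE_READWRITE = 0x01, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int
    mapped_file: Optional[str]  # file backing the mapping as the OS reports it, None if anonymous


def classify(r: Region) -> Optional[str]:
    """Return why a region looks like code that never existed as a file, or None."""
    if r.state != MEM_COMMIT or not (r.protect & EXEC_MASK):
        return None  # not committed or not executable: nothing to inspect
    if r.type == MEM_PRIVATE:
        return "private executable memory (not backed by any file)"
    if r.type == MEM_MAPPED and not r.mapped_file:
        return "executable mapped section with no backing file"
    if r.type == MEM_IMAGE and r.protect == PAGE_EXECUTE_READWRITE:
        return "writable code inside a loaded image (patched or hollowed module)"
    return None  # ordinary image code: exactly what a file scanner already covers


def scan(regions: Iterable[Region]) -> List[Tuple[int, int, str]]:
    """Return (base, size, reason) for every region classify() flags."""
    hits = []
    for r in regions:
        reason = classify(r)
        if reason:
            hits.append((r.base, r.size, reason))
    return hits


def enumerate_regions(pid: int) -> Iterable[Region]:
    """Walk a live process's address space. Windows only; run elevated for
    processes you do not own."""
    import ctypes
    import ctypes.wintypes as wt

    class MBI(ctypes.Structure):  # MEMORY_BASIC_INFORMATION; natural alignment gives the x86 and x64 layouts
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = wt.HANDLE, [wt.DWORD, wt.BOOL, wt.DWORD]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, wt.LPCVOID, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.CloseHandle.argtypes = [wt.HANDLE]
    psapi.GetMappedFileNameW.restype = wt.DWORD
    psapi.GetMappedFileNameW.argtypes = [wt.HANDLE, wt.LPVOID, wt.LPWSTR, wt.DWORD]

    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        mbi, name_buf, addr = MBI(), ctypes.create_unicode_buffer(1024), 0
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            name = None
            if mbi.State == MEM_COMMIT and mbi.Type in (MEM_IMAGE, MEM_MAPPED):
                if psapi.GetMappedFileNameW(h, base, name_buf, len(name_buf)):
                    name = name_buf.value  # device path, e.g. \Device\HarddiskVolume3\...
            yield Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type, name)
            addr = base + mbi.RegionSize  # VirtualQueryEx fails past the end of user space, ending the loop
    finally:
        k32.CloseHandle(h)


SAMPLE_REGIONS = [  # constructed sample for illustration, not a capture from any real host
    Region(0x7FF6_0000_0000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"\Device\HarddiskVolume3\Windows\System32\ntdll.dll"),           # normal module code
    Region(0x0000_0200_0000, 0x20000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE, None),         # heap
    Region(0x0000_0240_0000, 0x5000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None),  # injected payload
    Region(0x0000_0260_0000, 0x8000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_MAPPED, None),        # pagefile-backed section
    Region(0x7FF6_1000_0000, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_IMAGE,
           r"\Device\HarddiskVolume3\Windows\System32\kernel32.dll"),        # .text made writable
    Region(0x0000_0300_0000, 0x10000, MEM_RESERVE, PAGE_NOACCESS, MEM_PRIVATE, None),         # reserved only
]

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        regions = list(enumerate_regions(int(sys.argv[1])))  # python scan.py <pid>
    else:
        regions = SAMPLE_REGIONS
    for base, size, reason in scan(regions):
        print(f"0x{base:016x} {size:#10x} {reason}")
```

Treat a hit as a trigger, not a verdict: JIT runtimes (.NET, JavaScript engines) legitimately hold private executable memory, so the next step is to dump the flagged region, check whether it carries a PE header or known unpacking artefacts, and compare it against the process's loaded-module list. Run across every process on the host (or from an EDR agent) rather than one PID at a time, since a reboot-cleared host that shows fresh private executable memory minutes later is exactly the re-infection pattern described above.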
Tags: Duqu 2.0, memory-only malware, antivirus compromise, Unit 8200, fileless malware