Complexity Score: 10
How did we get these numbers?
What was breached: Several internal R&D related Systems of Kaspersky Lab
Delivery: Unknown - Spring 2015
The Attackers: Unnamed Nation State
On June 10th, 2015, Russia-based security firm Kaspersky Lab announced that its systems had been infiltrated by a highly advanced, previously undiscovered piece of malware known as Duqu 2.0, the next generation of the Duqu trojan and a “cousin” of Stuxnet. According to Kaspersky Lab, it was not the only target: Duqu 2.0 was also deployed to spy on the 2014-2015 P5+1 talks on Iran's nuclear program and on a conference commemorating the 70th anniversary of the liberation of Auschwitz-Birkenau.
Complexity score factors: Plan Time | Indirect Attack | Cyber/Human Coordinated | Zero-Days Used | Time Undetected | TTPs Used | Total
Duqu 2.0 is, according to Kaspersky, an entire generation ahead of the rest of the APT world. The malware resides in a system’s RAM and avoids touching the hard drive, both to evade detection and to remain in the environment even after memory wipes and reboots. In short, Duqu 2.0 manages to persist in a system… without a persistence mechanism.
Duqu 2.0 used multiple zero-days and was able to spread across multiple computers through Microsoft Software Installer. To avoid automated detection, the nation state behind Duqu 2.0 signed the malware with code-signing certificates that had been physically stolen from the Taiwanese manufacturer Foxconn. As with Stuxnet, the certificates were meant to make Duqu 2.0 appear “clean”, keeping the malware undetected even after the Microsoft zero-days were patched.
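The defensive lesson in the stolen-certificate detail is that a cryptographically valid Authenticode signature only proves possession of a signing key, not that the file is benign. The PowerShell below is an added example, not code from Kaspersky Lab or from the original write-up: it walks a directory of executables and installers, and flags anything that is unsigned, signed with a certificate on a block-list of known-abused thumbprints, or validly signed by a publisher that is not on an explicit allow-list. The directory path, the allowed publisher subjects and the block-listed thumbprint are all placeholder assumptions for the example.

```powershell
# Added example (not Kaspersky Lab's or the original article's code).
# Review Authenticode signatures and treat "signed" as a hint, not a trust decision.

param(
    [string]$Path = "C:\ProgramData\Staging"   # hypothetical directory to review
)

# Publishers we expect to see in this directory (subject substrings).
# Assumption for the example; tailor to your own software estate.
$AllowedSubjects = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Corporation'
)

# Placeholder thumbprint standing in for certificates known to be stolen or revoked.
$BlockedThumbprints = @(
    '0000000000000000000000000000000000000000'
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.msi, *.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '' }
        $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

        # Order matters: an invalid chain is reported first, then a block-listed
        # certificate, then a valid signature from a publisher we did not expect.
        $verdict =
            if ($sig.Status -ne 'Valid')                  { 'UNSIGNED_OR_INVALID' }
            elseif ($BlockedThumbprints -contains $thumb) { 'BLOCKED_CERT' }
            elseif (-not ($AllowedSubjects | Where-Object { $subject -like "*$_*" })) { 'VALID_BUT_UNEXPECTED_SIGNER' }
            else                                          { 'OK' }

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = $subject
            Thumbprint = $thumb
            Verdict    = $verdict
        }
    } |
    Where-Object { $_.Verdict -ne 'OK' } |
    Format-Table -AutoSize
```

The `VALID_BUT_UNEXPECTED_SIGNER` verdict is the one that matters for the Duqu 2.0 pattern: a file signed with a genuine but misappropriated certificate passes the `Status` check, so only an allow-list of expected publishers (or a block-list fed from revocation data) surfaces it for review.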
Kaspersky Lab has published Duqu 2.0 Indicators of Compromise (IOCs) for anyone who wants the technical specifics or needs to check that their own systems are not infected.
Severity score factors: Incident Costs | Physical Damage | Lives Lost | Nat. Sec. Impact | Total
The Duqu 2.0 breach is a classic case of “could have been.” Had the attackers not attempted to steal from Kaspersky, a leader in cybersecurity research and development, it is likely they could have continued to spy on secret talks and export classified data for years.
Thankfully, Kaspersky Lab was able to isolate the malware, and Microsoft patched the vulnerabilities even before Kaspersky announced that it had discovered the malware in its systems. The architects of Duqu 2.0, at least thus far, do not seem interested in commercial infiltration and exfiltration, which leaves the breach with a relatively low Sqrrl “severity” score. With that said, Duqu 2.0 has been called the most sophisticated modern malware, and that should leave every security organization wary.