Sqrrl Blog

Aug 11, 2015 8:00:00 AM

Cyber Incident Matrix: Kaspersky

Severity Score: 2
Complexity Score: 10
How did we get these numbers?

Incident Summary:

  • What was breached: Several internal R&D related Systems of Kaspersky Lab

  • Delivery: Unknown - Spring 2015

  • The Attackers: Unnamed Nation State


On June 10th, 2015, Russia-based security firm Kaspersky Lab announced that their systems had been infiltrated by a highly advanced, previously undiscovered form of malware known as Duqu 2.0, the next generation of the Duqu trojan, or the “cousin” of Stuxnet. According to Kaspersky Lab, they were not the only target of the attack: Duqu 2.0 was also deployed to spy on the 2014-2015 P5+1 talks (the new Iran nuclear talks) and on a conference commemorating the 70th anniversary of the liberation of Auschwitz-Birkenau.


Complexity Score:

  • Plan Time: 2
  • Indirect Attack: 1
  • Cyber/Human Coordinated: 1
  • Zero-Days Used: 2
  • Time Undetected: 2
  • TTPs Used: 2
  • Total: 10

Duqu 2.0 is, according to Kaspersky, an entire generation ahead of the rest of the APT world. The malware resides in a system’s RAM and avoids the hard drive, both to evade detection and to persist in a system even after memory wipes and reboots. In short, Duqu 2.0 manages to persist in a system without a persistence mechanism.

Duqu 2.0 used multiple zero-days and was able to spread across multiple computers through Microsoft Software Installer (MSI) packages. To avoid automated detection, the nation state behind Duqu 2.0 used security certificates that had been physically stolen from the Taiwanese manufacturer Foxconn. In a similar fashion to Stuxnet, the certificates were meant to authenticate Duqu 2.0 as “clean”, keeping the malware undetected even if the Microsoft zero-days were patched.

If you are interested in learning more about the specifics of Duqu 2.0, or want to ensure that your systems are not infected, the link will direct you to the Duqu 2.0 Indicators of Compromise (IOCs).

Severity Score:

  • Incident Costs: 0
  • Physical Damage: 0
  • Lives Lost: 0
  • Nat. Sec. Impact: 2
  • Total: 2

The Duqu 2.0 breach is a classic case of “could have been.” Had the attackers not attempted to steal from Kaspersky, a leader in cybersecurity research and development, it is likely they could have continued to spy on secret talks and export classified data for years.

Thankfully, Kaspersky Lab was able to isolate the malware, and Microsoft was able to patch the vulnerabilities even before Kaspersky announced that they had discovered the malware in their systems. The architects of Duqu 2.0, at least thus far, do not seem interested in commercial infiltration and exfiltration, leaving the breach with a relatively low Sqrrl “severity” score. With that said, Duqu 2.0 has been called the most sophisticated modern malware, and that should leave every security organization wary.
