Israel thought to be behind new malware found by Kaspersky

Der Spiegel reports: For the employees of the Russian firm Kaspersky Lab, tracking down computer viruses, worms and Trojans and rendering them harmless is all in a day’s work. But they recently discovered a particularly sophisticated cyber attack on several of the company’s own networks. The infection had gone undetected for months.

Company officials believe the attack began when a Kaspersky employee in one of the company’s offices in the Asia-Pacific region was sent a targeted, seemingly innocuous email with malware hidden in the attachment, which then became lodged in the firm’s systems and expanded from there. The malware was apparently only discovered during internal security tests “this spring.”

The attack on Kaspersky Lab shows “how quickly the arms race with cyber weapons is escalating,” states a 45-page report on the incident by the company, which was made available to SPIEGEL in advance of its release. The exact reason for the attack is “not yet clear” to Kaspersky analysts, but the intruders were apparently interested mainly in subjects like future technologies, secure operating systems and the latest Kaspersky studies on so-called “advanced persistent threats,” or APTs. The Kaspersky employees also classified the spy software used against the company as an APT.

Analysts at Kaspersky’s Moscow headquarters had already been familiar with important features of the malware that was being used against them. They believe it is a modernized and redeveloped version of the Duqu cyber weapon, which made international headlines in 2011. The cyber weapons system that has now been discovered has a modular structure and seems to build on the earlier Duqu platform.

In fact, says Vitaly Kamluk, Kaspersky’s principal security researcher and a key member of the team that analyzed the new virus, some of the software passages and methods are “very similar or almost identical” to Duqu. The company is now referring to the electronic intruder as “Duqu 2.0.” “We have concluded that it is the same attacker,” says Kamluk. [Continue reading…]