Kaspersky Lab investigates hacker attack on its own network

Kaspersky Lab has discovered an advanced attack on its own internal network and is sharing its investigation results. TL;DR – Customers are safe; neither products nor services have been compromised.

I’ve got some bad news and some good news.

The bad news

The bad news is that we discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploited several zero-day vulnerabilities, and we’re quite confident that there’s a nation state behind it. We’ve called it Duqu 2.0. Why Duqu 2.0 and what it has in common with the original Duqu? – See here.


The good news – pt. 1: We uncovered it

The first bit of good news is that we found something really big here. Indeed, the cost of developing and maintaining such a malicious framework is colossal. The thinking behind it is a generation ahead of anything we’d seen earlier – it uses a number of tricks that make it really difficult to detect and neutralize. It looks like the people behind Duqu 2.0 were fully confident it would be impossible to have their clandestine activity exposed; however, we did manage to detect it – with the alpha version of our Anti-APT solution, designed to tackle even the most sophisticated targeted attacks.

The good news – pt. 2: Our customers are safe

Most importantly, neither our products nor services have been compromised, so our customers face no risks whatsoever due to the breach.

The details

The attackers were interested in learning about our technologies, particularly our Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network, Anti-APT solution, and services. The bad guys also wanted to find out about our ongoing investigations and learn about our detection methods and analysis capabilities. Since we’re well known for successfully fighting sophisticated threats they sought this information to try stay under our radar. No chance.

Attacking us was hardly the smart move: they’ve now lost a very expensive technologically-advanced framework they’d been developing for years. Besides, they tried to spy on our technologies… which are accessible under licensing agreements (at least some of them)!

We’ve found that the group behind Duqu 2.0 also spied on several prominent targets, including participants in the international negotiations on Iran’s nuclear program and in the 70th anniversary event of the liberation of Auschwitz. Though the internal investigation is still underway we’re confident that the prevalence of this attack is much wider and has included more top ranking targets from various countries. I also think it’s highly likely that after we detected Duqu 2.0 the people behind the attack wiped their presence on the infected networks to prevent exposure.

Duqu 2.0 spied on hi-profile targets, incl. dignitaries at Iran nuclear talks and Auschwitz anniversary – but that’s just tip of the iceberg

We, in turn, will use this attack to improve our defensive technologies. New knowledge is always helpful, and better threat intelligence assists us in developing better protection. And of course, we’ve already added the detection of Duqu 2.0 to our products. So, in fact, there’s not really much bad news here at all.

As mentioned, our investigation is still underway; it will require a few more weeks to get the whole picture in all its detail. However, we’ve already verified that the source code of our products is intact. We can confirm that our malware databases have not been affected, and that the attackers had no access to our customers’ data.

You may ask at this point why we’ve disclosed this information, or whether we’re afraid it may damage our reputation.

Well, first, not disclosing – that would be like not reporting a car accident with casualties to the police because it may hurt your no-claims bonus. Besides, we know the anatomy of targeted attacks well enough to understand there’s nothing to be ashamed of in disclosing such an attack – they can happen to anyone. (Remember: there are two just types of companies – those that have been attacked and those that don’t know they’ve been attacked.) By disclosing the attack we (i) send a signal to the public and question the validity – and morality – of presumably a state-sponsored attacks against private business in general, and security companies in particular; and (ii) share our knowledge with other businesses to help them protect their assets. Even if it does hurt ‘reputation’ – I don’t care. Our mission is to save the world, and that admits no compromise.

Who’s behind the attack? What nation?

Let me say this again: we don’t attribute attacks. We’re security experts – the best – and we don’t want to dilute our core competence by getting into politics. At the same time, as a committed supporter of responsible disclosure we’ve filed statements with law enforcement agencies in several countries for them to start criminal investigations. We also reported the detected zero-day to Microsoft, which in turn recently patched it (don’t forget to install the Windows update).

I just want to let everybody do their job and see the world change for the better.

Wrapping up this announcement I’d like to share a very serious concern.

Governments attacking IT security companies is simply outrageous. We’re supposed to be on the same side as responsible nations, sharing the common goal of a safe and secure cyberworld. We share our knowledge to fight cybercrime and help investigations become more effective. There are many things we do together to make this cyberworld a better place. But now we see some members of this ‘community’ paying no respect to laws, professional ethics or common sense.

People living in glass houses shouldn’t throw stones.

To me, it’s another clear signal we need globally-accepted rules of the game to curb digital espionage and prevent cyberwarfare. If various murky groups – often government-linked – treat the Internet as a Wild West with no rules and run amok with impunity, it will put the sustainable global progress of information technologies at serious risk. So I’m once again calling on all responsible governments to come together and agree on such rules, and to fight against cybercrime and malware, not sponsor and promote it.