The group behind the Duqu cyberespionage tool has compromised at least two telecommunications operators and one electronic equipment manufacturer, in addition to a cybersecurity firm and venues that hosted high-level nuclear negotiations between world powers and Iran.
On Wednesday, Moscow-based antivirus firm Kaspersky Lab, which has been deeply involved in exposing sophisticated cyberespionage campaigns over the past few years, revealed that it too fell victim to such an attack.
The company discovered in early spring that several of its internal systems were infected with a new version of Duqu, a sophisticated malware platform believed to be related to the Stuxnet worm used to sabotage Iran’s nuclear enrichment centrifuges at Natanz.
Kaspersky reported that in addition to its own systems, it identified computers infected with Duqu 2.0 at hotels that hosted talks over the past year between the U.S., Germany, France, Russia, the U.K., China and Iran over the latter’s nuclear program. The company also identified infections at a location associated with the 70th anniversary of the liberation of the Auschwitz concentration camp, which was commemorated on Jan. 27.
Now security firm Symantec has done its own analysis of Duqu 2.0, which unlike the first version, lives only in the memory of infected computers, without writing any files on disk. This makes it much harder for security products to to detect.
Symantec scanned its own global network and found Duqu 2.0 infections in the U.S., U.K., Sweden, India and Hong Kong, as well as on the systems of a European network operator, a North African network operator and an electronic equipment manufacturer from South East Asia. It didn’t name the affected companies.
“Some organizations may not be the ultimate targets of the group’s operations, but rather stepping stones towards the final target,” the Symantec researchers said in a blog post. “The group’s interest in telecoms operators could be related to attempts to monitor communications by individuals using their networks.”
The group behind Duqu is known for compromising “utilitarian targets.” These are companies like Kaspersky Lab or the network operators, whose information and assets might help the group improve its attack capabilities and achieve its final goals.
For example, in 2011 the Duqu group infected a certificate authority in Hungary with the first version of the malware tool. The goal was probably to obtain valid digital certificates that could be used to sign their malware samples.
The Kaspersky Lab researchers believe that a nation state is behind Duqu due to the sophistication of the malware platform and the techniques employed by its creators, including the use of multiple zero-day exploits—exploits for previously unknown vulnerabilities in Windows and other software products.
The Wall Street Journal reported Wednesday that unnamed former U.S. government officials believe Israel is behind Duqu. This would explain the group’s interest in the Iranian nuclear negotiations, which Israel opposes, and the platform’s similarity to Stuxnet, which is believed to have been a joint U.S.-Israeli project.
Duqu is not the first cyberespionage malware threat that was used to target telecom operators. The Equation group, which some people believe is the U.S. National Security Agency, has also compromised such companies, and so did Volatile Cedar, a cyberespionage group that security firm Check Point Software Technologies believes operates from Lebanon.