Alwaght - Last week, the Moscow-based Kaspersky broke the news of a cyber-attack against venues of the nuclear talks between Iran and the P5+1. Costin Raiu, director of Kaspersky's Global Research & Analysis Team, in an interview with Iran's semi-official Fars News Agency reiterated that there is a risk of similar cyber-attacks in the future.
The following is the full text of the interview; however, the final part of the interview concerning the technical details on how to prevent similar attacks in the future has not been included.
Question: First, could you please tell us about the attack and the Duqu infections? What can the malware do?
Answer: Duqu is a complex malware. Earlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems. Its main objective is to penetrate the system and facilitate the cyberespionage of personal information. In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other currently patched vulnerabilities, which were zero-days at that time. No interference with processes or systems was detected. Once the attackers gained domain administrator privileges, they could use these permissions to infect other computers in the domain.
To infect other computers in the domain, the attackers use a few different strategies. In most of the attacks we monitored, they prepare Microsoft Windows Installer Packages (MSI) and then deploy them remotely to other machines. This cyber-attack does not leave any file or trace and does not modify any settings, which makes it very difficult to detect. The experience and thinking behind 'Duqu 2.0' are a generation beyond what is already found in the world of advanced cyber threats.
Researchers found that a driver used in the attack had a digital signature from Foxconn (a company that produces digital certificates for most major tech companies, including BlackBerry, Apple, Dell, Sony, etc.). The use of digital certificates could allow attackers to insert malicious software on victims' machines without security barriers, as the system recognizes the software as safe, reliable and secure.
Question: How did you find that the hotels hosting the nuclear negotiations have been attacked? Could you identify which hotels, cities or countries were attacked?
Answer: Kaspersky has a lot of experience in the detection and investigation of sophisticated cyber-attacks. Kaspersky first detected a cyber intrusion in its internal systems. As the company's researchers set off to investigate the cyber-attack, they found out that the same virus had been used to infiltrate a series of other targets in the West and West Asia, including, most notably, hotels where the Iranian delegates met with the P5+1 group. However, as the investigation continues, we normally do not disclose the identity of the countries and the victims.
Question: Could you tell us when the attacks were launched and when they were detected? Were the victim countries aware of the attacks?
Answer: In early spring 2015, Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems. We cannot disclose the date of attacks, because it may harm an ongoing investigation on the incident. Currently, we are collaborating with several police services and relevant teams from the victim countries and also some international organizations related to cyber security. Most victims have already been identified and we have informed them.
Question: It is said the malware is linked to intelligence agencies, particularly the Israeli intelligence service, Mossad. Is there any evidence to support the claim?
Answer: As always, attributing internet cyber-attacks (specifying the origin of the attack) is difficult. In the case of 'Duqu', the attackers have used several proxies and various jump points to conceal their links. This has made the attacks very difficult to detect.
However, we are quite confident that Duqu 2.0 is an updated version of the malware known as 'Duqu' that was active in 2011. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project.
Meanwhile, the attackers will always leave a trace. During our analysis in 2011, we noticed that the logs collected from some of the proxies indicated the attackers appeared to work less on Fridays and didn’t appear to work at all on Saturdays, with their regular work week starting on Sunday. They also compiled binaries on January 1st, indicating it was probably a normal workday for them. The compilation timestamps in the binaries seemed to suggest a time zone of GMT+2 or GMT+3. Finally, their attacks would normally occur on Wednesdays, which was the reason we originally referred to them as the “Wednesday Gang”. This timing mostly applied to Duqu 2.0 as well.
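The working-week analysis Raiu describes, as an added example that is not part of the interview or of Kaspersky's own tooling: it shifts constructed UTC compile timestamps through every candidate UTC offset and keeps the offsets that place the most builds inside assumed office hours (08:00 to 18:59) on non-Saturday days, then prints the weekday profile at that offset. The hour window, the weekend definition and the sample timestamps are all assumptions.

```python
"""Infer a developer's likely time zone and working week from build timestamps.

Added example, not code from the article or from Kaspersky. PE compile
timestamps are stored in UTC, so trying each candidate offset and checking
which one makes the builds land in office hours on working days narrows
down the time zone, as the interview describes for Duqu.
"""
import datetime as dt
from collections import Counter

# Constructed compile timestamps (UTC), not real Duqu 2.0 data.
SAMPLE_TIMESTAMPS = [
    "2015-01-01T06:15:00Z",  # January 1st, a holiday in many countries
    "2015-01-04T08:40:00Z",  # a Sunday
    "2015-01-05T10:05:00Z",
    "2015-01-06T12:30:00Z",
    "2015-01-07T14:20:00Z",
    "2015-01-07T15:50:00Z",
    "2015-01-08T07:10:00Z",
    "2015-01-11T13:45:00Z",  # another Sunday
    "2015-01-14T06:30:00Z",
    "2015-01-15T11:00:00Z",
]

WORK_HOURS = range(8, 19)  # assumed local office hours, 08:00-18:59
WEEKEND = {"Saturday"}     # assumed: only Saturday is always a day off
DAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday",
             "Friday", "Saturday", "Sunday"]

def to_local(stamp: str, offset_hours: int) -> dt.datetime:
    """Parse an ISO-8601 UTC stamp and shift it to a fixed UTC offset."""
    utc = dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
    return utc.astimezone(dt.timezone(dt.timedelta(hours=offset_hours)))

def plausibility(stamps, offset_hours: int) -> int:
    """Count stamps that fall in office hours on a non-weekend day at this offset."""
    return sum(1 for s in stamps
               if (loc := to_local(s, offset_hours)).hour in WORK_HOURS
               and DAY_NAMES[loc.weekday()] not in WEEKEND)

def best_offsets(stamps) -> list:
    """Return every UTC offset (hours) that explains the most timestamps."""
    scores = {off: plausibility(stamps, off) for off in range(-12, 15)}
    top = max(scores.values())
    return sorted(off for off, score in scores.items() if score == top)

def weekday_histogram(stamps, offset_hours: int) -> dict:
    """How many builds happened on each local weekday at the given offset."""
    counts = Counter(DAY_NAMES[to_local(s, offset_hours).weekday()] for s in stamps)
    return {day: counts.get(day, 0) for day in DAY_NAMES}

if __name__ == "__main__":
    offsets = best_offsets(SAMPLE_TIMESTAMPS)
    print("Candidate time zones:", ", ".join(f"GMT{o:+d}" for o in offsets))
    print(f"Weekday profile at GMT{offsets[0]:+d}:", weekday_histogram(SAMPLE_TIMESTAMPS, offsets[0]))
```

With the constructed data the method cannot separate GMT+2 from GMT+3, which is exactly the ambiguity the interview reports; the weekday profile shows a Sunday-to-Thursday week with no Friday or Saturday builds.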
Question: Is there any similarity between Duqu 2.0 and Stuxnet?
Answer: While it seems that Stuxnet was the product of several groups, Duqu has been a project for cyberespionage, and it was probably developed by the same group that made the 'Flame', 'Gauss' and 'MiniFlame' viruses.
One of the groups that were involved in the development of Stuxnet was a group called 'Equation Group'. The group has produced several viruses including 'EquationDrug', 'DoubleFantasy', 'Fanny' and 'GrayFish'.
These two groups worked together in the past, but it seems they are now separated, as one of the victims of Duqu 2.0 was simultaneously attacked by Equation Group; this implies that these two groups are separate and compete to obtain information from their victims.
Question: Is there any way to know what information was stolen?
Answer: The attackers showed a high interest in Kaspersky Lab’s current investigations into advanced targeted attacks; their main goal was to access the intellectual property and related technologies for the identification and analysis of cyber threats. The information stolen by the attackers is in no way critical to the operation of the company’s products. The legal authorities are investigating the case to find what information was stolen from other victims.
Question: Was the attack limited to computers? Have cell phones been targeted?
Answer: The threat had targeted the devices whose operating systems were Microsoft Windows (32-bit and 64-bit). No attacks were reported for cell phones or devices based on the Mac or UNIX operating systems.