Last year, suspecting that some of their clients had been hacked by an Israeli spy virus, Kaspersky Lab ZAO researchers checked their 270,000 corporate clients worldwide, including energy corporations, thousands of hotels and banks, to see who else had been hit by the same virus, the Wall Street Journal reported Wednesday.
They found infections on fewer than 100 of their clients in Western Europe, Asia and the Middle East, and none of Kaspersky’s clients in the U.S. were infected.
Among those few infected clients, they discovered that computers at three luxury European hotels had been hit. Eventually, the researchers worked out that these hotels had been attacked just before the Iranian negotiating teams and the world powers arrived to discuss Iran’s nuclear program and the lifting of economic sanctions.
The spyware was a variant of Duqu, which Kaspersky is convinced is Israel’s most powerful intelligence-gathering program.
The new virus could not be connected to Israel in a way that would satisfy a judge, but it borrowed so much from Duqu that Kaspersky noted it “could not have been created by anyone without access to the original Duqu source code.”
Kaspersky will not point fingers directly at Israel as the country responsible for the spyware. But the company’s report is titled “The Duqu Bet,” as in Aleph-Bet, Bet being the second letter of the Hebrew alphabet.
According to the Wall Street Journal, in 2014, U.S. officials accused Israel of spying on the nuclear talks.
Some of the updated virus’s stealth capabilities were unlike anything Kaspersky researchers had ever seen, Ars Technica reports. Strangely enough, among the roughly 100 victims of the virus were computers involved in commemorating the 70th anniversary of the liberation of Auschwitz. A bit of misdirection.
And those anonymous developers with a strange sense of humor planted false flags in the malware, creating the appearance that its origins were in Eastern Europe or China.
The Kaspersky people figured out that this virus was an updated version of Duqu, which was discovered in 2011 and was based on Stuxnet, which in 2010 had delayed the Iranian nuclear program for a few years, in part by destroying its centrifuges.
Israeli officials have made it clear they don’t spy on their allies, but admit they’re watching Iran and Iranians. They had no comment on the Duqu virus.
According to the Kaspersky report, the virus jumped from system to system, slowly attacking an increasing number of computers. When it decided a machine was not useful for its purposes, it erased itself, save for leaving a back door so the machine could be reinfected if needed.
“The Equation Group always used some form of ‘persistence,’ accepting a bigger risk of being discovered. The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in the memory of infected systems, without need for persistence – it means the attackers are sure there is always a way for them to maintain an infection – even if the victim’s machine is rebooted and the malware disappears from the memory,” Kaspersky’s report said.
“That approach is much more sophisticated. It also demonstrates a different mentality: the Duqu 2.0 threat actor was confident enough to create and manage an entire cyber-espionage operation just in memory – one that could survive within an entire network of compromised computers without relying on any persistence mechanism at all.”
Israeli genius.