Kaspersky Hacked in a New Nation-State Attack

Kaspersky Hacked in a New Nation-State Attack

World famous Russian antivirus and internet security provider Kaspersky Lab got hacked on Wednesday in a new nation-state attack. The attack is being attributed to infamous Stuxnet and Duqu gang.

The lab itself has uncovered Duqu 2.0 – a highly sophisticated malware platform exploiting up to three zero-day vulnerabilities.

Eugene Kaspersky, the founder and CEO of the company, told media that the attack might have been as a result of a recon research by Duqu 2.0 hackers.

The company which was founded in 1997 is now carrying out strict measures to tackle the sophisticated cyberespionage actors.

According to many security experts, a new zero-day was used for effective kernel memory injection and stealth.

Here is the exact copy of the press release posted on SecureList:

Earlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of our internal systems.

Following this finding, we launched a large scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project – until now. Our technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the stepbrother of Stuxnet. We named this new malware and its associated platform “Duqu 2.0”.

Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.

From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.

At Kaspersky Lab, we strongly believe in transparency, which is why we are going public with this information. Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.

Duqu 2.0 – Indicators of Compromise (IOCs)


Action loaders:





To check your network for Duqu’s 2.0 presence, you can also use the open IOC file available here.

About The Author

Imran Ahmed Hunzai is a digital media consultant and co-founder of Islamabad-based digital agency Centangle Interactive . He covers stories from the Pakistani startup arena and interviews budding entrepreneurs in the region. You can follow him on Facebook, Twitter and Google+