Duqu 2.0: Electric Boogaloo

By Chad Hemenway on June 11, 2015

The way I see it, Hollywood is in trouble.

Psychological thrillers are happening within the computer code that make the things we see before our eyes.

Cyberespionage. Nuclear war. Nation-state attacks. Multiple nations involved. High stakes, high costs, highly confidential intelligence. Heroes, even having won the battle, giving a damn-that-was-a-good-one wink to adversaries.

You can’t make this stuff up!

When Russian cybersecurity firms are throwing out potential partial film taglines like “the most skilled, mysterious and powerful threat actors…in the world,” what hope does a script-writer have?

Need a catchy villain name? Try “Duqu.” Done.

***

If you have yet to hear, Kaspersky Labs recently admitted several of its internal systems were infected by malware as part of a “highly sophisticated attack”—from hackers thought to be dormant. Kaspersky in 2011 labeled the malware created by these advanced persistent threat aficionados “Duqu” (which Kaspersky later called the “stepbrother of Stuxnet”). And because they believe the group has resurfaced, the platform used in the latest intrusion is “Duqu 2.0.”

Kaspersky researchers don’t think the hackers ever thought it was even possible to discover the malware, which utilized three zero-day vulnerabilities (holes for which no plug existed before discovery). While the antivirus maker assured clients and partners they were safe and there was no damage to Kaspersky’s products or services, the company acknowledged the attack “included some unique and earlier unseen features and almost didn’t leave traces.”

“The philosophy and way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT world,” Kaspersky said in a statement.

I’ll spare you the technical details of how this malware took hold of systems. I don’t understand it anyway. But the real story—other than the lesson that hackers can still successfully make camp inside the networks of one of the most advanced and widely employed cybersecurity firms—lies within other information Kaspersky and cybersecurity firm Symantec learned. Duqu 2.0 was used in attacks all over the world.

“Among the organizations targeted were a European telecoms operator, a North African telecoms operator, and a South East Asian electronic equipment manufacturer. Infections were also found on computers located in the US, UK, Sweden, India, and Hong Kong,” Symantec said of the “information-stealing tool.”

Additionally, Kaspersky believes Duqu 2.0 was used to hit countries involved in international negotiations, called the P5+1 talks, with Iran about its nuclear program. The P5+1 includes the US, UK, Germany, France, Russia, and China, facilitated by the European Union. According to reports, Duqu 2.0 was the fly on the wall during these meetings. I encourage you to read some of the conjecture.

Here is another gem: Kaspersky thinks Duqu 2.0 is a nation-state sponsored campaign. This malware was not inexpensive and it took some serious commitment to maintain and stay hidden. The company said there “is no doubt that this attack had a much wider geographical reach and many more targets. Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geo-political interests.”

So…who wants to talk about cyber aggregation?

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].