Cyber-spawn Duqu 2.0: Was Malware Infection ‘Patient Zero’ Mapped?

Kaspersky Lab reported this morning a next-generation version of Duqu malware infected the information security company’s network.

Duqu is a known reconnaissance malware. Its complexity suggests it was written by a nation-state. The malware appears closely affiliated with the cyber weapon malware Stuxnet.

WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.

Ars Technica reported in depth on Kaspersky’s discovery of the malware and its attributes. What’s really remarkable in this iteration is its residence in memory. It only exists as a copy on a drive at the first point of infection in a network, and can be wiped remotely to destroy evidence of its occupation.

The infosec firm killed the malware in their networked devices by mimicking a power outage. They detached from their network suspect devices believed to contain an infecting copy.

Kaspersky’s Patient Zero was a non-technical employee in Asia. Duqu 2.0 wiped traces of its own insertion from the PC’s drive.

Neither WSJ nor Ars Technica noted Kaspersky’s network must have been subject to a program like TREASUREMAP.

…Because the rest of the data remained intact on the PC and its security patches were fully up to date, researchers suspect the employee received a highly targeted spear phishing e-mail that led to a website containing a zero-day exploit. … (bold mine – source: Ars Technica)

How was a single non-technical point of contact in Asia identified as a target for an infected email?

Targeting did more than identify a non-technical person. Collection and analysis of users’ activities earmarked a singular useful tool.

Duqu’s team had to find the one person in an infosec company like Kaspersky who’d be careless or stupid enough to open a phishing email…

OR they had to know how to prepare an email so that it would appear safe on sight…

OR they inserted HUMINT in the one place screened as suitable for a plant and infection.

Duqu’s cousin Flame was a reconnaissance software, too. Perhaps it was dispatched earlier to gather info, wiped, then Duqu 2.0 followed.

But the possible pre-infection target mapping may remain unknown, if early reconnaissance malware also wiped itself in the same manner as Duqu 2.0.

Marcy’s post this morning shares an important concern related to Duqu 2.0’s implementation. Some entity mapped OPM, identifying all current and near-term former federal employees. Now this entity can identify which targets are best for Duqu 3.0.

Mapping could have been prevented several ways, had DHS, OPM, and Congress taken their roles and the nature of cyber warfare security seriously during the Bush administration. (Somewhere Richard Clarke is chuckling darkly over a hot cup of coffee this morning…)

The U.S. government collaborated on cyber weapon creation, without adequate consideration to long-term repercussions.

Other government agencies and the public know more now about this new threat because Kaspersky was open with its own exposure and with its findings. Risk reduction techniques can be improved because Kaspersky was willing to share this information.

Public exposure of cyber attacks also has a deterrent effect, as seen with Flame; the malware “suicided” after media reports.

Duqu’s current reconnaissance operations are scary enough. Imagine next not an inert Duqu, but a focused Stuxnet 3.0 launched on the private sector — likely beginning with suppliers linked to federal employees.

Imagine businesses and individuals unable to defend themselves because they could not request by FOIA government-held information about cyber attacks.

Should the public accept exposure to a next-gen Duqu 3.1 or 4.0 because Sen. Richard Burr insisted on greater opacity in undead CISA?

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.
17 replies
  1. Rayne says:

    Kaspersky researcher notes, “…the malware remains the same [as Duqu 1], so that means we’re talking about the same guys here. And from 2014, the activity times suggest the same time zones. So based on the activity of these guys in 2014, they appear to be at the same GMT+2 and GMT+3.”

    Countries in GMT +2 time zone:

    Botswana, Burkina Faso, Democratic Republic of Congo (part), Ethiopia, Lesotho, Libya, Malawi, Mozambique, Rwanda, South Africa, Swaziland, Zambia, Zimbabwe

    Countries in GMT +3 time zone:

    Bahrain, Comoros, Djibouti, Eritrea, Kuwait, Kenya, Madagascar, Republic of Moldova (Transnistria Region only), Qatar, Saudi Arabia, Somalia, Sudan, Tanzania, Uganda, Yemen

    Hmm. Oblique, but effective narrowing of identification. Still sloppy opsec, which we can only hope continues.

        • jo6pac says:

          That can’t be because their Amerikas friends right? The strange circle of who does what to others in if they’re so-called friends. Then again do I care if this totally sold out govt has friends. Not so much

      • orionATL says:

        israel would of course be the logical suspect, though djibouti is u.s. mil. with israel and saudi arabia making up in private, even communications from s.a. could be suspect.

        • Rayne says:

          I’ve had HORRIBLE computer problems all morning. Started about the time I dug back into research on Kaspersky’s infection. I did find this little nugget at Der Spiegel; note the tiny bit more they add about the time zone.

          …In den Programmzeilen der Vorgängerversion Duqu hatten die Kaspersky-Analysten 2011 einige Auffälligkeiten gefunden, die den Verdacht erhärten könnten. Demnach stammten die Autoren aus einem Land mit der passenden Zeitzone “GMT +2” und arbeiteten freitags auffallend weniger und samstags gar nicht – was zur israelischen Arbeitswoche passt, in der freitags die Sabbatruhe beginnt. …

          Bah-dum-bum.

          • orionATL says:

            “…In 2011, Kaspersky analysts found a few oddities in the program code for the previous version of Duqu, which confirmed the suspicions. These suggested that the code’s authors were from a country in the GMT + 2 time zone, and that they worked noticeably less on Fridays and not at all on Saturdays, which corresponds to the Israeli work week, in which the Sabbath begins on Friday… ”

            how do you like my translation?

            .
            .
            .
            .

            ok. ok. so i got it here :

            http://m.spiegel.de/international/world/a-1037960.html
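The time-zone and work-week reasoning in the thread above (activity times clustering in GMT+2/GMT+3, noticeably less work on Fridays and none on Saturdays) is something an analyst can reproduce over any set of event timestamps. The Python below is an added example; it is not from the post, from any commenter, or from Kaspersky. The timestamps are constructed to resemble a team working in GMT+2 on a Sunday-to-Thursday week, and all function names are my own.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample, NOT real Duqu telemetry: UTC timestamps of the kind an
# analyst pulls from PE compile headers or C2 server logs. They were built
# from a GMT+2 team working 09:00-17:00 Sunday to Thursday, a half day on
# Friday and nothing on Saturday (week of 2015-06-07, a Sunday).
SAMPLE_UTC = [
    "2015-06-07T07:05:00Z", "2015-06-07T09:30:00Z", "2015-06-07T14:45:00Z",  # Sun
    "2015-06-08T07:40:00Z", "2015-06-08T11:15:00Z", "2015-06-08T14:20:00Z",  # Mon
    "2015-06-09T08:00:00Z", "2015-06-09T12:50:00Z", "2015-06-09T14:55:00Z",  # Tue
    "2015-06-10T07:10:00Z", "2015-06-10T10:05:00Z", "2015-06-10T13:30:00Z",  # Wed
    "2015-06-11T07:55:00Z", "2015-06-11T09:45:00Z", "2015-06-11T14:10:00Z",  # Thu
    "2015-06-12T07:30:00Z", "2015-06-12T09:20:00Z",                          # Fri
]

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_utc(text):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(ts, offset_hours):
    """Shift a UTC datetime into a fixed UTC+offset zone."""
    return ts.astimezone(timezone(timedelta(hours=offset_hours)))


def workday_fit(timestamps, offset_hours, start_hour=9, end_hour=17):
    """Fraction of events whose local hour falls inside [start_hour, end_hour)."""
    local_hours = [to_local(t, offset_hours).hour for t in timestamps]
    hits = sum(start_hour <= h < end_hour for h in local_hours)
    return hits / len(local_hours)


def rank_offsets(timestamps, candidates=range(-12, 15)):
    """(offset, fit) pairs, best fit first; ties prefer the offset nearest UTC."""
    scored = [(off, workday_fit(timestamps, off)) for off in candidates]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))


def best_offset(timestamps):
    """UTC offset under which the most events land in a 9-to-5 workday."""
    return rank_offsets(timestamps)[0][0]


def weekday_counts(timestamps, offset_hours):
    """Events per local weekday, every weekday present (zero if no activity)."""
    counts = Counter(WEEKDAYS[to_local(t, offset_hours).weekday()] for t in timestamps)
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def quiet_days(timestamps, offset_hours, ratio=0.75):
    """Weekdays with activity below `ratio` of the busiest day: candidate rest days."""
    counts = weekday_counts(timestamps, offset_hours)
    peak = max(counts.values())
    return [day for day in WEEKDAYS if counts[day] < ratio * peak]


if __name__ == "__main__":
    events = [parse_utc(s) for s in SAMPLE_UTC]
    offset = best_offset(events)
    print("best-fitting offset: UTC%+d" % offset)
    for off, fit in rank_offsets(events)[:3]:
        print("  UTC%+d  workday fit %.2f" % (off, fit))
    print("events per local weekday:", weekday_counts(events, offset))
    print("quiet days:", quiet_days(events, offset))
```

Two caveats belong with this kind of analysis: compile timestamps and log times are trivially forged by an author who wants to mislead, and a fit this clean only appears because the sample is small and regular. In practice the hour-of-day and weekday histograms are one weak signal to be weighed alongside code reuse, infrastructure and language artifacts, which is exactly how the thread above treats the GMT+2 observation.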

  2. orionATL says:

    was kaspersky labs really using microsoft in their system? why in the world unless to bait?

    • P J Evans says:

      Office people, probably, with network connections. (Also, contrary to popular belief, not using windows will not protect you from this kind of stuff.)

    • Rayne says:

      I imagine they had WinPCs for a number of reasons, from testbeds to honeypots. In the case of the “non-technical Kaspersky employee,” there could have been other limitations based on applications in use, local laws, or just plain stupid (like using a personal WinPC at home to open work emails).

      • P J Evans says:

        The company I worked at had a portal so that we could get to our work email accounts from home. You couldn’t get to anything else without (a) a Citrix account with access permission and (b) a dongle. (Even at work, inside the corporate network, permissions were required to access stuff – some things were open to everyone, and others were extremely limited.)

        • Rayne says:

          Even using Citrix to access a corporate VPN combined w/dongle has at least two or more weaknesses.

          — If user accesses from a personal PC or networked work PC with USB port, keylogger malware infection can capture all keystrokes;

          — Dongle and PC are likely made to NIST standards, probably have backdoors due to subverted standards.

          While far more secure than the substantive majority of remote logins, it still has breach risks.

          • P J Evans says:

            They didn’t allow many people that kind of access. Most of those who worked from home had corporate laptops. I wasn’t in on that – it was mostly for managers. (The security software also didn’t stop people from opening virus-loaded emails.)
