Duqu 2.0: ‘Almost Invisible’ Cyber Espionage Tool Targeted Russian Co., Linked to Iran Nuclear Talks

Cyber security firms say new spy tool linked to other next-gen worms.

ByABC News
June 10, 2015, 11:29 AM
A hacker types on a laptop in this stock image.
A hacker types on a laptop in this stock image.
Benjamin Howell/Getty Images

— -- A Russian cyber security firm says it has discovered a highly-sophisticated, “almost invisible” cyber espionage tool that targeted the company’s own servers, as well as systems around the world, including some linked to the controversial Iranian nuclear negotiations.

The Moscow-based firm Kaspersky Labs announced today the discovery of the worm, dubbed Duqu 2.0, which the company said it found this spring after the worm had been slinking through its system for “months.”

“The attack was very complicated, very smart… [But] come on, it’s stupid to attack a cyber-security company,” Kaspersky founder and CEO Eugene Kaspersky told reporters in London. “Sooner or later, we’ll find it anyway.”

When the company sought out other victims of the sneaky attack, Kaspersky said on its website that it found some of the “infections are linked to the P5+1 events and venues related to negotiations with Iran about a nuclear deal.”

Eugene Kaspersky declined to elaborate further, beyond saying some affiliated “businesses and events” were affected by the attack and that it “doesn’t smell good.”

The Wall Street Journal, which first reported on Duqu 2.0 today, said computers at three luxury European hotels where negotiations had been held were among the worm’s victims.

Eugene Kaspersky said the company cannot say for certain who is behind the attack, but he believes that due to its sophistication and technical links to previous next-generation computer worms, a nation-state is the likely culprit.

The worm was named Duqu 2.0 because Kaspersky said it appeared to be an upgraded version of the Duqu worm, another highly-sophisticated espionage tool discovered in 2011.

“We can’t prove attribution because they’re going through proxy servers,” Kaspersky said of Duqu 2.0. “There are technical attributions we can read from the code. This attack is a relative, it’s a new generation of the Duqu attack, most probably made by the same people, or they shared the source code with others.”

A major American cyber security firm, Symantec, agreed that Duqu 2.0 “is an evolution of the original threat, created by the same group of attackers.”

Symantec also reported Duqu 2.0 appears to have targeted European and North African telecom operators and a South East Asian electronic equipment manufacturer. Symantec had reported in 2012 that the Duqu threat had not abated and that a new version of the worm had been discovered then.

By sharing code with Duqu, Duqu 2.0 is also directly linked to Stuxnet, a revolutionary cyber-weapon that was believed to have physically damaged an Iranian nuclear facility and that was suspected of being the product of a joint U.S.-Israeli top secret operation.

When the original Duqu was discovered in 2011, Symantec reported it “shares a great deal of code with Stuxnet” and the same suspicions were raise about whether the attackers were the same or if source code had been shared.

In its report today, the Wall Street Journal said Duqu 2.0 was “widely believed to be used by Israeli spies.”

But the Duqu 2.0 code also included a number of what Kaspersky Labs called “false flag” clues as to who was behind it. One was a mention in the code of a nickname for a Chinese military officer who was one of five indicted by the U.S. in an unprecedented move by the Department of Justice against Chinese cyber espionage. Another pointed to a prolific Romanian hacker, Kaspersky reported.

“Nevertheless, such false flags are relatively easy to spot, especially when the attacker is extremely careful not to make any other mistakes,” Kaspersky wrote.

Contact the author at lee.h.ferran@abc.com.