When security firm Kaspersky Lab announced in June that a sophisticated attacker had infiltrated its network and stolen research data, the apparent act of espionage became the latest incident to target a company whose products protect many other firms.
The attack, which also targeted nations and organizations involved in nuclear talks with Iran, used at least three zero-day attacks, incorporated fake breadcrumbs designed to implicate Chinese or Eastern European attackers, and had sophisticated technical capabilities.
Many parts of the code resembled the Duqu espionage platform, an attack tool discovered in 2011 and linked to U.S. and Israeli intelligence agencies. Kaspersky Lab dubbed the attack Duqu 2.0, and implicated Israel in the attack.
While the attack appears exceptional, the targeting of security firms will only become more commonplace as groups seeking information increasingly need to bypass security measures, Antti Tikkanen, director of technology strategy and research for Finnish security-software company F-Secure Corp., told eWEEK.
“This makes the conflict between intelligence agencies and security companies very concrete,” Tikkanen said. “We (security firms) are all targets, and often targets of high priority, and we should not be surprised.”
In 2011, security giant RSA suffered a major breach, with attackers gaining access to a database of critical seed data used by the company to generate the pseudo-random codes that many companies and government agencies use to enhance security.
A year later, attackers infiltrated security firm Bit9, which creates security devices to keep out unknown code, and stole a digital certificate that could allow malware to sneak past its customers’ defenses.
While private companies have often been targeted by nations, the latest attacks underscore that security firms have become objectives in a global intelligence war, because they are front-line soldiers protecting customers against nation-states and other perpetrators of economic espionage. They hold the keys to their customers’ defenses, and that means security firms will always be an interesting target to government intelligence agencies.
Such attacks, however, pose a worrisome trend, according to Eugene Kaspersky, CEO of Kaspersky Lab.
“Spying on cyber-security companies is a very dangerous tendency,” he said in a statement released on June 10. “Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised.”
Kaspersky warned that such attacks only blaze a trail for less savvy attackers to follow. Cyber-criminals and hacktivists already have used methods demonstrated by Stuxnet, Flame and Duqu in subsequent attacks. “Sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cyber-criminals, and that is an extremely serious and possible scenario,” Kaspersky said.
Although security companies strive to create technology to keep attackers out of their customers’ networks, the industry as a whole has realized that prevention is only a small part of the overall security equation. Companies should expect to be breached and that goes doubly so for security firms.
Kaspersky Hack Reveals Conflict Between Spy Agencies, Security Firms
Certainly the defense-oriented companies understand attackers’ strategies and techniques, but they are not immune to compromise, F-Secure’s Tikkanen said.
“With targeted attacks, there’s always someone with a big enough budget and enough resources to make them a very scary adversary for anyone, including us,” he said.
Kaspersky’s rivals have different views about the sophistication of the latest attack. To F-Secure, the attack was “advanced, but nothing groundbreaking,” while Symantec called the attack “fairly unprecedented.”
When dealing with nation-state attacks, which can be so sophisticated that they escape initial detection, companies need to focus on spotting the telltale signs of compromise. A variety of anomalies should appear within networks under attack, which should tip off a victim that an attacker is in their network, Rob Sadowski, director of technology solutions for RSA, told eWEEK.
“Organizations are being attacked every day, and they are being compromised every day,” he said. “The absolutely most important capability that companies need today is the capability to detect and respond to these attacks, so that the attacker does not get out with the information.”
The trend of governments attacking private companies will continue, he said. Moreover, it is not just about security firms, but any company that has sensitive technology information that can be used in an attack.
“If you have something of value, especially to some of these more advanced actors who use cyber-attacks to accomplish their objectives, you need to recognize that,” Sadowski said.
Case in point: the component of Duqu 2.0 that kept it from being deleted, its persistence module, carried a valid digital signature made with a certificate stolen from another company, Hon Hai Precision Industry Co. Ltd., also known as Foxconn Technology Group.
The company manufactures mobile devices and electronic components for Acer, Apple, Dell, Google, HP, Huawei, Microsoft, Sony and other major companies. By stealing a valid digital certificate from a well-known company, the attackers greatly increased the chances that they would be able to plant spy programs onto their targets’ systems without notice.
“Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick for the Duqu attackers,” Kaspersky Lab’s researchers wrote in their analysis of the persistence module. “We have no confirmation that any of these vendors have been compromised, but our indicators definitely show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron.”
Kaspersky Lab also stressed that the battle between government intelligence groups and security firms is not just about business. Governments will continue to seek out ways to bypass security technology to monitor citizens individually and on a mass scale.
“We would like to stress the need for security companies to work together as a community and fight for user privacy, the right to privacy on the Internet, thwart mass surveillance and make the world a safer place,” the company stated.