IT security company Kaspersky has revealed that its systems have been breached by what it has described as an extremely sophisticated and likely state-sponsored attack.
While attacks on governments and businesses are common, a successful attack on a security company is very rare. The attack used three previously unknown vulnerabilities - so-called zero-days - to penetrate its systems, and left very few traces. Eugene Kaspersky, the company's CEO, described the attack as "almost invisible" and said the software was so sophisticated it could have cost $10m, "maybe more", to build and support.
The malware spreads through the network via MSI (Microsoft Software Installer) files, which system administrators commonly use to deploy software on remote Windows computers. The attack left no files on disk and changed no system settings, making detection extremely difficult.
Kaspersky said the attack was carefully planned and carried out by the same group that was behind the 2011 Duqu attack. The security firm believes this is a nation-state sponsored campaign.
The hackers were apparently interested in the company's research into the most sophisticated types of security attacks, ignoring Kaspersky's sales, marketing and legal departments. The firm said there is no impact on the company's products, technologies and services.
But the antivirus company said other victims have been found in Western countries, as well as in the Middle East and Asia. It said some of the infections are linked to venues related to the negotiations with Iran about a nuclear deal and said: "The threat actor behind Duqu appears to have launched attacks at the venues where the high level talks took place."
According to The Wall Street Journal the malware was found on the networks of three hotels which had hosted nuclear talks. The paper said that current and former US security officials believe Duqu was created "to carry out Israel's most sensitive intelligence-collection operations".
The malware was discovered when Kaspersky tested a new antivirus product on its own network. All three flaws the attackers exploited have now been patched: the last remaining zero-day (CVE-2015-2360) was patched by Microsoft on 9 June (MS15-061) after it was reported by Kaspersky.