Duqu 2 malware uncovered
Cybersecurity firm Kaspersky Lab said a new malware named Duqu 2.0 was used to target Iran nuclear talks venues

Detecting pieces of malware and powerful cyberweapons of all types is what cybersecurity companies do, therefore it is clear the creators of Duqu 2 were so confident that it would never be discovered they decided to attack one of the world's best-known cybersecurity companies directly.

Kaspersky Lab has revealed how it uncovered the Duqu 2 attack against its own network and believes it is "a generation ahead of anything we'd seen earlier" in terms of its thinking and the techniques it uses to remain undetectable.

So, what is Duqu 2, where did it come from and how was it detected?

An evolution of Duqu?

Duqu was a sophisticated piece of malware discovered in 2011 having been used in a number of intelligence-gathering attacks against a range of industrial targets. Duqu had a number of similarities to the infamous Stuxnet worm, leading many to believe it was also developed by the US and Israel.

Duqu was detected after being deployed in Hungary, Austria, Indonesia, the UK, Sudan and Iran, and there are clues that the cyberweapon was used to spy on the Iran nuclear programme and also to compromise certificate authorities to hijack digital certificates.

How was it discovered?

Stuxnet DuQu Flame Gauss
The state-sponsored family of malwareKaspersky

Duqu was discovered because it attacked the one group which could have possibly recognised it was under attack - Kaspersky Lab.

The Russian security company was testing a very early version of its Anti-APT solution - a piece of software designed to detect advanced state-sponsored cyberattacks such as Stuxnet, Gauss, Flame, Red October, The Mask... and of course Duqu.

Kaspersky said it detected the "exceptional attack" in early spring this year after the attackers had been inside their system for "a number of months" thanks to the "expertise of our researchers and our technologies".

How powerful is Duqu 2?

This is how Kaspersky Lab founder Eugene Kaspersky put it:

"We found something really big here. Indeed, the cost of developing and maintaining such a malicious framework is colossal. The thinking behind it is a generation ahead of anything we'd seen earlier – it uses a number of tricks that make it really difficult to detect and neutralise. It looks like the people behind Duqu 2.0 were fully confident it would be impossible to have their clandestine activity exposed."

Duqu 2 used multiple zero-day exploits and displayed some unique and earlier unseen features which left almost no trace.

Duqu 2 is unique in that there is very little persistence, as it exists almost entirely in the memory of an infected system, which means "the attackers are sure there is always a way for them to maintain an infection – even if the victim's machine is rebooted and the malware disappears from the memory" according to Kaspersky Labs.

Kaspersky has even said that the level of sophistication behind Duqu 2 surpasses even the Equation Group – revealed earlier in 2015 to be the NSA's " gods of cyberespionage".

What was Duqu 2 looking for?

By targeting Kaspersky Labs, the attackers were looking to - and succeeded - in accessing the company's intellectual property and proprietary technologies used for discovering and analysing APTs, and the data on current investigations into advanced targeted attacks.

The company said Duqu 2 was particularly interested in its product innovations, including Kaspersky Lab's Secure Operating System, Kaspersky Security Network, Kaspersky Fraud Prevention and the Anti-APT solutions which were ultimately used to detect it.

The security company is at pains, however, to point out that neither its products nor its services have been compromised, so customers are not at risk.

Who was it targeting?

Kaspersky Lab was just one of a range of specific targets which the threat actors behind Duqu 2 were looking to attack.

The security company has also uncovered a plot to use Duqu 2 to infect PCs in hotels being used for the high-profile nuclear talks between Iran and the P5+1 group of world powers over curtailing Tehran's nuclear program.

The Wall Street Journal reported in March 2015 that Israel had been behind the spying effort on the nuclear talks, though how they managed to monitor negotiations has only now been revealed.

Eugene Kaspersky Duqu 2
Eugene Kaspersky, believes there were many more victims of Duqu 2 than has been revealed. Mikko Hypponen/Twitter

Kaspersky Labs also discovered that Duqu 2 was used to launch a similar attack on an event to mark the 70th anniversary of the liberation of Auschwitz-Birkenau.

The highly stealthy malware would have gone completely undetected during these attacks while gathering a lot of highly sensitive information before uploading that data remotely to command-and-control servers.

Eugene Kaspersky believes "the prevalence of this attack is much wider and has included more top ranking targets from various countries".

However we are now unlikely to ever discover the extent of targets compromised by Duqu 2 as the operators of the cyberweapon are likely to have wiped its presence from infected networks once they knew Kaspersky Lab had detected its presence.

Who is behind Duqu 2?

Kaspersky Lab, as usual, does not go as far as pointing the finger at any one group, but it does say the people who created and maintained Duqu were state actors:

"Developing and operating such a professional malware campaign is extremely expensive and requires resources beyond those of everyday cybercriminals. The cost of developing and maintaining such a malicious framework is colossal: we estimate it to be around $50 million."

Duqu 2 shares a lot of the code base of the original Duqu, which leads Symantec to believe it has been created by the same group of attackers. Duqu, in turn, shares much of the code base of Stuxnet, widely believed to have been jointly developed by the US and Israel as part of the US government's covert operation Olympic Games.

Considering the US is unlikely to have spied on its own negotiations in Tehran, that increases the suspicion that Israel was involved in Duqu 2's creation.

Attribution in cyberattacks is notoriously difficult and at this level of sophistication is almost impossible and Israel will never admit to the use and/or creation of Duqu 2.

What has been the response to Duqu 2 attack?

Eugene Kaspersky is not very happy:

Governments attacking IT security companies is simply outrageous. We're supposed to be on the same side as responsible nations, sharing the common goal of a safe and secure cyberworld. We share our knowledge to fight cybercrime and help investigations become more effective. There are many things we do together to make this cyberworld a better place. But now we see some members of this 'community' paying no respect to laws, professional ethics or common sense.

The rest of the security industry will now be looking over its shoulder to see if it has been attacked, but one fellow cybersecurity expert has commended Kasperksy's transparency: