Foxconn, a Taiwanese company that makes some of the world's most instantly recognisable consumer electronics, has been dragged into a highly sophisticated state-sponsored cyberattack against the world's best known cybersecurity company.
Foxconn manufactures products for Apple, Samsung, Sony and Microsoft, among others, including the iPhone, Amazon Kindle and PlayStation 4.
It was a surprise, therefore, that a digital certificate signed by Foxconn's parent company, Kon Hai Precision Industries, was found on the systems of Russian security company Kaspersky Lab, which has been targeted by the highly sophisticated malware known as Duqu 2.0.
Digital certificates are the 'passports' of the software world, with operating systems and web browsers recognising them as authentication that the software being used is verified and safe.
The digital certificate used to sign a driver in the attack against Kaspersky Lab was signed by Hon Hai Precision Industry on 19 February 2015, but was subsequently stolen by the hackers behind the Duqu 2.0 attack, who many believe to be Israeli.
The reason for using this particular certificate is unknown, but it could be an attempt by the hackers to trick those investigating the attack into thinking it was coming from Asia, particularly China.
Echoes of Stuxnet
Duqu 2.0 was uncovered by Kaspersky Lab after a researcher noticed suspicious activity on their network while testing a new security tool designed to detect just this type of attack.
Duqu 2.0 has been described by the company's founder Eugene Kaspersky as a "generation ahead" in terms of thinking than anything he has seen before and the creators of the malware tool are said to be more advanced than the Equation Group – seen as the NSA's elite hackers.
The use of digitally signed malware is something that the researchers at Kaspersky Labs have seen previously with Stuxnet and the original Duqu attacks in 2011. In both cases the attackers used signed certificates from companies based in Taiwan.
Kim Zetter at Wired has even discovered that three of the digital certificates used in these attacks come from companies with offices located in the same business park – Hsinchu Science and Industrial Park in Hsinchu City, Taiwan – while the digital certificate used in the original Duqu attack came from C-Media Electronics, a maker of digital audio circuits located in Taipei.
The use of separate digital certificates in these attacks rather than reusing them is "extremely alarming" according to Kaspersky Lab researcher Costin Raiu.
"It's interesting that the Duqu attackers are also careful enough not to use same digital certificate twice. This is something we have seen with Duqu from both 2011 and 2015. If that's true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack. This would be extremely alarming because it effectively undermines trust in digital certificates."
Raiu also revealed that the attackers did not need to use digital certificates to gain access to Kaspersky systems, as Duqu 2.0 was exploiting several zero-day exploits in order to bypass the requirement on Windows to have all drivers digitally signed.
The reason the attackers took the extra risk of using the digital certificate was as a way of making sure that they could remain on the infected systems even if they were rebooted.
Duqu 2.0 resides entirely in the memory of the infected system, making it extremely difficult to detect as there is no persistence, but having the almost invisible digital certificate in place would have given the hackers a way of maintaining their presence even if one of the zero-day vulnerabilities gets patched.
The Foxconn certificate used in the attack would have been a very valuable asset for the attackers, giving them access to virtually any system in the world. The use of it in this attack indicates just how important accessing Kaspersky's systems was for the hackers.
The same Foxconn digital certificate was used to sign another driver with the driver file anonymously uploaded to VirusTotal on 15 June, indicating there is another unknown victim of Duqu 2.0.