Duqu 2 malware uncovered
Cybersecurity firm Kaspersky Lab said new malware named Duqu 2.0 was used to target the venues of the Iran nuclear talks (IB Times)

A leading cybersecurity firm claims several venues for international negotiations over Iran's nuclear programme have been targeted by a surveillance virus, reportedly linked to Israeli intelligence.

Kaspersky Lab ZAO said it discovered earlier this year that several of its own internal systems had been infected by highly sophisticated malware.

As the company's researchers set out to investigate the cyber-attack, they found that the same virus had been used to infiltrate a series of other targets in the West and the Middle East, including, most notably, hotels where the Iranian delegates met with the P5+1 group to discuss Tehran's nuclear ambitions.

Kaspersky, a Moscow-based firm, said the "highly sophisticated" malware platform was a developed version of Duqu, which it described as "one of the most skilled, mysterious and powerful threat actors in the APT [advanced persistent threat] world".

It added that the level of complexity of Duqu 2.0 was so high that it believes its use could only be part of "a nation-state-sponsored campaign."

"The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar," said Costin Raiu, Director of Kaspersky Lab's Global Research & Analysis Team.

"This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high."

The firm added that the perpetrators were confident they could act with impunity, as the high quality of Duqu 2.0 would let their activity go unnoticed.

"To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn't directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers' command and control servers," explained Raiu.

Kaspersky didn't name Israel as a suspect, but the previous version of Duqu was very similar to the infamous Stuxnet worm, believed to have been developed by the US and Israel.

Israel has long opposed the nuclear talks, as it considered that a successful outcome could greatly increase the threat Tehran poses to Israel's security. Disagreement on the issue also dragged Israel-US relations to a record low.

In March, Washington directly accused Israeli spies of having snooped on the talks to gather intelligence used to fuel opposition to the nuclear deal in the US Congress.

Kaspersky's revelation that venues where the P5+1 group met Iranian government representatives were targeted is likely to substantiate that claim.

The company didn't identify the hotels, and said the attack on its own internal systems was primarily aimed at acquiring information "on the company's newest technologies".

"Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company's products, technologies and services," the firm said in a statement.

Duqu 2.0 malware

Duqu was a sophisticated piece of malware discovered in 2011, having been used in a number of intelligence-gathering attacks against a range of industrial targets. It had a number of similarities to the infamous Stuxnet worm, leading many to believe it was developed by the US and Israel.

Duqu 2.0 is an evolution of the original malware and is believed by Symantec to have been created by the same group of attackers. It is once again being used to hit very specific targets, including the P5+1 nuclear talks and the events marking the 70th anniversary of the liberation of Auschwitz-Birkenau.

The highly stealthy malware would have gone completely undetected while gathering large quantities of highly sensitive information before uploading that data remotely to command-and-control servers.

By David Gilbert