Kaspersky has revealed that its own systems were recently compromised by hackers, meaning that the online security firm has become a victim of the very malware that it had discovered three years before.
Kaspersky Lab said it believed the attack, which used the Duqu malware, was designed to spy on its newest technologies.
It said the intrusion involved up to three previously unknown techniques.
The Russian firm added that it was continuing to carry out checks, but believed it had detected the intrusion at an early stage.
“Spying on cybersecurity companies is a very dangerous tendency,” said the company’s chief executive Eugene Kaspersky. “The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin.”
Known as Duqu 2.0, the new worm was, Kaspersky said, used to attack three European hotels where the P5+1 talks involving the US, UK, Germany, France, Russia, and China with the EU concerning Iranian nuclear capabilities were held over the last 18 months.
Kaspersky did not identify the hotels or say who was behind the attack. However, Israel is thought to have deployed the original Duqu worm to carry out sensitive intelligence gathering.
The attack exploited zero-day vulnerabilities and, after elevating privileges to domain administrator, the malware was spread across the network through MSI files. The attack did not leave behind any disk files or change system settings, making detection difficult.
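The one concrete detail the article gives about lateral movement is that, once the attackers held domain-administrator rights, the malware was pushed to other machines as MSI packages. The following is an added example of what a defender can do with that detail; it is not code from the article or from Kaspersky. It assumes a simplified CSV export of Windows Application-log events from the MsiInstaller source (event 1040, "Beginning a Windows Installer transaction", and 11707, "Installation completed successfully") and looks for one account starting installer transactions on several hosts within a short window, which is what a domain-wide MSI push looks like from the log side. The log lines, host names, account names and file paths are constructed for the example, and the CSV column layout is an assumption.

```python
"""
Hunt for one account launching MSI installs across many hosts in a short window.

Added example, not from the article or Kaspersky. Event IDs 1040 and 11707 are
real MsiInstaller events in the Windows Application log; the CSV layout, hosts,
accounts and paths below are constructed for the example.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export: host, timestamp, event id, account, message.
SAMPLE_LOG = """host,time,event_id,account,message
ws01,2015-06-10T09:12:01,1040,CORP\\svc_backup,Beginning a Windows Installer transaction: C:\\Windows\\Temp\\update.msi. Client Process Id: 4120.
ws01,2015-06-10T09:12:05,11707,CORP\\svc_backup,Product: Update Pack -- Installation completed successfully.
ws02,2015-06-10T09:12:40,1040,CORP\\svc_backup,Beginning a Windows Installer transaction: C:\\Windows\\Temp\\update.msi. Client Process Id: 2208.
ws02,2015-06-10T09:12:44,11707,CORP\\svc_backup,Product: Update Pack -- Installation completed successfully.
ws03,2015-06-10T09:13:10,1040,CORP\\svc_backup,Beginning a Windows Installer transaction: C:\\Windows\\Temp\\update.msi. Client Process Id: 3344.
ws07,2015-06-10T14:02:00,1040,CORP\\jdoe,Beginning a Windows Installer transaction: C:\\Users\\jdoe\\Downloads\\7zip.msi. Client Process Id: 5520.
ws07,2015-06-10T14:02:09,11707,CORP\\jdoe,Product: 7-Zip -- Installation completed successfully.
"""

MSI_START = "1040"  # MsiInstaller: "Beginning a Windows Installer transaction"
# Staging locations that are unusual for an interactive user install (assumed).
STAGING_PREFIXES = ("c:\\windows\\temp\\", "c:\\windows\\system32\\", "\\\\")


def parse_events(text):
    """Parse the CSV export and turn the timestamp column into datetimes."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def msi_path(message):
    """Extract the package path from a 1040 message, or None if absent."""
    marker = "Windows Installer transaction: "
    if marker not in message:
        return None
    rest = message.split(marker, 1)[1]
    return rest.split(". Client Process Id", 1)[0]


def find_msi_spray(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return accounts that started MSI installs on >= min_hosts hosts inside `window`.

    Each finding records the account, the hosts touched, the package paths and
    which of those paths sit in a staging location rather than a user profile.
    """
    starts = defaultdict(list)
    for e in events:
        if e["event_id"] != MSI_START:
            continue
        starts[e["account"]].append((e["time"], e["host"], msi_path(e["message"])))

    findings = []
    for account, items in starts.items():
        items.sort()
        # Slide a window over the time-ordered starts for this account.
        for t0, _, _ in items:
            in_window = [it for it in items if t0 <= it[0] <= t0 + window]
            hosts = {host for _, host, _ in in_window}
            if len(hosts) < min_hosts:
                continue
            paths = {p for _, _, p in in_window if p}
            findings.append({
                "account": account,
                "start": t0,
                "hosts": sorted(hosts),
                "paths": sorted(paths),
                "staged": sorted(p for p in paths if p.lower().startswith(STAGING_PREFIXES)),
            })
            break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_msi_spray(parse_events(SAMPLE_LOG)):
        print(f"{f['account']} started MSI installs on {len(f['hosts'])} hosts "
              f"from {f['start']}: {f['hosts']} via {f['paths']} (staged: {f['staged']})")
```

The heuristic is deliberately narrow: it keys on the installer transaction rather than on the package name or a hash, because the article's point is that the payload itself left nothing on disk to match against. The thresholds and the staging-path list are the knobs to tune against a site's own software-deployment baseline.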
— Eugene Kaspersky (@e_kaspersky) June 10, 2015
Commenting on this, Gavin Reid, VP of threat intelligence at Lancope, said: “This attack is unique and one of the first times we have seen a nation-state attack on the private security industry. Kaspersky is credited with finding the original Duqu, so it is not too surprising the authors would want to add Kaspersky to the list of companies it targeted with the newer, harder-to-detect Duqu 2.0. This compromise shows how at risk the private sector is from advanced adversaries – even companies that are expert in this area. The fact this malware runs completely in memory makes many host-based detection capabilities ineffective.”