Report From Russian Cybersecurity Firm Links Israel To Nuclear Talk Spy Virus

Earlier this year, relations between the US and Israel frayed after Israeli PM Benjamin Netanyahu — in an attempt to rally support for his reelection bid — implied that Arab Israelis shouldn’t vote before suggesting that a two-state solution to the Palestinian ‘issue’ would happen over his dead body. The Obama administration took that as a sign that Netanyahu was not dedicated to peace in the region. 

The tension only grew when reports surfaced that Israel had spied on nuclear talks with Iran. Washington and Jerusalem have long played a kind of spy vs. spy game which both countries generally accept and tolerate, but this time around, Israel apparently passed the intelligence it gathered on to Congress in an attempt to undercut negotiations with Iran, something The White House did not appreciate. Here’s our rather amusing summary: 

The US spied on Israel and discovered that Israel was spying on the US, which under normal circumstances would be fine, but this time the Israeli spying was aimed at undermining US diplomacy, so this spying was unacceptable, but Israel contends that in fact, it did not spy on the US to obtain the sensitive information but in fact gathered it from spying on other countries. 

On Wednesday, new details emerged about espionage and the Iran nuclear negotiations when Moscow-based cybersecurity firm Kaspersky Lab ZAO released a report detailing how an internal systems breach at the company led to the discovery of hacks at hotels which hosted the P5+1 Iran talks. 

Via Kaspersky Lab:

Earlier this year, during a security sweep, Kaspersky Lab detected a cyber intrusion affecting several of its internal systems.

Following this finding, we launched a large-scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project - until now. Our technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the step-brother of Stuxnet. We named this new malware and its associated platform “Duqu 2.0”.

Victims of Duqu 2.0 have been found in several places, including western countries, the Middle East and Asia. The actor appears to compromise both final and utilitarian targets, which allows them to improve their cyber capabilities.

Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks.

In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

WSJ has more on the Israel connection:

When a cybersecurity firm discovered it had been hacked last year by a virus widely believed to be used by Israeli spies, it wanted to know who else was on the hit list.

The spyware, the firm has now concluded, was an improved version of Duqu, a virus first identified by cybersecurity experts in 2011, according to a Kaspersky report and outside security experts...

Senior U.S. officials learned Israel was spying on the nuclear talks in 2014, a finding first reported by The Wall Street Journal in March. Officials at the time offered few details about Israel’s tactics...

No intelligence-collection effort is a higher priority for Israel’s spy agencies than Iran, including the closed-door talks that have entered a final stage...

Kaspersky, in keeping with its policy, doesn’t identify Israel by name as the country responsible for the hacks. But researchers at the company indicate that they suspect an Israeli connection in subtle ways.

For example, the version of the company’s report viewed by the Journal before its release was titled “The Duqu Bet.” Bet is the second letter of the Hebrew alphabet. Kaspersky revised the title in the final version of the report released Wednesday, removing the “Bet” reference.

Costin Raiu, director of the global research and analysis team at Kaspersky, said the virus was packed with more than 100 discrete “modules”...

One module was designed to compress video feeds, possibly from hotel surveillance cameras. Other modules targeted communications, from phones to Wi-Fi networks. The attackers would know who was connected to the infected systems, allowing them to eavesdrop on conversations and steal electronic files.

The virus could also enable them to operate two-way microphones in hotel elevators, computers and alarm systems. In addition, the hackers appeared to penetrate front-desk computers. That could have allowed them to figure out the room numbers of specific delegation members...

U.S. intelligence agencies view Duqu infections as Israeli spy operations, former U.S. officials said. While the new virus bore no overt links to Israel, it was so complex and borrowed so heavily from Duqu that it “could not have been created by anyone without access to the original Duqu source code,” Kaspersky writes in its report.

To check his conclusions, Mr. Raiu a few weeks ago emailed his findings to a friend, Boldizsár Bencsáth, a researcher at Budapest University of Technology and Economics’ Laboratory of Cryptography and System Security. Mr. Bencsáth in 2011 helped discover the original Duqu virus.

“They look extremely similar,” Mr. Bencsáth said in an interview Tuesday. He estimated a team of 10 people would take more than two years to build such a clean copycat, unless they were the original author.

In an interview with RT, Eugene Kaspersky says the sophisticated software would have cost at least $10 million to develop. He also notes that the P5+1 hotels may be just the tip of the iceberg in terms of "top ranking targets":

“There could be different motivations. Of course there is political information, which costs a lot, any other kind of data which is sensitive or very interesting to the attackers. As a software company, we can estimate the investment into a software project. This is a software project. How much did they invest to develop it, to test and to support it? I think it’s at least $10 million, maybe more. Maybe much more, because we still don’t know how many victims there are affected around the world. The prevalence of this attack is much wider and has included more top ranking targets from various countries.”

(Kaspersky)

Of course no one should be particularly surprised that a state actor may have conducted large scale espionage around an event that has the potential to change the geopolitical landscape in the Middle East and could also impact global energy markets.

The more interesting story here may end up being the fact that Israel has targeted a Russian cybersecurity firm run by a KGB-educated CEO with strong ties to the FSB (Kaspersky reportedly never misses weekly sauna nights with Russian intelligence officers). We're sure there's more to come on the Israel connection, especially given that nuclear negotiations with Iran are set to intensify in the coming weeks ahead of a June 30 deadline, but for now, we'll close with what Kaspersky told Bloomberg this year when asked about his loyalty to Vladimir Putin:

“I’m not the right person to talk about Russian realities, because I live in cyberspace.”

*  *  *

Full Report:

The Mystery of Duqu 2.0: A Sophisticated Cyberespionage Actor Returns