Duqu 2.0: To Attribute or Not?

As I said before, the latest revelation in the world of cybersecurity, at least as of this writing, is the re-emergence of the Duqu Advanced Persistent Threat (APT) group. On June 10, 2015, Kaspersky Lab disclosed that it had been the target of an intrusion that it believes was carried out by the Duqu group, which first surfaced in 2011. They reached this conclusion by analyzing the code used to carry out the attack and finding several similarities to the code originally used by Duqu. The new code also exploited several zero-day vulnerabilities, including at least one in the Windows operating system itself.

The sophistication of the attack, as well as the incremental improvements to the code, led Kaspersky to conclude that the same actors were behind it, as opposed to another group simply reusing the code. One particularly sophisticated feature was that the malware ran almost entirely in memory, which made it harder to detect but also more fragile: the payload was lost whenever the computer rebooted, so the attackers had to reinfect machines from elsewhere on the network.

The basic course of the attack was as follows:

  1. Gain a foothold on a computer on the target network, using a technique such as spearphishing
  2. Exploit a zero-day vulnerability to gain kernel-level access to the Windows operating system
  3. Use that access to hide the malware from common security software, such as Kaspersky's own products
  4. Exploit another zero-day vulnerability, this one in Kerberos (the authentication protocol that members of a Windows domain use to prove their identity to one another), to obtain higher privileges across the domain
  5. Infect a domain controller or other control node on the network and use it to propagate the attack to other computers and to reinfect computers that have rebooted
  6. Use the infected computers to gather information, make changes, and generally do your bidding
  7. Exfiltrate the data disguised as image files
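The last step, data smuggled out inside files that pass for images, is the kind of thing an endpoint or proxy check can look for. What follows is an added example, not code from Kaspersky's report or from the Duqu malware, and it assumes nothing about the container format Duqu 2.0 actually used. It walks the block structure of a GIF file and reports two things a legitimate encoder rarely produces: bytes that follow the GIF trailer, and large payloads inside extension (e.g. comment) blocks. The sample files, the 4096-byte threshold and the "suspicious" rule are constructed for illustration.

```python
"""Structural check for data smuggled inside GIF containers.

Added example, not Kaspersky's or Duqu's code. The sample files, the
threshold and the flagging rule below are assumptions for illustration.
"""
from dataclasses import dataclass

# A structurally valid 1x1 GIF89a, constructed by hand for this example.
MINIMAL_GIF = (
    b"GIF89a"
    + b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen descriptor; global table flag set, 2 entries
    + b"\x00\x00\x00\xff\xff\xff"                  # global colour table: black, white
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local colour table
    + b"\x02"                                      # LZW minimum code size
    + b"\x02\x44\x01\x00"                          # one 2-byte data sub-block, then block terminator
    + b"\x3b"                                      # trailer: nothing legitimate follows this byte
)


@dataclass
class GifReport:
    image_blocks: int
    extension_bytes: int   # payload bytes carried in extension sub-blocks
    trailing: bytes        # bytes after the trailer; a real encoder writes none


def _skip_sub_blocks(data: bytes, pos: int):
    """Advance past a chain of length-prefixed sub-blocks; return (new_pos, payload_len)."""
    total = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos, total
        total += size
        pos += size


def _color_table_len(packed: int) -> int:
    # Bit 7: table present; low 3 bits N: 2^(N+1) entries of 3 bytes each.
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0


def inspect_gif(data: bytes) -> GifReport:
    """Parse the GIF block structure and return what sits outside the pixel data."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    pos = 13 + _color_table_len(data[10])
    images, ext_bytes = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("no trailer: truncated file")
        block = data[pos]
        pos += 1
        if block == 0x3B:                       # trailer
            return GifReport(images, ext_bytes, data[pos:])
        if block == 0x2C:                       # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            pos += 9 + _color_table_len(data[pos + 8]) + 1   # descriptor, local table, LZW min code size
            pos, _ = _skip_sub_blocks(data, pos)
            images += 1
        elif block == 0x21:                     # extension: graphic control, comment, application, ...
            pos += 1                            # extension label
            pos, n = _skip_sub_blocks(data, pos)
            ext_bytes += n
        else:
            raise ValueError(f"unknown block introducer 0x{block:02x} at offset {pos - 1}")


def is_suspicious(report: GifReport, max_extension_bytes: int = 4096) -> bool:
    """Assumed rule: trailing bytes are never legitimate; a large extension payload is a
    weaker signal (comment blocks are the classic place to hide data inside a valid file)."""
    return len(report.trailing) > 0 or report.extension_bytes > max_extension_bytes


def with_comment(gif: bytes, comment: bytes) -> bytes:
    """Insert a comment extension (0x21 0xFE) before the trailer, so the data stays inside the structure."""
    chunks = (comment[i:i + 255] for i in range(0, len(comment), 255))
    body = b"".join(bytes([len(c)]) + c for c in chunks)
    return gif[:-1] + b"\x21\xfe" + body + b"\x00" + b"\x3b"


# Constructed samples: one clean file, one with an appended payload, one with a
# payload hidden in a comment block, one with an innocuous comment.
SAMPLES = {
    "clean.gif": MINIMAL_GIF,
    "appended.gif": MINIMAL_GIF + b"SECRET:" + b"A" * 64,
    "comment.gif": with_comment(MINIMAL_GIF, b"B" * 5000),
    "small_comment.gif": with_comment(MINIMAL_GIF, b"Created by test"),
}


def scan(samples: dict) -> list:
    """Return (name, reason) for every sample that is malformed or looks like a carrier."""
    flagged = []
    for name, blob in samples.items():
        try:
            rep = inspect_gif(blob)
        except ValueError as exc:
            flagged.append((name, f"malformed: {exc}"))
            continue
        if is_suspicious(rep):
            flagged.append((name, f"trailing={len(rep.trailing)} extension_bytes={rep.extension_bytes}"))
    return flagged


if __name__ == "__main__":
    for name, why in scan(SAMPLES):
        print(name, why)
```

Run as a script it flags `appended.gif` and `comment.gif` and passes the other two. The obvious caveat is that this only catches data placed outside or beside the pixel data; a blank image whose payload is encoded in the pixel values themselves is structurally perfect, and catching that needs content or traffic-volume analysis rather than a parser.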

You can read more about the attack here, but the topic at hand is attribution, or the question: “If we are reasonably sure of the perpetrator of an attack, do we name them publicly?”

Kaspersky Lab (through Eugene Kaspersky) is on the record as saying that attribution can sometimes do more harm than good, and is a practice that he and his company purposefully stop short of. Attribution is always tricky, especially because attackers have every incentive to plant evidence that redirects blame onto other groups. Furthermore, many cyber attacks are carried out by nation-states, or by groups affiliated with nation-states, which makes attribution a political game. Researchers, by training, tend to be academics and are hesitant to get dragged into that world.

“It’s pretty much a given in cybersecurity: attribution is rarely possible, and made all the more difficult if the cybercriminals involved are smart, which, alas, is most often the case in the world of cyber-espionage.” - Eugene Kaspersky

There is certainly some merit to naming and shaming, however. Kaspersky found the same malware on a number of different systems across the world, including other software firms, hotels and event venues. Without going so far as to name an actor, they provided all of the information a reader would need to reach a conclusion on their own. Reading between the lines, Wired concluded that the most likely perpetrator of the attack was Israel. The timing of the attacks, for example, coincided with the P5+1 negotiations with Iran over its nuclear program, negotiations from which Israel was pointedly excluded.

Wired’s expert contact, Costin Raiu of Kaspersky Lab, speculated that the intent of the attack was to surveil the progress of the negotiations, and he suggested that one way the attackers might have gathered information was by switching on the microphones of VoIP phones in the rooms where the negotiations were being held, recording audio even while the phones were not in use. Of course, since the official line from Kaspersky is that they do not attribute, he framed it in a very “if I wanted to do this” kind of way.

There are definitely reasons why attribution is a valuable tool in the fight against cybercrime, and reasons why it can be a bit of a double-edged sword.

As a closing note, Sir Christopher Lee, the actor who played the aptly named Count Dooku, died this week at the age of 93. Suffice it to say, Count Dooku was not his most famous role.
