The Russian antivirus firm Kaspersky Lab is used to exposing sophisticated cyberattacks staged by powerful spy agencies against other countries. But this time, they found that the target was on their own heads.
On Wednesday, the firm disclosed that a hacking group likely connected to a nation-state had compromised Kaspersky Lab's own network last year. Kaspersky Lab researchers believe the sophisticated attack used a new generation of a previously discovered malware—Duqu—which is thought to have been developed and used by Israeli spies. Kaspersky analyzed Duqu 2.0's older sibling in detail in 2011 when it was first uncovered.
The attack might be a sign of things to come—a future where spy agencies regularly target security companies to find out who else these companies are watching, and gather intelligence on how not to get caught. In other words, companies such as Kaspersky Lab are now apparently considered legitimate targets by very same state hackers that the company routinely exposes.
"Security companies have become a valid target of foreign governments."
"Security companies have become a valid target of foreign governments," Mikko Hypponen, a renowned security expert and chief research officer for F-Secure, told Motherboard. "We build security solutions that are trying to bring down their spying operations, so obviously they see us as adversaries."
For Hypponen, that's actually not the worst case scenario. In his view, the Geneva Convention—the de-facto law of war—could even be interpreted to allow for real life attacks on cybersecurity firms, he said.
"During a time of war, our company would be legitimate target for, say, bombings," Hypponen wrote in an email, referring to a specific passage of the convention. "When I started analyzing viruses on 5.25-inch floppy disks in 1991 I sure as hell did not sign up for this shit."
"When I started analyzing viruses on 5.25-inch floppy disks in 1991 I sure as hell did not sign up for this shit."
Others in the cybersecurity world, such as Cesar Cerrudo, a security researcher at IOActive, agreed.
"Governments attacking IT security companies is simply outrageous," Cerrudo said on Twitter. "We're supposed to be on the same side."
Even Eugene Kaspersky, the founder and CEO of the eponymous firm, wrote in an op-ed for Forbes that hacking a security firm is like "deliberately attacking medics on a battleground," something that is "simply despicable and disgraceful."
Regardless of whether such attacks are fair or ethical, it might just be the new reality for cybersecurity firms. "No one should be surprised that governments are hacking security firms to find out what they know about government hacking campaigns," tweeted Kim Zetter, a longtime security reporter at Wired.
Still, Kaspersky remained defiant, despite revealing that the hackers successfully intruded its own network for a "few months."
"Come on, it's stupid to attack a cybersecurity company, sooner or later we'll find it anyway," Kaspersky said during a press conference held on Wednesday in London. "Please don't hack me, it's a bad idea."
"Please don't hack me, it's a bad idea."
Kaspersky described the attack against his own company as a "mix of Alien, Terminator and Predator," because it was "invisible, very aggressive and very effective."
The attack used at least three unknown bugs, also known as "zero days," to exploit Kaspersky Lab's computers, and used a slew of tricks to go undetected as long as possible.
Yet, Kaspersky was able to detect the attack in February, as Ars Technica recounts in a detailed article. As a result, Kaspersky researchers, as well as other security firms who have access to the attack data, now know how to catch this new generation of advanced malware.
Kaspersky declined to say who he believed is behind the attacks, but all signs point to Israel, given that the first generation of Duqu was reportedly developed by the country's spies, and that the hackers behind Duqu 2.0 used it to target hotels where nuclear talks between Western governments and the Iranian government were held. Those negotiations were closely watched by the Israeli government, which wasn't at the table.
Kaspersky described the attack against his own company as a "mix of Alien, Terminator and Predator."
When asked about the Israel attribution, which The Wall Street Journal reported on with the most emphasis, Kaspersky avoided pointing the finger.
"As a newsreader I will say 'uhm, interesting,'" Kaspersky said, adding that, however, as the CEO of a security company, he didn't have any technical data to back up any attribution claims.Yet, even his own researchers hinted that Israeli spies were behind the attack, sometimes referring to the malware in the full technical report as "Duqu Bet," using second letter of the Hebrew alphabet.