A powerful computer virus linked to Israel is thought to have been used to spy on the recent Iran nuclear talks after being found in the networks of three hotels that hosted the negotiations.
The security company Kaspersky discovered the virus, which it said was a new variant of the Duqu worm, itself a variant of the state-sponsored computer virus Stuxnet, used to attack Iran’s nuclear infrastructure in 2010.
Known as Duqu 2.0, the new worm was, Kaspersky said, used to attack three European hotels where the P5+1 talks involving the US, UK, Germany, France, Russia, and China with the EU concerning Iranian nuclear capabilities were held over the last 18 months.
Kaspersky did not identify the hotels or say who was behind the attack. However, Israel is thought to have deployed the original Duqu worm to carry out sensitive intelligence gathering.
In March, the US accused Israel of spying on the international negotiations over Iran’s nuclear programme and using the intelligence gathered to persuade Congress to undermine the talks.
The worm infects computer systems through network gateways and firewalls, the parts of a computer system exposed to the internet. Once on target computers it remains hidden, staying in the computer’s memory and leaving no trace of infection on the computer’s hard drive, making it difficult to detect.
Costin Raiu, director of Kaspersky Lab’s global research and analysis team, said: “The people behind Duqu are one of the most skilled and powerful advanced persistent threat groups and they did everything possible to try to stay under the radar.”
‘Hallmarks of a nation-state attack’
A rival security company, Symantec, confirmed Kaspersky’s findings.
“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs [of development] must have been very high,” said Raiu.
The worm attacks a variety of computers in a sophisticated pattern, jumping from computer to computer and slowly making its way up from low-priority systems into more valuable machines with greater access to sensitive systems or data.
Independently reviewing the report, Trend Micro’s head of security research, Rik Ferguson, said: “It certainly has all the hallmarks of a nation-state attack and reuses much from its ancestor the original Duqu, but in new and improved ways.”
Kaspersky researchers said it was not possible at this stage to tell precisely what impact the attack had on the P5+1 talks beyond infecting computers. The report says it is possible that infected computers were used to control other systems within the hotels, including the cameras, microphones and phone systems to spy on the talks.
The worm was first discovered by Kaspersky on its own systems, although the company reports that it did not compromise any key systems. “Spying on cybersecurity companies is a very dangerous tendency,” said Eugene Kaspersky, chief executive of Kaspersky Lab. “Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised.”
Once the attack was identified, researchers tried to find other attack victims, identifying only three hotels after scanning thousands. It was only later that the researchers found the common link: they had all been venues for P5+1 discussions over Iran’s nuclear capabilities.
Although Israel has denied being behind the latest attack, the country’s security agencies are reported to have had the Iran talks under intensive surveillance.
In March, the Wall Street Journal cited senior US administration officials as saying an Israeli espionage operation began soon after the US opened up a secret channel of communications with Tehran in 2012, aimed at resolving the decade-long standoff over Iran’s nuclear aspirations. It said American diplomats attending the talks in Austria and Switzerland were briefed by US counter-intelligence officials about the threat of Israeli eavesdropping. It also raised the possibility that Israel gathered intelligence about the US position by spying on other participants in the negotiations, from western Europe, Russia, China or Iran.
Israel has said that a deal emerging from the talks could allow Iran to continue working towards building nuclear weapons, something Iran has denied is under way.
While the report indicates one important target impacted by Duqu 2, its true impact on the wider world is likely to be realised somewhat indirectly. “The average consumer or small business won’t be affected directly by Duqu 2,” assured Ferguson. “[The] bigger issue is, as we saw with Stuxnet and many others, this research and development effort made by nation states almost invariably filters down to the more widely spread cybercrime.”
A highly sophisticated computer worm which has many of the same characteristics of the virus used to attack Iran’s nuclear programme has been discovered targeting companies in Europe.
Although the virus appears to have been spying on the systems it infiltrates – rather than attempting to vandalise them – experts say its code is so similar to the Stuxnet worm that attacked Iran, that it may have been engineered by the same people.
The US and Israel were widely thought to be behind Stuxnet, which sent many of the centrifuges at Tehran’s nuclear facilities spinning out of control. It took this kind of cyberwarfare to a new level.
The new virus was discovered by Symantec, a leading cybersecurity firm, and has been called Duqu.
Symantec would not disclose which firms had been targeted, but the company said one of its customers raised the alarm on Friday. An internal system at the firm “raised a number of red flags” and an investigation was launched.
“The majority of the code is consistent with the Stuxnet code,” said a spokesman for Symantec. “So this new worm either came from the authors of Stuxnet, or someone was given access to the Stuxnet source codes.”
Symantec said that the information Duqu gathers is sent to a server in India, but that this doesn’t give any likely indication of who launched it, or who is accessing the material it finds.
It believes Duqu has been targeting a specific number of organisations in Europe and was designed to automatically remove itself from systems after 36 days.