Throwback attack: Duqu, one of the most skilled, mysterious and powerful APT groups


In 2010, Stuxnet, one of the biggest industrial cybersecurity attacks in history, was discovered as it struck the Natanz nuclear facility in Iran. This would not be the last problem for Iran’s nuclear program, however. In the following year, more malware was discovered on the systems of Iranian nuclear companies, including Duqu, an information-gathering malware. But Duqu went dormant just as quickly as it was found.

What happened

Duqu malware was discovered on Sept. 1, 2011, but could have been deployed as early as December 2010 based on the dates the binary files were compiled. This type of malware is able to steal sensitive information. One of the main goals of the Duqu attacks was to spy on Iran’s nuclear program. According to a Kaspersky report, “Infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks.”

Some of the victims appear to have been attacked so the criminals could gain certain technical abilities, such as the ability to sign their malware with trusted certificates or to serve as platforms for further attacks. One example is a certificate authority in Hungary that was attacked, and ultimately led to the Duqu malware discovery.

Symantec researchers confirmed six possible infected organizations located in eight countries: France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan and Vietnam. The organizations were only traceable back to their ISPs. Other security vendors reported infections in Austria, Hungary, Indonesia, the United Kingdom and Iran. Information-stealing malware such as Duqu carries out the first step in the cyber kill chain, reconnaissance, which can lead to further attacks. However, after the public exposure of Duqu, the group behind it seemed to disappear from the threat landscape.

Duqu malware explained

Duqu is a collection of computer malware and is a remote access trojan (RAT). It got its moniker from the prefix “DQ” that it gives to the names of files it creates. It infects vulnerable systems and inserts itself into memory disguised as a trusted part of the process. Once a system has been hacked, other computers in secure zones can be infected and controlled through peer-to-peer command.

Each variant of the Duqu malware has different characteristics, making the malware harder to detect. At least two infostealer tools were used as well. An infostealer is a piece of malware that steals information. Once the infostealer tools were deployed, the collected information was lightly encrypted and compressed on the infected system. The resulting file was then renamed as a .jpg file for retrieval. The use of .jpg files was the threat actors’ attempt to disguise the data transmission as normal network traffic.
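One defender-side check that follows from the .jpg disguise described above, written here as an added example rather than anything from the original article or from published Duqu analyses: it verifies that a file carrying a .jpg name actually has JPEG structure and flags either a renamed non-image or a payload appended behind a real image. All sample bytes are constructed for the example.

```python
import math
import zlib

SOI = b"\xff\xd8"  # JPEG start-of-image marker
EOI = b"\xff\xd9"  # JPEG end-of-image marker


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; compressed or encrypted data trends toward 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_jpeg(data: bytes) -> dict:
    """Check a file that claims to be a JPEG for the two disguises discussed
    above: a renamed non-image, or a payload appended after a real image."""
    has_soi = data.startswith(SOI)
    # In a well-formed JPEG the first FF D9 is the end-of-image marker
    # (FF bytes inside scan data are stuffed as FF 00), so anything that
    # follows it is not part of the picture.
    eoi_at = data.find(EOI) if has_soi else -1
    if not has_soi:
        verdict, payload = "not-jpeg", data        # .jpg name, no JPEG header
    elif eoi_at == -1:
        verdict, payload = "truncated", b""
    elif eoi_at + 2 < len(data):
        verdict, payload = "trailing-data", data[eoi_at + 2:]
    else:
        verdict, payload = "ok", b""
    return {
        "verdict": verdict,
        "has_soi": has_soi,
        "trailing_bytes": len(payload) if verdict == "trailing-data" else 0,
        "payload_entropy": round(shannon_entropy(payload), 2),
    }


# Constructed samples (not Duqu artifacts): a minimal JPEG skeleton and a
# zlib-compressed, XOR-obscured text bundle standing in for the "lightly
# encrypted and compressed" stolen data.
REAL_JPEG = SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00" + EOI
_plain = b"quarterly report on centrifuge cascade performance\n" * 40
STOLEN = bytes(b ^ 0x5A for b in zlib.compress(_plain))  # constructed bundle
RENAMED_BLOB = STOLEN               # bundle simply renamed to .jpg
POLYGLOT = REAL_JPEG + STOLEN       # bundle appended behind a valid image
```

A file classified as not-jpeg or trailing-data with high payload entropy is worth pulling for inspection; a real image yields ok with no trailing bytes.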

Duqu is thought to be related to the Stuxnet worm, as it exploited the same Microsoft Windows zero-day vulnerability as Stuxnet. According to Dr. Boldizsar Bencsath, “Duqu bears a striking similarity to Stuxnet in terms of design philosophy, internal structure and mechanisms, implementation details, and the estimated amount of effort needed to create it.” Both strains of malware deactivate themselves to avoid detection and share some of the same coding.

Unit 8200

Unit 8200 is an Israeli Intelligence Corps unit of the Israel Defense Forces and is the alleged group that was behind the Duqu malware. Because Unit 8200 was also likely behind the Stuxnet attacks, it was easy to make the connection. The unit consists of 18-21-year-olds, who have short service periods. There are after-school programs for 16-18-year-olds, which serve as feeder programs for the unit, where the students can learn computer coding and hacking skills. According to the director of military sciences at the Royal United Services Institute, “Unit 8200 is probably the foremost technical intelligence agency in the world and stands on a par with the NSA in everything except scale.”

The return of Duqu

After Duqu went dark in 2012, many assumed that work on the project had stopped, but that was not the last of the Duqu malware. In 2015, new attacks were discovered that used an updated version of the 2011 Duqu. This new version, Duqu 2.0, targeted companies in Western countries, the Middle East and Asia.

The first attack was against Kaspersky Lab. This was a clear indication of how the landscape was changing and escalating, because around 2011 hacks by APT groups were rare. The fact that Duqu 2.0 targeted a world-class security company meant its operators were either overconfident they wouldn’t get caught or didn’t care if they did. This attack and others like it proved that even security companies are not off limits and set the scene for later attacks we have since seen, such as those on Visser Precision and FireEye.