Related:

11 June 2015, Kaspersky Lab: The Duqu 2.0: Technical Details (PDF)

10 June 2015, WSJ: Spy Virus Linked to Israel Targeted Hotels Used for Iran Nuclear Talks

23 March 2015, WSJ: Israel Spied on Iran Nuclear Talks With U.S.

http://www.theguardian.com/technology/2015/jun/11/duqu-20-computer-virus-with-traces-of-israeli-code-was-used-to-hack-iran-talks

Duqu 2.0: computer virus 'linked to Israel' found at Iran nuclear talks venue

Internet security company Kaspersky says software was used to infiltrate venues for international negotiations on Tehran's nuclear programme

Samuel Gibbs

11 June 2015

A powerful computer virus linked to Israel is thought to have been used to spy on the recent Iran nuclear talks after being found in the networks of three hotels that hosted the negotiations.

The security company Kaspersky discovered [1] the virus, which it said was a new variant of the Duqu worm, itself a variant of the state-sponsored computer virus Stuxnet, used to attack Iran's nuclear infrastructure in 2010.

Kaspersky said the new worm, known as Duqu 2.0, was used to attack three European hotels that, over the last 18 months, hosted the P5+1 talks on Iranian nuclear capabilities [2], which involve the US, UK, Germany, France, Russia and China, together with the EU.

Kaspersky did not identify the hotels or say who was behind the attack. However, Israel is thought to have deployed the original Duqu worm to carry out sensitive intelligence gathering.

In March, the US accused Israel of spying on the international negotiations [3] over Iran's nuclear programme and using the intelligence gathered to persuade Congress to undermine the talks.

The worm infects computer systems through network gateways and firewalls, the parts of a computer system exposed to the internet. Once on target computers it remains hidden, staying in the computer's memory and leaving no trace of infection on the computer's hard drive, making it difficult to detect.

Costin Raiu, director of Kaspersky Lab's global research and analysis team, said: "The people behind Duqu are one of the most skilled and powerful advanced persistent threat groups and they did everything possible to try to stay under the radar."

'Hallmarks of a nation-state attack'

A rival security company, Symantec, confirmed Kaspersky's findings. [4]

"This highly sophisticated attack used up to three zero-day exploits, [5] which is very impressive -- the costs [of development] must have been very high," said Raiu.

The worm attacks a variety of computers in a sophisticated pattern, jumping from computer to computer and slowly making its way up from low-priority systems to more valuable machines with greater access to sensitive systems or data.

Independently reviewing the report, Trend Micro's head of security research, Rik Ferguson, said: "It certainly has all the hallmarks of a nation-state attack and reuses much from its ancestor the original Duqu, but in new and improved ways."

'Last frontier of protection'

Kaspersky researchers said it was not possible at this stage to tell precisely what impact the attack had on the P5+1 talks beyond infecting computers. The report says it is possible that infected computers were used to control other systems within the hotels, including the cameras, microphones and phone systems to spy on the talks.

The worm was first discovered by Kaspersky on its own systems, although the company reports that it did not compromise any key systems. "Spying on cybersecurity companies is a very dangerous tendency," said Eugene Kaspersky, chief executive of Kaspersky Lab. "Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised."

Once the attack was identified, researchers tried to find other attack victims, identifying only three hotels after scanning thousands. It was only later that the researchers found the common link: they had all been venues for P5+1 discussions over Iran's nuclear capabilities.

Although Israel has denied being behind the latest attack, [6] the country's security agencies are reported to have had the Iran talks under intensive surveillance.

In March, the Wall Street Journal cited [7] senior US administration officials as saying an Israeli espionage operation began soon after the US opened up a secret channel of communications with Tehran in 2012, aimed at resolving the decade-long standoff over Iran's nuclear aspirations. It said American diplomats attending the talks in Austria and Switzerland were briefed by US counter-intelligence officials about the threat of Israeli eavesdropping. It also raised the possibility that Israel gathered intelligence about the US position by spying on other participants in the negotiations, from western Europe, Russia, China or Iran.

Israel has said that a deal emerging from the talks could allow Iran to continue working towards building nuclear weapons, something Iran has denied is under way.

While the report indicates one important target impacted by Duqu 2, its true impact on the wider world is likely to be realised somewhat indirectly. "The average consumer or small business won't be affected directly by Duqu 2," assured Ferguson. "[The] bigger issue is, as we saw with Stuxnet and many others, this research and development effort made by nation states almost invariably filters down to the more widely spread cybercrime."

[1] https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/

[2] http://www.theguardian.com/world/julian-borger-global-security-blog/2015/mar/18/showdown-in-lausanne-iran-nuclear-talks-enter-their-final-stretch

[3] http://www.theguardian.com/world/2015/mar/24/israel-spied-on-us-over-iran-nuclear-talks

[4] http://www.symantec.com/connect/blogs/duqu-20-reemergence-aggressive-cyberespionage-threat

[5] http://en.wikipedia.org/wiki/Zero-day_(computing)

[6] http://www.wsj.com/articles/spy-virus-linked-to-israel-targeted-hotels-used-for-iran-nuclear-talks-1433937601

[7] http://www.wsj.com/articles/israel-spied-on-iran-talks-1427164201