Not long after blowing the lid off a National Security Agency-backed hacking group that operated in secret for 14 years, researchers at Moscow-based Kaspersky Lab returned home from February's annual security conference in Cancun, Mexico to an even more startling discovery. Since some time in the second half of 2014, a different state-sponsored group had been casing their corporate network using malware derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program.
Some of the malware's stealth capabilities were unlike anything Kaspersky researchers had ever seen, and in many respects, the malware was more advanced than the malicious programs developed by the NSA-tied Equation Group that Kaspersky just exposed. More intriguing still, Kaspersky antivirus products showed the same malware has infected one or more venues that hosted recent diplomatic negotiations the US and five other countries have convened with Iran over its nuclear program. Also puzzling: among the other 100 or fewer estimated victims were parties involved in events remembering the 70th anniversary of the liberation of the Auschwitz-Birkenau extermination camp.
Developers planted several false flags in the malware to give the appearance its origins were in Eastern Europe or China. But as the Kaspersky researchers delved further into the 100 modules that encompass the platform, they discovered it was an updated version of Duqu, the malware discovered in late 2011 with code directly derived from Stuxnet. Evidence later suggested Duqu was used to spy on Iran's efforts to develop nuclear material and keep tabs on the country's trade relationships. Duqu's precise relation to Stuxnet remained a mystery when the group behind it went dark in 2012. Now, not only was it back with updated Stuxnet-derived malware that spied on Iran, it was also escalating its campaign with a brazen strike on Kaspersky.