Duqu spyware used stolen Foxconn certs

Inside Kaspersky Lab's office in Moscow, Russia. Source: Reuters/Sergei Karpukhin
Reuters

Attackers target hardware manufacturers to steal digital credentials.

Research into the sophisticated malware used to hack into hotels where Iran nuclear talks took place has found it took advantage of digital credentials stolen from the world's top contract electronics maker Foxconn.

Russian security company Kaspersky Lab said its researchers found that the Duqu 2.0 malware used a legitimate digital certificate belonging to Taiwan's Foxconn to sign the component it used to redirect network traffic.

Foxconn customers have included many of the world's biggest electronic vendors, including Apple, Blackberry, Google, Huawei and Microsoft.

Kaspersky revealed its initial findings in a report last week, saying it had found the malware in conferencing equipment at three European hotels that hosted the P5+1 talks between Iran and six world powers, among other targets.

Digital certificates are credentials that bind a cryptographic public key to an identity such as a website, a company or a software publisher. Systems use them to check that traffic or code really comes from the party it claims to, and to set up encrypted connections.

They act as the basis of e-commerce and other largely automated transactions on the web.

In recent years, cyberspies have begun to exploit stolen certificates to sign malicious software so that machines treat it as coming from a legitimate vendor, an escalation posing a grave threat to business done over the internet, security experts say.
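The mechanism the two paragraphs above describe, shown as an added example that is not from the article or from Kaspersky: a Go program issues a code-signing certificate for a constructed stand-in vendor, signs a "driver" byte string with it, and verifies it the way a loader should (trust chain, code-signing extended key usage, signature over the artifact, revocation check). It then signs a second, attacker-controlled image with the same key to show that a stolen key yields signatures the verifier cannot tell apart from the vendor's own, and that revoking the certificate is what finally rejects it. The organisation name, serial number, driver contents and the in-memory revocation set are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewPublisher issues a self-signed code-signing certificate for a constructed
// organisation (not Foxconn's real certificate). Vendor certificates normally
// chain to a commercial CA; here the cert doubles as the trust root in Verify.
func NewPublisher(org string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Sign returns an ECDSA signature over SHA-256(artifact). It proves possession of
// the key, not identity: a thief holding the key produces indistinguishable signatures.
func Sign(key *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verify does what a signature-checking loader should: refuse revoked signers,
// chain the certificate to a trusted root, require the code-signing EKU, then check
// the signature (CheckSignature hashes the artifact with SHA-256 itself). Go's x509
// does not fetch CRLs or OCSP, so revocation is a caller-supplied set of serial numbers.
func Verify(artifact, sig []byte, signer *x509.Certificate, roots *x509.CertPool, revoked map[string]bool) error {
	if revoked[signer.SerialNumber.String()] {
		return fmt.Errorf("signer certificate %s is revoked", signer.SerialNumber)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	return signer.CheckSignature(x509.ECDSAWithSHA256, artifact, sig)
}

// Scenario reports whether the loader accepts the vendor's own driver, an attacker's
// driver signed with the stolen key, and that driver again after revocation.
// Both driver images are constructed byte strings standing in for real binaries.
func Scenario() (vendorOK, stolenOK, revokedOK bool, err error) {
	key, cert, err := NewPublisher("Example Hardware Co. (constructed)", 1001)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	revoked := map[string]bool{}
	vendorDriver := []byte("constructed: legitimate network driver image")
	attackerDriver := []byte("constructed: driver that tunnels C2 traffic")

	sig, err := Sign(key, vendorDriver)
	if err != nil {
		return
	}
	vendorOK = Verify(vendorDriver, sig, cert, roots, revoked) == nil

	stolenSig, err := Sign(key, attackerDriver) // same key, now in the attacker's hands
	if err != nil {
		return
	}
	stolenOK = Verify(attackerDriver, stolenSig, cert, roots, revoked) == nil

	revoked[cert.SerialNumber.String()] = true // the lever the vendor and CA have left
	revokedOK = Verify(attackerDriver, stolenSig, cert, roots, revoked) == nil
	return
}

func main() {
	v, s, r, err := Scenario()
	fmt.Println("vendor driver:", v, "stolen-key driver:", s, "after revocation:", r, "err:", err)
}
```

Run with `go run .`; the vendor's driver and the attacker's driver both verify, and only revocation turns the second one away. The revocation set here stands in for a CRL or OCSP response; in a real deployment the verifier has to fetch that list, and a loader that skips the step because the network is unavailable is exactly what a stolen certificate relies on.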

Targeted attacks

The P5+1 group of six world powers have been negotiating with Iran on curbs to the country's controversial nuclear program and include the United States, Russia, China, Britain, France and Germany.

The on-again, off-again series of talks to reach a comprehensive nuclear deal with Iran have been held in Geneva, Lausanne, Montreux, Munich and Vienna since last year.

Both Kaspersky and security company Symantec said the malware shared code with previously discovered espionage software called Duqu, which security experts believe to have been developed by Israelis.

Israel, which has strongly opposed the powers' diplomatic opening to its arch-enemy Iran, denied any connection with the malware. 

Symantec and Kaspersky analysts have said there was overlap between Duqu and Stuxnet, a US-Israeli project that sabotaged Iran's nuclear program in 2009-10 by destroying a thousand or more centrifuges that were enriching uranium.

The Stuxnet malware took advantage of stolen digital certificates from two other major Taiwanese companies, JMicron Technology and Realtek Semiconductor, Kaspersky said in a report it published in 2010.

"Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates," Kaspersky said in a summary of its report this week.

Kaspersky said it had notified Foxconn of the stolen credentials. Foxconn was not immediately available to comment on steps it has taken to secure its systems.

Last week, Kaspersky said Duqu 2.0 had evolved from the earlier Duqu, which had been deployed against unidentified targets for years before it was discovered in 2011.

It said Duqu 2.0 used three previously unknown flaws in Microsoft software to infect machines, which the software giant has since patched. The attack left almost no traces on infected systems.

Kaspersky was itself a victim of Duqu 2.0. The security vendor discovered in early 2015 that several of its internal systems had been compromised by the advanced persistent threat.
