The malware used to compromise the Russian security firm Kaspersky Lab, as well as hotels that hosted negotiations over Iran’s nuclear program, was signed with a code-signing certificate stolen from the Taiwanese electronics manufacturer Foxconn, according to reports citing the Russian company’s analysis.
Kaspersky Lab said on Monday that its researchers found that the traffic-redirecting driver used by the Duqu 2.0 malware was signed with a genuine certificate issued to the Taiwanese electronics giant, not a forged one. Foxconn manufactures products for several of the world’s leading companies, including Apple, Dell, Google and Microsoft. Moscow-based Kaspersky said it found the malware in three hotels where Iranian representatives were in talks with six world powers, including the United States and Russia.
Code-signing certificates bind a publisher’s identity to a public key, so that software carrying a valid signature is accepted as coming from that publisher; the same mechanism underpins identity checks for computers on a network and is widely used in online transactions. Whoever was behind the malware somehow obtained a legitimate Foxconn certificate together with its private signing key and used them to sign their own malicious code, which was then placed on Kaspersky servers and firewalls to steal information passing through the security firm’s network, Reuters reported. Because the key was genuine, the signature verified exactly as a real Foxconn driver’s would: verification proves only that the holder of the key signed the code, not that the holder was Foxconn.
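To make concrete why a stolen certificate defeats the check described above, here is an added example in Go using only the standard library; it is not code from the article or from Kaspersky’s report. It builds a hypothetical root CA and a hypothetical hardware vendor certificate (the names "Example Root CA", "Example Hardware Vendor Ltd", the serial numbers and the payload strings are all constructed for the example), signs a benign driver and a malicious one with the same vendor key, and runs both through a loader-style check: chain validation to the root with the code-signing extended key usage, a revocation list keyed by serial number standing in for a CRL or OCSP lookup, and the signature over the payload. The malicious driver passes as long as the key is genuine, a self-made look-alike certificate fails because it chains to nothing, and revoking the leaked serial blocks the attacker at the cost of everything the vendor signed with it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: acceptable for demo setup, never for a loader.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a one-year cert: CAs get cert-signing rights, leaves get the code-signing EKU.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
		t.BasicConstraintsValid, t.IsCA, t.ExtKeyUsage = true, true, nil
	}
	return t
}

// newCert generates a P-256 key and certifies it with parentKey; a nil parent means self-signed.
func newCert(tpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Sign hashes the payload with SHA-256 and signs the digest. Owner or thief, the
// holder of the private key produces an equally valid signature.
func Sign(payload []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verify does what a loader does: chain the signer to a trusted root with the
// code-signing EKU, consult a revocation list keyed by serial number (standing
// in for a CRL or OCSP lookup), then check the signature over the payload.
func Verify(payload, signerDER, sig []byte, roots *x509.CertPool, revoked map[string]bool) error {
	signer, err := x509.ParseCertificate(signerDER)
	if err != nil {
		return err
	}
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return err
	}
	if revoked[signer.SerialNumber.String()] {
		return errors.New("signer certificate is revoked")
	}
	return signer.CheckSignature(x509.ECDSAWithSHA256, payload, sig)
}

// Outcome records which artifacts the loader accepted.
type Outcome struct{ VendorDriver, StolenKeyMalware, SelfSignedMalware, VendorAfterRevocation bool }

// RunScenario builds a hypothetical root CA and hardware vendor, then tries the
// four cases a defender cares about.
func RunScenario() Outcome {
	root, rootKey := newCert(template("Example Root CA (hypothetical)", 1, true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	vendorTpl := template("Example Hardware Vendor Ltd (hypothetical)", 1001, false)
	vendor, vendorKey := newCert(vendorTpl, root, rootKey)
	fake, fakeKey := newCert(vendorTpl, nil, nil) // same name and serial, but chains to nothing
	driver := []byte("benign network driver")                                  // constructed
	malware := []byte("kernel driver that proxies traffic to an attacker host") // constructed
	accepts := func(p []byte, c *x509.Certificate, k *ecdsa.PrivateKey, revoked map[string]bool) bool {
		sig, err := Sign(p, k)
		return err == nil && Verify(p, c.Raw, sig, roots, revoked) == nil
	}
	return Outcome{
		VendorDriver:      accepts(driver, vendor, vendorKey, nil),
		StolenKeyMalware:  accepts(malware, vendor, vendorKey, nil), // stolen key: indistinguishable from the vendor
		SelfSignedMalware: accepts(malware, fake, fakeKey, nil),     // no path to a trusted root
		// Revoking the leaked serial blocks the attacker, and everything the vendor signed with it.
		VendorAfterRevocation: accepts(driver, vendor, vendorKey, map[string]bool{vendor.SerialNumber.String(): true}),
	}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The point the scenario makes visible is that signature verification answers only "was this signed by the holder of that key". Once the key has left the vendor, the defences that remain are revocation, policy that takes signing timestamps into account, and allowlisting of what a given signer is actually expected to ship.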
Analysts say Duqu 2.0 is a descendant of the Stuxnet worm, discovered in 2010 after it was used to sabotage Iran’s nuclear program and reportedly developed by the United States and Israel. The use of the Foxconn certificate in the Kaspersky hack marks the third advanced persistent threat (APT) attack from this lineage to be signed with a certificate stolen from a Taiwanese hardware manufacturer.
Stuxnet’s drivers were signed with certificates belonging to Realtek Semiconductor Corp and JMicron Technology Corp, and the original Duqu, found in 2011, used a certificate belonging to C-Media Electronics, Kaspersky noted in its 2015 Duqu 2.0 report.
Kaspersky researchers cautioned that these incidents could mean the unknown attacker has a reliable supply of stolen code-signing certificates and, more to the point, their private keys: the certificate itself is public, and it is the key that lets an attacker sign.
"This is extremely alarming because it undermines all the trust we have in digital certificates. It means that digital certificates are no longer an effective way of defending networks and validating the legitimacy of the packages. It's also important to point out that these guys are careful enough not to use the same digital certificates twice," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told reporters, according to Ars Technica.
Israel, which has condemned the negotiations between Iran and the other countries over regulating its nuclear program, has denied any link to the attacks. Recently, Washington accused Israel of leaking information from the talks in order to misrepresent its position.