A fascinating report from the WSJ:
When a leading cybersecurity firm discovered it had been hacked last year by a virus widely believed to be used by Israeli spies, it wanted to know who else was on the hit list. It checked millions of computers world-wide and three luxury European hotels popped up. The other hotels the firm tested—thousands in all—were clean.

The mistake by the hackers seems to have been to use the same malware for attacking Kaspersky as for attacking the hotels.
Researchers at the firm, Kaspersky Lab ZAO, weren’t sure what to make of the results. Then they realized what the three hotels had in common. Each was targeted before hosting high-stakes negotiations between Iran and world powers over curtailing Tehran’s nuclear program.
The spyware, the firm has now concluded, was an improved version of Duqu, a virus first identified by cybersecurity experts in 2011, according to a Kaspersky report reviewed by The Wall Street Journal and outside security experts. Current and former U.S. officials and many cybersecurity experts believe Duqu was designed to carry out Israel’s most sensitive intelligence-collection operations.
Senior U.S. officials learned Israel was spying on the nuclear talks in 2014, a finding first reported by The Wall Street Journal in March. Officials at the time offered few details about Israel’s tactics.
Kaspersky’s findings, which the Moscow-based company is expected to disclose publicly Wednesday, shed new light on the use of a stealthy virus in the spying efforts. The revelations also could provide what may be the first concrete evidence that the nuclear negotiations were targeted and by whom.
No intelligence-collection effort is a higher priority for Israel’s spy agencies than Iran, including the closed-door talks which have entered a final stage. Israeli leaders say the emerging deal could allow Iran to continue working toward building nuclear weapons, a goal Iran has denied having.
Kaspersky, in keeping with its policy, doesn’t identify Israel by name as the country responsible for the hacks. But researchers at the company indicate that they suspect an Israeli connection in subtle ways. For example, the company’s report is titled “The Duqu Bet.” Bet is the second letter of the Hebrew alphabet.
Researchers at the company acknowledge that many questions remain unanswered about how the virus was used and what information may have been stolen. Among the possibilities, the researchers say, the intruders might have been able to eavesdrop on conversations and steal electronic files by commandeering the hotel systems that connect to computers, phones, elevators and alarms, allowing them to turn them on and off at will to collect information.
Israeli officials have denied spying on the U.S. or Israel’s other allies, although they acknowledge conducting close surveillance on Iranians generally. Israeli officials declined to comment specifically on the allegations relating to the Duqu virus and the hotel intrusions.
...
U.S. intelligence agencies view Duqu infections as Israeli spy operations, former U.S. officials said. While the new virus bore no overt links to Israel, it was so complex and borrowed so heavily from Duqu that it “could not have been created by anyone without access to the original Duqu source code,” Kaspersky writes in its report.
...
A Kaspersky employee in Moscow discovered the virus while testing a new security program on a company computer he assumed was bug-free. Rather than try to kick the hackers out, the company set up a special team to monitor the virus in action to figure out how it worked and what it was designed to do.
...
The company ran tests to determine if any of its 270,000 corporate clients world-wide had been infected. Kaspersky’s list of corporate clients includes big energy companies, European banks and thousands of hotels.
It found infections on a limited number of clients in Western Europe, Asia and the Middle East. None of Kaspersky’s clients in the U.S. were targeted. A targeted cyberattack against a hotel struck researchers as unusual but not unprecedented.
The first hotel with Duqu 2.0 on its computers piqued Mr. Raiu’s interest right away, in light of the revelations he read in the Journal about Israeli spying efforts, he said. The hotel, he said, was a well-known venue for the nuclear negotiations. But he wasn’t sure if it was an isolated case.
Soon thereafter, Kaspersky found the same virus at a second luxury hotel. Initially, Mr. Raiu didn’t see a connection between the hotel and the nuclear talks. Then, a couple of weeks after the discovery of the second hotel, he learned that the nuclear negotiations would take place there. His team was “shocked,” Mr. Raiu recalled. In both cases, the hotels were infected about two to three weeks before the negotiators convened.
Kaspersky provided information about Duqu 2.0 to one of its partners, which did its own round of tests. That search turned up a third infected hotel which hosted the nuclear talks. Mr. Raiu said the third hotel was discovered last but appeared to have been infected first, sometime in 2014.
...
In addition to the three hotels reported to have been hacked, the virus was found in computers at a site used to commemorate the 70th anniversary of the liberation of the Nazi death camp at Auschwitz. Some world leaders had attended events there.
A former U.S. intelligence official said it was common for Israel and other countries to target such international gatherings. “The only thing that’s unusual now is you hear about it,” the official said.
Mr. Raiu said Kaspersky doesn’t know what was stolen from the three hotels or from the other venues. He said the virus was packed with more than 100 discrete “modules” that would have enabled the attackers to commandeer infected computers.
One module was designed to compress video feeds, possibly from hotel surveillance cameras. Other modules targeted communications, from phones to Wi-Fi networks. The attackers would know who was connected to the infected systems, allowing them to eavesdrop on conversations and steal electronic files. The virus could also enable them to operate two-way microphones in hotel elevators, computers and alarm systems.
In addition, the hackers appeared to penetrate front-desk computers. That could have allowed them to figure out the room numbers of specific delegation members.
The virus also automatically deposited smaller reconnaissance files on the computers it passed through, ensuring the attackers can monitor them and exploit the contents of those computers at a later date.