Banks Fall Victim to Nation-State Malware

Tzury Bar Yochay
Published in Reblaze Blog
Feb 15, 2017

In 2010, the Stuxnet computer worm was first exposed. Widely believed to have been created by the U.S. and Israel, the software severely disrupted Iran’s nuclear program.

Stuxnet was extremely sophisticated. Unsurprisingly, variants of it popped up immediately, as threat actors adapted some of Stuxnet’s techniques for their own purposes.

In 2011, Duqu was discovered. This malware is extremely similar to Stuxnet, although designed for espionage rather than sabotage. It is widely believed to be from the same source.

The threat actors behind Duqu seemed to go dark in 2012. But then in 2014, they unleashed a much more powerful variant against Kaspersky Lab. This became known as Duqu 2.0. (It wasn’t discovered by Kaspersky researchers until 2015.)

Duqu 2.0 displayed a level of sophistication not seen before. Among other innovations, the malware does not reside in, or modify, any disk files. Instead, it remains completely in memory. This makes it invisible to most detection methods.

This also makes it extremely difficult to maintain active infections, since every infected machine becomes clean each time it is rebooted. Yet, as researchers noted, “the Duqu 2.0 threat actor was confident enough to create and manage an entire cyber-espionage operation just in memory — one that could survive within an entire network of compromised computers without relying on any persistence mechanism at all.”

And it did survive, undetected, for months.

Kaspersky researchers are certain that this is the product of a national government:

“We believe this is a nation-state sponsored campaign…

“The philosophy and way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT world. Its level of sophistication surpasses even the Equation Group — supposedly the ‘crème de la crème’ in this sphere…

“Developing and operating such a professional malware campaign is extremely expensive and requires resources beyond those of everyday cybercriminals. The cost of developing and maintaining such a malicious framework is colossal: we estimate it to be around $50 million.”

Duqu 2.0 pioneered the malware-only-in-memory approach. Now this technique is being used against enterprise targets, including banks, telecoms, and government organizations.

The number of victims identified so far: 140.

The source of the malware is unclear. It’s unknown whether these penetrations were done by the original nation-state authors of Duqu, or by an innovative group of private cybercriminals.

But these attacks do seem to have different motives than the initial deployments of Duqu. As one researcher commented:

“What’s interesting here is that these attacks are ongoing globally against banks themselves… [The attackers are] pushing money out of the banks from within the banks,” by attacking ATM systems.

As we’ve discussed before, government-developed malware is (usually) developed for political purposes. But once it gets into the wild, governments can no longer control its use.

It doesn’t really matter whether the bank infections are being done by the original nation-state, or if some hackers adapted Duqu for their own use instead.

The banks are being attacked regardless.

This is yet another example of how government-developed malware can pose a grave threat to private organizations.

Photo credit: U.S. National Security Agency
