Attackers Stole Certificate From Foxconn to Hack Kaspersky With Duqu 2.0

Alleged Israeli hackers used a digital certificate stolen from leading tech manufacturer Foxconn.

The nation-state malware used to hack the Russian security firm Kaspersky Lab, as well as hotels associated with Iranian nuclear negotiations, used a digital certificate stolen from one of the world's top electronics makers: Foxconn.

The Taiwanese firm makes hardware for most of the major tech players, including Apple, Dell, Google, and Microsoft, manufacturing the likes of iPhones, iPads and PlayStation 4s. Taiwanese companies have been a fruitful source for this hacking group, which many believe to be Israeli: this marks at least the fourth time they have used a digital certificate taken from a Taiwan-based firm to get their malware successfully onto target systems.

It's unclear why the attackers focus on digital certificates from Taiwanese companies, but it may be to plant a false flag and misdirect investigators into thinking China is behind the malware attacks, says Costin Raiu, director of Kaspersky's Global Research and Analysis Team.

A Hack That Undermines All Software

The strategy of stealing and corrupting otherwise-legitimate certificates is particularly galling to the security community because it undermines one of the crucial means for authenticating legitimate software.

Digital certificates are like passports that software makers use to sign and authenticate their code. They signal to browsers and computer operating systems that software can be trusted. But when attackers use them to sign their malware, "the whole point of digital certificates becomes moot," says Raiu.

In order to sign malware with a legitimate digital certificate, the attackers have to steal the signing certificate a company uses for its software. This requires the attackers to first hack these companies.

The attack against Kaspersky, dubbed Duqu 2.0, is believed to have been conducted by the same hackers responsible for a previous Duqu attack uncovered in 2011. They are also widely credited with playing a role in Stuxnet, the digital weapon that attacked Iran's nuclear program. While Stuxnet was likely created jointly by teams in the US and Israel, many researchers believe Israel alone created Duqu 1.0 and Duqu 2.0.

In all three attacks—Stuxnet, Duqu 1.0 and Duqu 2.0—the attackers employed digital certificates from companies based in Taiwan.

Two digital certificates were used with Stuxnet—one from RealTek Semiconductor and one from JMicron—both companies located in the Hsinchu Science and Industrial Park in Hsinchu City, Taiwan. Duqu 1.0 used a digital certificate from C-Media Electronics, a maker of digital audio circuits located in Taipei, Taiwan. Foxconn, from which the fourth digital certificate was stolen, is headquartered in Tucheng, New Taipei City, Taiwan, about 40 miles away from RealTek and JMicron. But it also has a branch office in the Hsinchu business park.

The fact that the attackers appear to have used a different certificate in each attack, instead of re-using the same certificate in multiple attack campaigns, suggests they have a stockpile of stolen certs. "Which is certainly alarming," says Raiu.

Why the Attackers Needed the Certificate

Duqu 2.0 targeted not only Kaspersky, but also some of the hotels and conference venues where the UN Security Council held talks with Iran about its nuclear program.

The Foxconn certificate had been found only on Kaspersky's systems until a few days ago, when someone uploaded a driver file to VirusTotal, a web site that aggregates multiple antivirus scanners: security researchers and anyone else can submit suspicious files to see whether any of the scanners detect them. The driver file uploaded to VirusTotal had been signed with the same Foxconn certificate, suggesting that another victim of Duqu 2.0 has found it on their system as well. Because submissions to VirusTotal are made anonymously, it's not known who found the malicious file on their system.

In the case of the attack on Kaspersky, the hackers used the Foxconn certificate to sign and install a malicious driver on a Kaspersky server. The server was a 64-bit Windows server. The latest 64-bit versions of the Windows operating system don't allow drivers to install unless they are signed with a valid digital certificate.


The driver was signed with the certificate on February 19 of this year. The certificate indicated it belonged to Hon Hai Precision Industry Co. Ltd., also known as Foxconn Technology Group.

The driver was crucial to the attack on Kaspersky. Because most of the Duqu 2.0 toolkit the attackers installed on Kaspersky's systems was stored in the memory of these systems, any time an infected system got rebooted the malware would disappear. With nothing on disk to re-install it, the attackers ran the risk of losing infected machines. So to combat this, they stored the signed driver on another machine on the network. Any time an infected machine got rebooted, the driver could then relaunch an infection on the cleaned machine.

The driver served another purpose, though. It helped the attackers communicate stealthily and remotely with infected networks. Often, criminal hackers will have every infected machine on a network communicate with their external command-and-control server. But large amounts of traffic like this can raise alerts. So the Duqu 2.0 attackers limited the traffic by using this driver to tunnel communication to and from infected machines on the network and steal data from them. They installed the driver on Kaspersky firewalls, gateways and servers that were connected to the internet in order to establish a bridge between infected systems and their command-and-control servers.

Signing Was a Risky Move

Raiu says that in some ways it's a mystery why the attackers decided to sign their driver with a certificate, since they also used zero-day exploits in their attack. The exploits attacked vulnerabilities in the Windows operating system that allowed the intruders to bypass the Windows requirement that all drivers be signed. "They didn't need to sign anything else because they had administrative access and they relied on [zero-day exploits] to load the code into kernel mode," he says.

So Raiu thinks they signed the driver to provide additional assurance that they would be able to reinfect systems even if the vulnerabilities got patched.

"If any of the [zero-day] vulnerabilities get patched and all the computers are rebooted and the malware is evicted from the network, they still have the signed driver, which is almost invisible and will allow them to come back to the infected networks," he says.

Why they used a Foxconn certificate in particular—surely one of the most valuable certificates they must have owned—instead of one from a lesser Taiwanese company indicates to him "that it was a very high-profile attack" and they wanted to ensure its success.

But it was the digital certificate that helped Kaspersky find the stealth driver.

Kaspersky uncovered the breach of its networks after an engineer, testing a new product on a company server, spotted anomalous traffic that prompted him to investigate further. Eventually the company determined that a couple dozen Kaspersky systems had been infected. In the course of that investigation, Raiu says, they didn't just look for anomalous behavior on their systems, but also for any other anomaly, such as an unusual digital certificate. Knowing that such certificates had been used in past attacks, they suspected one might be involved in their breach as well.

The fact that the Foxconn certificate was extremely rare—it had only been used in the past by Foxconn to sign very specific drivers in 2013—immediately raised suspicions and resulted in them finding the malicious Duqu 2.0 driver.
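The certificate hunt described above, as an added example that is not Kaspersky's code and not from the article: it flags a signed driver whose signer is rare across the fleet, or whose signature was made long after that signer's last known legitimate signing activity. The host inventory, the known-good signer history and the thresholds are all constructed; a real run would feed it Authenticode signer and timestamp data collected from the hosts.

```python
"""Hunt for unusual code-signing certificates on drivers across a fleet.
Added illustration, not the article's or Kaspersky's code."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed fleet inventory: (host, driver file, signer subject, signing date).
FLEET = [
    ("srv-01", "chipset.sys",  "Example Chipset Vendor", date(2014, 5, 10)),
    ("srv-02", "chipset.sys",  "Example Chipset Vendor", date(2014, 5, 10)),
    ("ws-07",  "chipset.sys",  "Example Chipset Vendor", date(2014, 5, 10)),
    ("srv-01", "audio.sys",    "Example Audio Co",       date(2013, 9, 1)),
    ("ws-07",  "audio.sys",    "Example Audio Co",       date(2013, 9, 1)),
    ("gw-01",  "portserv.sys", "Example Manufacturer",   date(2015, 2, 19)),
]

# Constructed reference of known-good signing activity per signer (in practice
# built from vendor releases or AV telemetry): last legitimate signing date.
KNOWN_GOOD_LAST_SIGNED = {
    "Example Chipset Vendor": date(2014, 5, 10),
    "Example Audio Co":       date(2013, 9, 1),
    "Example Manufacturer":   date(2013, 6, 30),  # only ever signed drivers in 2013
}

def hunt(fleet, known_good, min_hosts=2, max_gap=timedelta(days=365)):
    """Return (record, reasons) for each signed driver that looks anomalous."""
    hosts_by_signer = defaultdict(set)
    for host, _, signer, _ in fleet:
        hosts_by_signer[signer].add(host)
    findings = []
    for rec in fleet:
        host, path, signer, signed_on = rec
        reasons = []
        seen_on = len(hosts_by_signer[signer])
        if seen_on < min_hosts:  # rare signer in this environment
            reasons.append(f"signer seen on only {seen_on} host(s)")
        last_good = known_good.get(signer)
        if last_good is None:
            reasons.append("signer has no known-good signing history")
        elif signed_on - last_good > max_gap:  # signed long after the vendor's last release
            reasons.append(f"signed {(signed_on - last_good).days} days after last known release")
        if reasons:
            findings.append((rec, reasons))
    return findings

if __name__ == "__main__":
    for (host, path, signer, signed_on), reasons in hunt(FLEET, KNOWN_GOOD_LAST_SIGNED):
        print(f"{host}: {path} signed by '{signer}' on {signed_on}: {'; '.join(reasons)}")
```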