Stuxnet-Like Digital Attack on Iran Nuclear Talks May Have Come from Israel, Security Researchers Say

Federica Mogherini, High Representative of the Union for Foreign Affairs and Security Policy and Vice-President of the EC with Iranian Foreign Minister Javad Zarif in Hotel Beau Rivage in Lausanne during the talks of E5/EU+1.

Federica Mogherini, High Representative of the Union for Foreign Affairs and Security Policy and Vice-President of the EC with Iranian Foreign Minister Javad Zarif in Hotel Beau Rivage in Lausanne during the talks of E5/EU+1. This photo is used under CC BY-NC-ND 2.0 from the European External Action Service's Flickr photo stream.

Moscow-based technical security company Kaspersky Lab last week revealed evidence of a new cyber attack on both its own network and those of several European hotels that hosted nuclear negotiations between Iran and the P5+1 (US, Russia, China, Britain, France and Germany) last year.

This follows a March 2015 Wall Street Journal report that revealed senior White House officials knew Israel was spying on talks surrounding Iran's nuclear program. The report explained, “the spying operation was part of a broader campaign by Israeli Prime Minister Benjamin Netanyahu's government to penetrate the negotiations and then help build a case against the emerging terms of the deal.”

Kaspersky Lab is an internationally recognized software security research group and antivirus developer headquartered in Russia and registered in the UK. The group is a leading institution in the field of software and network security and regularly publishes research on security vulnerabilities and digital attacks.

Kaspersky and the US technical security company Symantec Corp independently verified that the virus used in the attack appears to be an offshoot of the espionage software called Duqu, which security experts linked to the Israeli government. In a June 10 report, Ars Technica explained that Duqu appeared to be an ancestor of the now infamous Stuxnet virus, the US-Israel digital espionage project targeting Iran's nuclear program and designed to sabotage the centrifuges enriching uranium.

Developers planted several false flags in the malware to give the appearance its origins were in Eastern Europe or China. But as the Kaspersky researchers delved further into the 100 modules that encompass the platform, they discovered it was an updated version of Duqu, the malware discovered in late 2011 with code directly derived from Stuxnet. Evidence later suggested Duqu was used to spy on Iran's efforts to develop nuclear material and keep tabs on the country's trade relationships. Duqu's precise relation to Stuxnet remained a mystery when the group behind it went dark in 2012. Now, not only was it back with updated Stuxnet-derived malware that spied on Iran, it was also escalating its campaign with a brazen strike on Kaspersky.

Kaspersky researchers couldn't explain whether individual participants in the nuclear talks were targeted, but they say the video and audio conference systems of the hotels may have been targets of spying.

A screenshot of the windows installer files used by Duqu 2.0. Kaspersky explains this to be a "malicious stub" in their technical report.

A screenshot of the windows installer files used by Duqu 2.0. Kaspersky explains this to be a “malicious stub” in their technical report. Image taken from Kaspersky Lab's “The Duqu 2.0: Technical Details.”

Israel's Deputy Minister of Foreign Affairs Tzipi Hotovely has denied Israel's involvement:

There is no basis for the international reports claiming Israel was involved in the matter. What’s much more important is that we prevent a bad deal, otherwise, at the end of the day, we will find ourselves under Iran’s nuclear umbrella.

While it is hard to directly link these viruses to state surveillance activities, the series of events beginning with Stuxnet can offer some clues. Ars Technica surmises that Duqu is likely the work of “a wealthy nation-state”:

While neither the US nor Israel has officially acknowledged any involvement with Stuxnet, New York Times reporter David Sanger's book Obama's Secret Wars and Surprising Use of American Powerleaves little doubt the computer weapon was jointly developed by the two countries in an attempt to sabotage Iran's uranium enrichment program. Nearly identical code signatures in Stuxnet and the 2011 version of Duqu mean that whoever developed the latter had broad access to the Stuxnet source. And given the work schedules of the Duqu attackers, it seems likely they were physically located in or near Israel….even if Israel wasn't directly involved, there's little doubt Duqu is the work of a wealthy nation-state or at least supported by one.

For the technical report of the Kaspersky findings, see here.

1 comment

Join the conversation

Authors, please log in »

Guidelines

  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.