The purpose of this post is not to give the technical details behind the attack on Kaspersky and the various attributes of the Duqu 2.0 malware that was used in the attack. For those interested in such details, I would suggest reading Kaspersky’s informative, in-depth report. For the present, I will only give the basic framework of the attack so that I can delineate some possible implications that may have arisen from it.
In the beginning, there was Stuxnet. It is commonly believed that the U.S. and Israel jointly developed the famed Stuxnet worm to sabotage the centrifuges of Iran’s uranium enrichment program. It was a huge success and completely changed the malware landscape. That success inspired variations on it that appeared in the form of Flame and the original Duqu, and there were probably others along the way; every major nation-state interested in cyber attacks probably has something like it. Duqu was supposedly developed by Israel. I say “supposedly” because all of these nation-state malware designers try to hide their origin by planting false clues in the code to mislead researchers into believing it was developed by some other country. However, let’s assume, for the sake of this post, that Israel was behind the original Duqu, as most believe. According to Kaspersky, Duqu 2.0 bears enough similarities to the original Duqu to assume that it was developed by the same people.
Kaspersky found that, in the original Duqu code, the compile time stamps indicated that the malware was built by developers working in a Middle East time zone who did not work on Saturdays and began their work week on Sundays. The Duqu 2.0 designers, seemingly aware of these findings, took special care to fake their time stamps. Kaspersky says the code in the two is too similar to have been written by different developers: “Since these [codes] have never been made public and considering the main interest appears to have remained the same, we conclude the attackers behind Duqu and Duqu 2.0 are the same.” However, Kaspersky stops short of actually naming Israel, even though the report contains page after page of evidence of how similar the two programs are.
Nonetheless, if we look at who was targeted and add that to the similarities in the two code bases, it seems pretty clear that Israel is behind Duqu 2.0. The goal was the same as in the original Duqu: to gain insight into developments in Iran’s nuclear program. Duqu 2.0 targeted the venues (hotels) in which the negotiations on the Iran nuclear program were held. It seems the malware was designed to listen in on the discussions and intercept email from the participants. The operators of the malware, therefore, must have gained a lot of information from both sides. In other words, they knew more about Iran’s plans and capabilities than any other participant.
But why target Kaspersky? Actually, it’s not even clear to Kaspersky why Duqu 2.0 targeted them. It could be simple spying: the attackers may just have wanted to find out what Kaspersky was doing. In any event, they got into Kaspersky’s network by spear phishing an employee and then used up to three zero-day exploits to gain privileges and move laterally within the network. They managed to stay hidden for months (possibly six) before being discovered. The attackers may have been trying to learn how Kaspersky was building defenses against malware like Duqu 2.0, and to whom those defenses were being distributed, so that they could learn to circumvent them for their own purposes. A final reason for getting into Kaspersky may have been to see when, and how, their Duqu 2.0 malware was discovered. Once they saw that their time was up, those operating the malware could begin wiping all traces of it from that network and elsewhere.
So what, if anything, does Israel know about Iran’s nuclear program after all of this work? Back in April, Newsweek asserted that Iran is, indeed, trying to hide something. If not, the argument goes, why would it be so adamantly against unscheduled inspections? The report further points out that a credible Iranian opposition group claimed that Iran had a parallel nuclear program engaged in producing weapons-grade uranium. This secret site is known among insiders as Lavizan-3 and is located on a military base near Tehran. The group released this information in February 2015.
Israeli Prime Minister Benjamin Netanyahu was scheduled to give his speech before a joint session of Congress in March, but before he arrived the Pentagon declassified a top-secret document on Israel’s nuclear weapons development and quietly released it. It is not clear what the purpose of this was, especially since it is generally acknowledged that Israel does, indeed, have nuclear weapons. Maybe it was just to distract attention from Netanyahu’s speech or to undermine his credibility, as there was, at that time, a feeling that Netanyahu might have been a bit too paranoid about Iran and its goal of developing nuclear weapons.
However, it now seems more likely that Netanyahu was not being overly paranoid after all. Information about Iran’s activities up to the present shows that it has made no changes to its nuclear program; in fact, the IAEA found that production had increased by 20%. This agrees with information from the Pentagon and from the Institute for Science and International Security, which issued a report in June 2015 showing that Iran had produced four tons of enriched uranium since the preliminary deal came into effect in January 2014. This seems to indicate a total disregard for compliance on Iran’s part.
Throughout this period, Israel was continuing to spy on the Iran nuclear negotiations with its Duqu 2.0 malware. It is quite likely that Israeli intelligence gained some valuable insights and passed them on to Netanyahu before he gave his speech in the US. Why, then, didn’t Netanyahu tell Congress about them? Did he mention them to President Obama? First, Obama refused to meet with him. Second, he could not pass on any information obtained through Duqu 2.0 to anyone: doing so would risk revealing the source and, with it, the implant and the zero-day exploits it depended on. As a consequence, Netanyahu would, by default, appear paranoid about Iran’s nuclear program, because he would seem to have an insufficient rationale for his hard line against it.
For their part, the Iranians said they had always suspected that Israel was spying on the negotiations and were not surprised by the recent revelations. But the malware targeted the hotels’ reception systems, so the operators knew the exact rooms in which all the negotiators were staying. Did the Iranians suspect that their rooms were being targeted as well?
Once Duqu 2.0 was discovered, the information Israel found could have been passed on to the US and the other negotiators. If it were found that Iran was truly pursuing a nuclear weapons program, we could expect to see a hardening of the West’s position towards Iran, especially with regard to unscheduled inspections of military bases. Iran, for its part, would take the opposite position: it would, of course, deny any parallel program, and it would refuse to agree to any unscheduled inspections or any inspections of military bases. In other words, there would inevitably be a deadlock. This seems to be where the negotiations are now. Iran says that military bases are off-limits because inspecting them would amount to spying on its military. It also says that any unscheduled inspection must come with 24 days’ notice, which doesn’t sound much like an unscheduled inspection.
Iran wants a complete lifting of sanctions when an agreement is signed, with no return to sanctions if future violations of the agreement occur. On the other hand, the West, or at least Europe, Israel and some members of the US Congress, wants sanctions to snap back immediately if a violation occurs. It looks like a deadlock, and a deadlock can only help Iran if its goal is to develop nuclear weapons. Sure, it would like to be free of sanctions but, barring that, it could accept becoming a nuclear state as a consolation prize. Naturally, it would be best, from Iran’s point of view, to get both.
The current negotiations have a June 30th deadline. It now seems unlikely that an agreement will be reached by then and, as usual, there will be an emergency extension. It is unclear what the Duqu 2.0 attack uncovered or how much of the information it gleaned was given to the Western negotiators. I suppose this will eventually be leaked. However, it now appears that the West will have to proceed with more than the usual caution, and Iran, if it is serious about ridding itself of sanctions, will have to give the IAEA unconditional access. Anything less can no longer be an option.