Spy Virus Linked to Israel Targeted Hotels Used for Iran Nuclear Talks
Cybersecurity firm Kaspersky Lab finds three hotels that hosted Iran talks were targeted by a virus believed used by Israeli spies.
Three hotels that hosted the Iran nuclear program talks have been targeted by a spy virus linked to Israeli spies. WSJ’s Adam Entous reports. Photo: Brendan Smialowski/Press Pool
When a cybersecurity firm discovered it had been hacked last year by a virus widely believed to be used by Israeli spies, it wanted to know who else was on the hit list.
The Moscow-based firm, Kaspersky Lab ZAO, checked millions of computers world-wide and three luxury European hotels popped up. The other hotels tested—thousands in all—were clean. Researchers at the firm weren’t sure what to make of the results. Then they realized what the three hotels had in common.
Each was infiltrated by the virus before hosting high-stakes negotiations between Iran and world powers over curtailing Tehran’s nuclear program.
The spyware, the firm has now concluded, was an improved version of Duqu, a virus first identified by cybersecurity experts in 2011, according to a Kaspersky report and outside security experts. Current and former U.S. officials and many cybersecurity experts say they believe Duqu was designed to carry out Israel’s most sensitive intelligence collection.
Senior U.S. officials learned Israel was spying on the nuclear talks in 2014, a finding first reported by The Wall Street Journal in March. Officials at the time offered few details about Israel’s tactics.
Kaspersky’s findings, disclosed publicly in a report on Wednesday, shed new light on the use of a stealthy virus in the spying efforts. The revelations also could provide what may be the first concrete evidence that the nuclear negotiations were targeted and by whom.
Israeli officials have denied spying on the U.S. or other allies, although they acknowledge conducting close surveillance on Iranians generally. Israeli officials declined to comment specifically on the allegations relating to the Duqu virus and the hotel intrusions.
But no intelligence-collection effort is a higher priority for Israel’s spy agencies than Iran, including the closed-door talks that have entered a final stage. Israeli leaders say the emerging deal could allow Iran to continue working toward building nuclear weapons, something Iran denies it is trying to do.
Kaspersky, in keeping with its policy, doesn’t identify Israel by name as the country responsible for the hacks. But researchers at the company indicate that they suspect an Israeli connection in subtle ways.
For example, the version of the company’s report viewed by the Journal before its release was titled “The Duqu Bet.” Bet is the second letter of the Hebrew alphabet. Kaspersky revised the title in the final version of the report released Wednesday, removing the “Bet” reference.
U.S. Secretary of State John Kerry, right, talks to Iranian Foreign Minister Mohammad Javad Zarif on May 30 in Geneva. Photo: Susan Walsh/Press Pool
Kaspersky researchers acknowledge that many questions remain unanswered about how the virus was used and what information may have been stolen.
Costin Raiu, director of the global research and analysis team at Kaspersky, said the virus was packed with more than 100 discrete “modules” that would have enabled the attackers to commandeer infected computers.
One module was designed to compress video feeds, possibly from hotel surveillance cameras. Other modules targeted communications, from phones to Wi-Fi networks. The attackers would know who was connected to the infected systems, allowing them to eavesdrop on conversations and steal electronic files.
The virus could also enable them to operate two-way microphones in hotel elevators, computers and alarm systems. In addition, the hackers appeared to penetrate front-desk computers. That could have allowed them to figure out the room numbers of specific delegation members.
The virus also automatically deposited smaller reconnaissance files on the computers it passed through, ensuring the attackers can monitor them and exploit the contents of those computers at a later date.
The Federal Bureau of Investigation is reviewing the Kaspersky analysis and hasn’t independently confirmed the firm’s conclusions, according to people familiar with the discussions. U.S. officials, though, said they weren’t surprised to learn about the reported intrusions at the hotels used for the nuclear talks and took the findings seriously.
Israeli Prime Minister Benjamin Netanyahu, center-left, speaks to his cabinet on May 31, hours after warning against making concessions to Iran in the nuclear talks. Photo: Menahem Kahana/Press Pool
“We’re trying to keep as much security as we can, but nothing ever stays completely secret in this world we live in these days,” a senior U.S. official told reporters Wednesday.
Iranian officials could not be reached for comment. The German, French and British governments declined to comment.
Kaspersky, which protects hundreds of millions of computers from intruders, didn’t realize its own computers were compromised for more than six months after the 2014 breach.
Hackers and intelligence agencies have long targeted security companies, given the valuable information they can learn about the Internet’s defenses.
Mr. Raiu said the attackers first targeted a Kaspersky employee in a satellite office in the Asia-Pacific region, likely through email that contained an attachment in which the virus was hidden.
By opening the attachment, the employee inadvertently would have allowed the virus to infect his computer through what Kaspersky believes was a hacking tool called a “zero-day exploit.” Such tools take advantage of previously unknown security holes—giving software companies no opportunity to prevent hackers from sneaking in through them. Kaspersky says the hackers used up to two more “zero-day exploits” to work further into Kaspersky’s system.
That alone, Kaspersky and outside experts say, offers evidence of the hackers’ sophistication. These kinds of tools are expensive to create and are guaranteed to work only the first time they are used. After that, companies can build up digital antibodies through software patches.
Security researchers such as Kaspersky’s Mr. Raiu often strive not just to find hackers, but also to find links between breaches through digital detective work. It is a mix of computer science, instinct and luck. In this case, Mr. Raiu saw links between this new virus and Duqu.
U.S. intelligence agencies view Duqu infections as Israeli spy operations, former U.S. officials said. While the new virus bore no overt links to Israel, it was so complex and borrowed so heavily from Duqu that it “could not have been created by anyone without access to the original Duqu source code,” Kaspersky writes in its report.
To check his conclusions, Mr. Raiu a few weeks ago emailed his findings to a friend, Boldizsár Bencsáth, a researcher at Budapest University of Technology and Economics’ Laboratory of Cryptography and System Security. Mr. Bencsáth in 2011 helped discover the original Duqu virus.
“They look extremely similar,” Mr. Bencsáth said in an interview Tuesday. He estimated a team of 10 people would take more than two years to build such a clean copycat, unless they were the original author.
In the early spring, Kaspersky found itself on the other side of the digital intrusions it investigates. A Kaspersky employee in Moscow discovered the virus while testing a new security program on a company computer he assumed was bug-free.
Rather than try to kick the hackers out, the company set up a special team to monitor the virus in action to figure out how it worked and what it was designed to do.
The way the virus operated took the team by surprise. It jumped from one system to another, slowly attacking an increasing number of computers. The virus sought to cover its tracks, abandoning machines the attackers deemed of no additional interest, while leaving a small file that would allow them to return later.
Mr. Raiu said the company had been bracing for cyberintrusions but didn’t expect anything this sophisticated. The attackers moved slowly through Kaspersky’s systems to avoid attracting attention. Mr. Raiu concluded that they probably valued stealth more than anything else.
The company dubbed the new-and-improved virus Duqu 2.0. The company ran tests to determine if any of its 270,000 corporate clients world-wide had been infected. Kaspersky’s list of corporate clients includes big energy companies, European banks and thousands of hotels.
In a written statement with the report that was reviewed by the Journal, Kaspersky said it didn’t expect the incident to make customers more vulnerable to hackers.
“Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services,” it said.
It found infections on a limited number of clients in Western Europe, Asia and the Middle East. On Wednesday, the American security company Symantec Corp. said it had found Duqu 2.0 on U.S. computers.
A targeted cyberattack against a hotel struck researchers as unusual but not unprecedented.
The first hotel with Duqu 2.0 on its computers piqued Mr. Raiu’s interest right away, in light of the revelations he read in the Journal about Israeli spying efforts, he said. The hotel, he said, was a well-known venue for the nuclear negotiations. But he wasn’t sure if it was an isolated case.