It was reported on Monday that Stuxnet’s more sophisticated older brother Duqu 2.0, which was used in the recent attack on cybersecurity firm Kaspersky Lab, manages to penetrate high-security systems by using stolen digital certificates from major electronics manufacturers.
More on stolen Foxconn digital certificates used in Kaspersky hack
Kaspersky Lab released a statement on Monday noting it had discovered that the hack on its systems was accomplished using digital certificates belonging to Foxconn, the contract electronics manufacturer that makes the iPhone, Xbox and other products for a number of well-known firms.
Drivers for 64-bit versions of Windows must be signed with a digital certificate before they can be installed, and Foxconn used one such certificate in 2013 to sign several genuine drivers for Dell laptop computers. However, the attackers who hacked Kaspersky somehow appropriated that certificate and used it to sign their own malicious drivers.
Of note, the drivers were the only part of the Duqu 2.0 malware that was found on local hard drives. The malware drivers were found on Kaspersky firewalls and gateways that had direct Internet access, and were used to secretly divert important information to the hackers.
Not the first time
Kaspersky also pointed out that the Foxconn certificate is the third one used to sign malware that has been connected to the same attackers. The Stuxnet malware (supposedly developed by the U.S. and Israel to sabotage Iran) used a digital certificate from hardware manufacturer Realtek. A certificate from JMicron was also misappropriated several years ago to sign Stuxnet-related malware in another incident. None of the three certificates has been found signing any other malware.
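The practical lesson of the three cases above is that a signature chaining to a real vendor's certificate proves little on its own. The following PowerShell is an added example, not code from the article or from Kaspersky Lab: it inventories the signer of every driver on a Windows host and flags for manual review any driver signed by one of the vendors named above, even when Windows reports the signature as valid. The watchlist strings come from the article; the driver directory and the output fields are assumptions.

```powershell
# Added example: report driver signers and flag watchlisted vendors for review.
# A Status of "Valid" is deliberately not treated as proof of trust.

# Vendor names taken from the article (assumed as substring matches on the subject).
$Watchlist = @(
    'Hon Hai Precision Industry',   # Foxconn certificate abused by Duqu 2.0
    'Realtek',                      # certificate abused by Stuxnet
    'JMicron'                       # certificate abused by Stuxnet-related malware
)

function Get-DriverSignerReport {
    param(
        # Assumed default location; point this at gateway or firewall images as needed.
        [string]$DriverPath = "$env:SystemRoot\System32\drivers"
    )
    Get-ChildItem -Path $DriverPath -Filter *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            $subject = if ($cert) { $cert.Subject } else { '<unsigned>' }
            $hit = $Watchlist | Where-Object { $subject -like "*$_*" }
            [pscustomobject]@{
                File       = $_.Name
                Status     = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
                Signer     = $subject
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
                ReviewFlag = [bool]$hit                        # watchlisted signer: review by hand
            }
        }
}

# Usage: list drivers that are either unsigned/invalid or signed by a watchlisted vendor.
Get-DriverSignerReport |
    Where-Object { $_.ReviewFlag -or $_.Status -ne 'Valid' } |
    Sort-Object ReviewFlag -Descending |
    Format-Table -AutoSize
```

A flagged row is a review queue entry, not a verdict: legitimate Realtek drivers are common, so compare the reported Thumbprint against the vendor's currently published certificate rather than acting on the subject name alone.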
Statement on Kaspersky hack
“The fact that they have this ability and don’t reuse their certificates like other APT groups means they probably [used them only for targeted attacks],” Costin Raiu, the director of Kaspersky Lab’s Global Research and Analysis Team, explained in a media conference call. “This is extremely alarming because it undermines all the trust we have in digital certificates. It means that digital certificates are no longer an effective way of defending networks and validating the legitimacy of the packages. It’s also important to point out that these guys are careful enough not to use the same digital certificates twice.”
Kaspersky Lab has contacted Foxconn and alerted them to the theft and misuse of the certificate, but has not received a response. Kaspersky also informed VeriSign, the certificate authority that issued the Foxconn certificate. The digital certificate used in the Kaspersky hack was issued to Hon Hai Precision Industry Co. Ltd., the official name of Foxconn.