Kaspersky: Iran talks spyware uses Foxconn’s credentials

Russian security firm reveals Duqu virus found in conferencing equipment redirected information using Foxconn’s digital credentials

Photo by: Reuters
Photo by: Reuters

Updated Jul 28, 2015

Further research into the sophisticated computer virus used to hack into hotels where the Iran nuclear talks took place has found it took advantage of digital credentials stolen from the world's top contract electronics maker Foxconn.

Russian security company Kaspersky Lab said on Monday that researchers learned the Duqu 2.0 virus had redirected computer traffic by using a legitimate digital certificate from Taiwan's Hon Hai, also known as Foxconn.

Foxconn customers have included many of the world's biggest electronic makers, including Apple, Blackberry, Google, Huawei and Microsoft.

Kaspersky revealed its initial findings in a report last week in which it said it found the virus in conferencing equipment at three European hotels used in talks involving Iran and six world powers, among other targets.

Digital certificates are the credentials which identify legitimate computers on a network. They act as the basis of e-commerce and other largely automated transactions on the Web.

In recent years, cyberspies have begun to exploit stolen certificates to trick machines into thinking malicious software comes from legitimate computers, an escalation posing a grave threat to business done over the Internet, security experts say.

The "P5+1" group of six world powers have been negotiating with Iran on curbs to its disputed nuclear program - the United States, Russia, China, Britain, France and Germany.

The on-again, off-again series of talks to reach a comprehensive nuclear deal with Iran have been held in Geneva, Lausanne, Montreux, Munich and Vienna since last year.

Both Moscow-based Kaspersky and US security company Symantec said the virus shared some programming with previously discovered espionage software called Duqu, which security experts believe to have been developed by Israelis.

Israel, which has strongly opposed the powers' diplomatic opening to its arch-enemy Iran, denied any connection with the virus. In February, the United States accused Israel of using selective leaks from the talks to distort the US position.

The West suspects Iran wants to develop a nuclear weapons capability from its enrichment of uranium. Iran says it wants nuclear energy only for electricity and medical isotopes.

Symantec and Kaspersky analysts have said there was overlap between Duqu and Stuxnet, a US-Israeli project that sabotaged Iran's nuclear program in 2009-10 by destroying a thousand or more centrifuges that were enriching uranium.

The Stuxnet virus took advantage of stolen digital certificates from two other major Taiwanese companies, JMicron Technology and Realtek Semiconductor, Kaspersky said in a report it published in 2010.

"Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates," Kaspersky said in a summary of its report on Monday.

Kaspersky said it had notified Foxconn of the stolen credentials. Foxconn was not immediately available to comment on steps it has taken to secure its systems.

Last week, Kaspersky said Duqu 2.0 had evolved from the earlier Duqu, which had been deployed against unidentified targets for years before it was discovered in 2011.

It said Duqu 2.0 used three previously unknown flaws in Microsoft software to infect machines, for which the software giant subsequently released patches to fix. The attack left almost no traces.