Kaspersky being hacked is a lesson for us all


Often times it's not the fact that your business has been hacked that will lose your customers' confidence, but the way your company responds.

When a company suffers an attack (presuming it notices at all), it can take several courses of action.

1. Pretend it never happened. Don't tell your customers, and hope no-one ever finds out.

It's tempting to try to sweep the incident under the carpet, especially if you believe that sensitive customer data may not have been exposed.

But this approach is going to be disastrous for your reputation if the truth eventually leaks out, or if it is later determined that the hack was more serious than you initially thought. Not to mention that the authorities may take a dim view if you didn't report an incident which could have put customers' private information at risk.

2. Put out a bland "security advisory" statement hidden away on a remote corner of your website, explaining how you take security very seriously.

Inevitably you will throw in words like APT and include vague murmurings from security specialists you have helicoptered in that the threat appears to have been "highly sophisticated" and probably the work of a hacking gang supported by a devious foreign government.

3. Admit, yeah, we got hacked. But it wasn't that bad and we don't believe customers or partners are affected.

That final option is the approach taken by Russian anti-virus outfit Kaspersky, who claimed yesterday that some of their internal systems had been compromised by malware.

That's an uncomfortable admission for any anti-virus company, and there may well have been meetings inside Kaspersky where the risks of "going public" about a hack.

But, to its credit, Kaspersky determined the best approach was to not only admit that it had been hacked, but also to provide extensive information on the malware (dubbed Duqu 2.0, it can be considered the son of the son of Stuxnet) that they found attempting to exfiltrate information from their servers.

And the anti-virus company realised that the public's opinion of the incident would be coloured strongly by the media - and with that in mind it co-ordinated blog posts by founder Eugene Kaspersky on his own site and Forbes, live-streamed press conferences in London, and detailed technical analyses of the malware by its team of experts.

In short, it handled what could have been a corporate crisis well - and reassured customers and partners that their data was safe, and the integrity of its security products had not been compromised.

It also rose above the commonly-seen tactic of publicly blaming specific countries for an attack, even though everyone in the computer security business knows that reliable attribution is a minefield. Nonetheless, Eugene Kaspersky seems certain that a nation state was responsible for the hack:

"Governments attacking IT security companies is simply outrageous. We’re supposed to be on the same side as responsible nations, sharing the common goal of a safe and secure cyberworld. We share our knowledge to fight cybercrime and help investigations become more effective. There are many things we do together to make this cyberworld a better place. But now we see some members of this ‘community’ paying no respect to laws, professional ethics or common sense."

Kaspersky isn't the first anti-virus company to have suffered at the hands of hackers, and it certainly won't be the last.

And it shows that even the most security-conscious organisations can fall victim to determined hackers.

The truth is that most companies have probably been hacked to some extent or another - although most of the time they won't have been specifically targeted like Kaspersky probably was.

What's important is for companies to consider testing their own defences, and put effort into hacking themselves, finding vulnerabilities and weaknesses *before* the bad guys strike.



13 Responses

  1. wcoke

    June 11, 2015 at 8:10 am #

    I think that this is just a sign of things to come. The more people use the internet, the more attacks are going to happen. The fact Kaspersky came forward and told everyone was the right thing to do. People are just too complacent when it comes to using the internet, and I think people's use of it needs to change, because if we don't we will all have to move away from it.

  2. IamVendetta

    June 11, 2015 at 9:07 am #

    I guarantee it was done by the government. I also guarantee it was don't be the U.S. Government.

    • Graham Cluley in reply to IamVendetta.

      June 11, 2015 at 9:09 am #

      Are you sure it was don't be the U.S. Government? Because I thought maybe it wasn't don't be the U.S. Government. :)

      • AlainCo (@alain_co) in reply to Graham Cluley.

        June 11, 2015 at 10:59 am #

        Am I naive or is Kasperspy the only antivirus company who detected the virus targeted at Iranian and Syrian (and probably French, German, Chinese too…) ?

        It is clear that in current context it is cold war of antivirus, and frightening the clients of one of the only non-Prism anti-virus provider is valuable for Prism.

        I'm worried, as with TV5, or Sony, to see manipulation involving IT forensic. It is killing trust. maybe is it good in fact?

    • whatevs in reply to IamVendetta.

      September 20, 2015 at 5:13 pm #

      Definitely seems like a government was to blame. Kaspersky is quoted as saying it was very impressive as well as VERY expensive attack to perform.

  3. Suggestion

    June 11, 2015 at 11:53 am #

    Their software, Kaspersky Internet Security, will detect the Duqu malware so customers are protected. It was definitely a dumb thing to think that such a large, reputable company wouldn't uncover this.

    Like Kaspersky said: whoever created the malware will be licking their wounds now that such a 'valuable' virus has been detected and blocked.

    For something so complicated it has to be a state actor. Going public was definitely the right thing to do. Who knows other AV companies may have been attacked and have chosen not to go public.

  4. Bilal

    June 11, 2015 at 2:52 pm #

    Anyone can fall victim to hacks. The thing to do now is to find out who it was and expose the Ba$tards. Do everything you can to go after them in the world courts. Everyone Bull$HITS nowadays about WMDs, but this is a worse nightmare than WMDs ever were!!!!

  5. Alex Eckelberry

    June 11, 2015 at 4:09 pm #

    Well…

    http://blog.eckelberry.com/what-the-kaspersky-breach-tells-us-about-the-state-of-antivirus/

    Detections are still poor.

    • Coyote in reply to Alex Eckelberry.

      June 11, 2015 at 10:22 pm #

      It tells us nothing of the sort. It reminds us, however, that it is still (unsurprisingly)[1] a game of cat and mouse. There's nothing else to it. This isn't just basic logic (antivirus corporations make money because they have a reason to exist!) it is logical in the terms of technology (including security): it evolves and given that it evolves there will always be new techniques (loosely defined), new ideas, new anything and everything. The names of old anti-antivirus techniques were given after antivirus programmers encountered the techniques. Think of the following of many others:

      1. Piggybacking.
      2. Multipartite.
      3. Polymorphism.

      I have deliberately excluded more general things like antidebugging/stealth/encryption. I've also excluded virus hosts (as in what the virus attaches to) with the note that multipartite does indeed refer to hosts but in the same virus. I've excluded encryption above because it is an artefact to mankind (piggybacking refers to a virus piggybacking on an antivirus).

      Yet there is so much more. The above are names created to refer to specific virus properties. Many of those above would trip up heuristics. Piggybacking is even worse.

      This is summarised as such: it is how it has always been and how it always will be (and truthfully how it should be). Yes, yes, security breaches aren't good but the point is you shouldn't expect things to be perfect: there is no such thing as perfect, only continually improving. Any claim of 'perfection' is a suspicious claim at best. In addition, detection capability isn't binary in nature, even for the same strain of the same virus: false positives, false negatives, negative, positive.

      [1] I can think of another antivirus company, one that shall remain nameless, that was compromised. I know it because it was a friend that did it, years ago. I'll also refrain from stating what he did (except to say there wasn't software modification of any kind) and how long before it was uncovered. There have certainly been others and there will be more further. This is also expected.

    • Oisin G. in reply to Alex Eckelberry.

      June 12, 2015 at 1:56 am #

      Alex, have you read their 44 page technical analysis of duqu/2? It's ridiculously advanced. The entire thing is rigidly non-persistent: it lives entirely in memory, and infects entire networks of computers in an incredibly smart and insidious way. There has been nothing more advanced discovered in the history of AV, and you say "detection is poor?" Really? Frankly I'm surprised they found it at all.

      • Fred in reply to Oisin G.

        June 12, 2015 at 5:35 pm #

        Exactly so, Oisin G.

        I suspect it's more to do with their advanced detection techniques which understandably they'll be unwilling to discuss. To target, as their self-congratulatory spiel goes, a "world-class security company" shows real determination, gumption and (maybe) desperation. A large amount of resources would have been needed to get it this far.

        They're reputed for successfully uncovering a number of botnets along with cutting-edge malware and spyware. Somebody wants to find out how they're doing it.

        Barclays customers can get a free copy of Kaspersky Internet Security so now is as good an opportunity as any to protect yourself. I like to see a company at the forefront of protection and they certainly seem to be making their mark against hackers/crackers.

  6. Dave Holbon

    July 7, 2015 at 7:08 pm #

    It matters not how Kaspersky was hacked or what was hacked.

    Any exposure to the Internet will be hacked if it’s important enough or financially viable. There is just no way around this, no matter how clever you think your company or you are.

    Remember some of the best hacks weren’t discovered for years after they were first implemented.

    Even worse are those that give hackers multiple choices by backing up their data to the “cloud”, as some companies have been talked into… madness.

    If you want to keep it secret don’t store it on a computer even without an internet connection (USB/DVD/CD drives are just as good).

    All Antivirus/Malware or other detection systems are always three to six months in arrears for new clever hacks; don’t rely on them for protection.

    Even worse are mobile Phones that you can connect to a computer, either to charge or to download photos or whatever.
