The computers in three luxury hotels that hosted high-stakes negotiations on Iran's nuclear program were infected with an improved version of one of the world's most powerful computer viruses, The Wall Street Journal reports.
The discovery of the Duqu virus — a collection of malware used primarily for sensitive intelligence-collection operations — by cybersecurity firm Kaspersky Lab ZAO provides the first solid evidence that Israel had in fact been spying on the talks, a suspicion that was first reported in March 2015.
Kaspersky has not officially named Israel as the source of the attack. But the uncovered virus "was so complex and borrowed so heavily from Duqu that it 'could not have been created by anyone without access to the original Duqu source code," according to the Journal and Kaspersky's report.
Duqu — and malware linked to it — has been used by Israel to spy on Iran in the past, copying blueprints of Iran’s nuclear program. The malware has a variety of functions to suck up information.
"Since Duqu uses root capabilities and exploits vulnerabilities that allow for an elevation of privileges, Duqu can be used to install other code that can keystroke log, record conversations, record video, extract files, track any activity that occurs on the infected Windows PC or laptop," Jeff Bardin, chief intelligence officer of Treadstone 71, told Business Insider. "This includes the capturing of user ids, passwords, and sensitive files."
Bardin added: "Once the code is installed, most anti-virus software cannot detect or remove this malware. Duqu allows for the complete takeover of the target Windows devices."
In 2012, Kaspersky told The New York Times that it believed Duqu was created by the same state-sponsored program as the Stuxnet and Flame viruses, which also targeted Iran's nuclear program.
Stuxnet, a joint US-Israel project, is known for reportedly destroying roughly a fifth of Iran’s nuclear centrifuges by causing them to spin out of control. Flame is a massive program that leaves a back door (i.e., a Trojan) on computers, through which it siphons information from networks using the same kinds of capabilities Bardin described as functions of Duqu.
Chris Weber, cofounder of Casaba Security, told Business Insider that the improved version of Duqu, dubbed Duqu 2.0, "is an extremely advanced malware platform with delivery mechanisms on par with Stuxnet."
"Once infected, the Duqu platform offers its operators ability to install either a simple, memory-resident backdoor or a more persistent and fully featured command and control package," Weber explained. "After that the platform allows for leverage into other parts of the network."
Weber called Duqu 2.0 "bad-ass" and said the malware "is the tool of choice for nation-state spying."
After intercepting communications between Israeli officials, the White House suspected that Israel had been spying on the negotiations to gather sensitive information that it could then reveal to Congress in hopes of sinking the deal.
The administration did not elaborate on the tactics used, however, saying only that Israeli officials couldn't have possibly known certain details surrounding the talks without actually being in the room.
Kaspersky researchers were alerted to Duqu's resurgence after detecting the virus in their own system earlier this year — it had been there, Kaspersky believes, for at least six months.
The FBI is investigating Kaspersky's claims, according to The Journal. The firm has declined to name the three European hotels that were targeted.
Nuclear talks were held at the Beau-Rivage Palace in Lausanne, Switzerland, the Intercontinental in Geneva, the Palais Coburg in Vienna, the Hotel President Wilson in Geneva, the Hotel Bayerischer Hof in Munich and Royal Plaza Montreux in Montreux, Switzerland.