[at-fates-hands]

"Despite the beefed up operational security of the malware, its unmistakable connection to the Duqu 1.0 and the times of day Duqu attackers manually entered Kaspersky's network leave little doubt in the minds of company researchers that the 2011 and 2014 attacks were carried out by the same group."

Not only is this a total stretch, it's complete hearsay.

The reasons for hackers to go after Kaspersky are just as numerous as state sponsored teams to. I find it hard to say it was definitively one or other without further evidence. But in this "government surveillance" panic people are currently in, it's easy to just point a finger and say it was the NSA because this version "looks similar" to another version already deployed.

It's about as solid as saying there were similarities between the type of malware used in the Sony Pictures attack and code used to attack South Korea last year - which was laughed off by most of the info sec community.

[mirimir]

Yes, once malware has been found, it can be reverse-engineered and reused. Also, I recall reading that the NSA relied in part on independent consultants in developing Stuxnet etc. Maybe some of those consultants have other pseudonyms, and other clients. So we have malware proliferation. And it's far worse than, for example, nuclear proliferation. Because it's all just bits.

[igravious]

Incorrect.

https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...

[rjaco31]

Did you actually read the report? There are similarities that are way more consistent than just "looking similar". I tend to agree that attribution is usually a hard guess, but in this case, it's pretty hard to argue against them. Keep in mind that most of those similarities are totally not on the exploit parts, but on the very little quirks on how to handle the 'trivial' things that are extremely specific to your coder. (Also keep in mind that developing such a framework takes tons of time & money, we're talking about years & millions).