The Stuxnet-derived malware that hit Kaspersky Lab in a recent cyberattack used digital certificates from the Taiwanese electronics manufacturer Foxconn, according to analysis by the security vendor.
Kaspersky found that the attackers abused digital signatures, which are supposed to be attached only to legitimate products, on the Duqu malware because 64-bit Windows systems require one to be supplied with each driver.
As part of the attack, the hackers installed the malicious drivers on firewalls, gateways and other servers, increasing the longevity of Duqu and gaining access to the internal structure of the infected network.
Writing online, Kaspersky’s global research team said: "It’s interesting that the Duqu attackers are also careful enough not to use same digital certificate twice.
"This is something we have seen with Duqu from both 2011 and 2015. If that’s true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack."
Kaspersky added that the fact it has not found any other malware with the same certificates suggests that the hackers are the only ones with access to them.
"It also seems to indicate the Duqu attackers are the only ones who have access to these certificates," the company said. "Which strengthens the theory they hacked the hardware manufacturers in order to get these certificates."
However, the company added that it had no confirmation that any of the hardware manufacturers in its report had been compromised, though it had seen signs that the hackers had an interest in the sector, including Foxconn, Realtek and JMicron.