Spies Hacked Iran Nuclear Talk Hotels

Government (U.S.) // Government (Foreign) // Hospitality // Switzerland, Germany and Austria

Kaspersky Lab says that the malware in play was an enhanced version of Duqu, spyware tied to Israel that was first identified by cybersecurity experts in 2011.

Three hotels were infiltrated by the new-and-improved virus, dubbed Duqu 2.0, before hosting negotiations between Iran and world powers over curtailing Tehran’s nuclear program.

U.S. officials knew Israel had spied on nuclear talks in 2014, but officials offered few details about the techniques used at the time.

The malware was packed with more than 100 discrete “modules” that would have enabled the attackers to hijack infected computers.

One module was designed to compress video feeds, possibly from hotel surveillance cameras. Other modules targeted communications, from phones to Wi-Fi networks. The attackers would know the identities of the targets connected to the infected systems, allowing them to eavesdrop on conversations and steal electronic files.

The virus could also enable them to operate microphones in hotel elevators, computers and alarm systems. In addition, the hackers appeared to penetrate front-desk computers. That capability could have allowed them to figure out the room numbers of specific delegation members.

The virus also automatically deposited smaller reconnaissance files, or backdoors, on the computers, ensuring the attackers could exploit the contents of those machines at a later date.

The first hotel determined to have Duqu 2.0 on its computers was a well-known venue for the nuclear negotiations.

Later, Kaspersky, a cyber firm with ties to the Russian government, found the same virus at a second luxury hotel. Initially, researchers didn’t see a connection between the hotel and the nuclear talks. Then, a couple of weeks after the discovery of the second hotel, they learned that the nuclear negotiations took place there. In both cases, the hotels were infected about two to three weeks before the negotiators convened.

Kaspersky provided information about Duqu 2.0 to one of its partners, which did its own round of tests. That search turned up a third infected hotel that hosted the nuclear talks. That third hotel was discovered last but appeared to have been infected first, sometime in 2014. Kaspersky declined to identify the three hotels.

Hotels that served as venues for the talks include the Beau-Rivage Palace in Lausanne, Switzerland; the Intercontinental in Geneva; the Palais Coburg in Vienna; the Hotel President Wilson in Geneva; the Hotel Bayerischer Hof in Munich; and the Royal Plaza Montreux in Montreux, Switzerland.