'Up to 100' targets in cyber espionage case implicating Israel

US has accused Israel of spying on the Iran nuclear talks in the past; security firm identifies widespread use of complex virus.

A member of a delegation talks on the phone in the Beau Rivage Palace Hotel during a break in the Iran nuclear program talks in Lausanne March 31, 2015 (photo credit: REUTERS)
WASHINGTON – A cybersecurity firm has identified breaches in its software at three luxury European hotels from a virus considered a hallmark of Israeli intelligence operations.
Investigating the matter, the firm, Kaspersky Lab ZAO, discovered that all three hotels hosted talks between world powers and Iran over its nuclear program in the past year, the Wall Street Journal first reported on Wednesday.
According to the company's own report, Kaspersky crosschecked thousands of hotels in search of similar breaches. It found only three. The firm declined to name those hotels, but the negotiations have been held in only six hotels in Switzerland and Austria since the diplomatic effort first began.
But Kurt Baumgartner, principal security researcher at Kaspersky Lab, told The Jerusalem Post on Wednesday afternoon that the hack was not limited to the hotels and that "up to 100" targets were subjected to the attack.
"It’s important to know that Kaspersky Lab products identified the infection within various victims," Baumgartner said. "In addition to several unknown victims, we are quite sure that at least three of the venues where P5+1 talks about a nuclear deal with Iran were held have been attacked."
In addition to the high-level Iran negotiations, Baumgartner said they had found that the perpetrator also launched a similar attack surrounding the 70th anniversary event of the liberation of Auschwitz-Birkenau.
While their findings are preliminary, the firm concludes that the targets, beyond the hotels, all shared the characteristics of being of "the highest level" security and "including geo-political interests."
The tool of choice was a sophisticated virus known as Duqu 2.0, which may allow its handlers to monitor activity, steal computer files and eavesdrop from the rooms in which they are operating.
The firm also reported that the front desks of the hotels were hacked, which, according to the Journal report, would allow the hackers to identify the room numbers of specific delegates and ministers.
Neither the Prime Minister's Office nor the Foreign Ministry would comment on the report.
US officials publicly accused Israel of spying on the talks back in 2014, and have repeated those allegations ever since on multiple occasions. Israel's intelligence effort, they say, began in 2012, when the Obama administration first opened a covert channel with Tehran.
Responding to the Kaspersky findings, the Obama administration expressed confidence in its own security procedures.
"I can say that we take steps, certainly, to ensure that confidential, that classified negotiating details stay behind closed doors in these negotiations," said Jeff Rathke, a State Department spokesman, declining to elaborate.
Addressing the annual Herzliya Conference this week, Prime Minister Benjamin Netanyahu lamented Israel's absence at the negotiating table, given the impact a deal will have on the Jewish state.
"No one from this region, except Iran, is at the negotiating table," Netanyahu said. "Somebody once said: ‘If you’re not at the table, you’re on the menu.’ The states with the most at stake are not even in the room."
Two years of negotiations among the US, Britain, France, Russia, China, Germany and Iran produced a political framework agreement in April at the Beau-Rivage Palace Hotel in Lausanne. Diplomats hope to conclude the talks with a final, comprehensive agreement sealed by June 30.
Asked whether the firm could support claims that the virus is connected to Israel, Baumgartner said doing so with confidence is a tall order.
"In the case of Duqu, the attackers use multiple proxies and jumping points to mask their connections. This makes tracking an extremely complex problem," he said, adding: "It’s important to stress that we are absolutely sure that Duqu 2.0 is an updated version of the infamous 2011 Duqu malware, which is associated with an APT [advanced persistent threat] group that went dark in 2012."