SAN FRANCISCO — None of the luxury hotels that hosted sensitive nuclear discussions between Iran and world powers were aware of a new report that said a virus previously linked to Israel had possibly infected their systems.
Hotels in Switzerland and Austria have hosted the talks between Iran and world powers — France, China, Russia, Germany, the United Kingdom, and the United States — on reaching a final deal since early 2014. The report from Kaspersky Labs, a Moscow-based cybersecurity company, stopped short of naming the hotels. BuzzFeed News reached all of the hotels that hosted negotiations, and none appeared to know of a breach in their systems.
"We are not aware of any of these problems. We don't have any of these types of issues at our hotel and the last [malware] incident we had was six or seven years ago," said Patrick De Rosa, a manager at the Intercontinental Hotel in Geneva where talks were held that led to an interim deal.
Managers at the Palais Coburg in Austria, and Beau-Rivage Palace in Switzerland told BuzzFeed News that they were also not aware of any breaches, but asked to be given time to look into the Kaspersky report. Austrian and Swiss officials said they were investigating the breach, but stopped short of naming the nation-state behind the attack.
Israeli officials denied Thursday that they spied on the negotiations over Iran's nuclear program, or that they had anything to do with a virus which infected hotel computers where the negotiations took place.
Israel is strongly opposed to a nuclear deal with Iran, with Israeli Prime Minister Benjamin Netanyahu saying he feels it is his duty to stop such a deal from happening. Netanyahu's office has repeatedly lambasted the talks for not being tough enough on Iran, a position which has created tension with the Obama administration.
On Thursday, Israel's newly-sworn in foreign minister, Tzipi Hotovely told the country's Army Radio that "there was no basis" to the reports of Israel spying on the talks.
"There is no basis to the all the international reports on Israel's involvement in the affair. What is much more important is that we prevent a bad agreement, otherwise at the end of the day we'll find ourselves with an Iranian nuclear umbrella," said Hotovely.
Kaspersky researchers said they were still assessing how the virus works, and expect to release a full report in the coming weeks. They believe the virus was capable of eavesdropping on conversations, stealing files, and could gain control of any computer-linked system at the hotel, such as phones, elevators and alarms. The virus was also able to access the hotel's front-desk computes, which gives it access to the room numbers of all the officials taking part in the talks, according to the report. It is unclear whether the virus is still active in the hotels' systems.
Kaspersky did not name the country behind the virus, but the Wall Street Journal, which first reported the findings, said it was hinting that it was Israel. The report was named "Duqu Bet" with Bet being the second letter of the Hebrew alphabet and the virus widely being called "Duqu 2.0" by Kaspersky researchers.
There had already been accusations of Israel spying on the negotiations. In March, the Wall Street Journal reported that Israel had spied on the closed-door meetings, and "acquired information from confidential U.S. briefings, informants and diplomatic contacts in Europe." The report said U.S. intelligence agencies spying on Israel found that the Israelis had obtained details of the talks, though at the time Israeli officials claimed they had been briefed by other countries participating in the negotiations.
Kaspersky's researchers concludes that the virus was an improved version of spyware first discovered by the Symantec cybersecurity firm in 2011, and named as Duqu because it creates files with "DQ" in the prefix. Kaspersky has since said the virus appeared to be very similar to Stuxnet, a computer worm that hit computers at Iranian nuclear facilities.
"The people behind Duqu are one of the most skilled and powerful APT (Advanced Persistent Threats) groups and they did everything possible to try to stay under the radar," said Costin Raiu, director of Kaspersky Lab's Global Research & Analysis Team, in a statement emailed to BuzzFeed News. Advanced persistent threats refer to sophisticated software created by nation-states and often used for cyber espionage or complex cyber crime.
Raiu said the cost of creating such sophisticated malware must have been "very high." In addition to running a 19-megabyte toolkit, capable of sophisticated data theft, the virus could operate stealthily from inside an infected computer by operating only in the machine's memory, rather than its hard drive.
In addition to the hotels, Kaspersky said they also found the virus on computers used during the commemoration ceremony of the 70th anniversary of the liberation of the Nazi death camp Auschwitz, an event that was attended by world leaders.
The virus in the systems was discovered only after Kaspersky first identified the virus in their own systems. A Kaspersky researcher testing the company's new detection software noticed an anomaly and discovered the virus. The virus was gathering information on how Kaspersky detected new malware, likely in an effort to better hide itself.
It appeared that the actors behind Duqu 2.0 knew they were being discovered as it happened. Just four hours after Kaspersky identified an employee's machine in Asia that had been the first to upload the virus (by opening a spear-phishing email), the machine's mailbox and browsing history were wiped, preventing Kaspersky from fully analyzing it.
In the coming weeks, Kaspersky researchers said they would study backups and logs which should have more details on how the virus spreads through systems.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.