Eugene Kaspersky, the Russian whose namesake company acknowledged that it had been infected with top-tier malware, struggled during a press conference to come up with reasons why the hackers targeted his firm.
After all, antivirus makers like Kaspersky Lab should be prepared to sniff out and snuff out an attack.
"They were not only stupid, but greedy," Kaspersky said during a London-based press conference Wednesday, which was also webcast to reporters elsewhere.
When asked why the attackers -- whose malware was dubbed Duqu 2.0 in a nod to 2011's Duqu, which in turn was thought to be an offspring of the infamous Stuxnet -- went head-to-head with his company, Kaspersky had theories but nothing more.
"They were not interested in our customers," he said after asserting that the intrusion did not appear to have touched any customer or partner data.
"I'm pretty sure they were watching," he said of the hackers during the months they had their malware running undetected on Kaspersky's network. He speculated that the attackers were doing reconnaissance and research, hoping to find out more about Kaspersky's security technology or how it found and analyzed malware.
Specifically, Kaspersky wondered if they had infected Windows PCs on the company's network to uncover how researchers decided what malware to manually examine.
The vast bulk of the malware that Kaspersky -- and any major antivirus firm -- collects is processed, evaluated and categorized by automated systems, which also craft the resulting "fingerprints," or signatures, that are sent to customers' devices. Only the occasional piece of attack code is interesting enough, different enough from the run-of-the-mill to justify a human touch.
How researchers make the decision to closely evaluate -- and root through -- one piece of malware while passing on another would obviously be information a hacker crew or state-sponsored group would love to have, as it would help them craft attack code and develop tradecraft that would be more likely to get shunted to the machines, where it would be one among millions, and its true purpose perhaps overlooked.
"[The bad guys] absolutely want to know what security researchers are doing, what's the state of the art on that side," said Tod Beardsley, the engineering manager at security vendor Rapid7, in an interview. "They want to know, is it better than what [they] have?"
It's certain, Beardsley continued, that just as security researchers launch projects to analyze attack technology and attackers' predilections, the other side does the same. "Having a hold in a security company is of great advantage," Beardsley said. "Just the operational intelligence would be valuable, as that would give them lots or preparation time for their next mission."
Sign up for CIO Asia eNewsletters.