Kaspersky said the attack exploited five vulnerabilities, four of which were unknown zero-days