Shifting the focus over to governmental attacks, Mikko Hypponen breaks nation states’ cyber warfare down into several types, depending on the objects targeted.

Within attacks coming from governments we have a range of stuff. We have espionage. You might have heard about what is often characterized as APT attacks, advanced persistent threats. These are espionage attacks. A company gets infected because it was targeted particularly. Someone created a malware from the very ground up just to target one organization, maybe to target one person inside that organization. So, when they gain access to his computer they gain access to his information, they can steal the info, and this is happening between countries and nation states.
So, spying has gone online. And, of course, it has gone online, because spying is the act of collecting information, and information has changed. Information used to be something physical; it used to be something that was printed on paper; if you wanted to get the information, you had to go where the paper was. Today it’s all data. You don’t actually have to go anywhere, you can reach the information from the other part of the world. And especially China gets blamed for these espionage cases, and these have been going on for quite a while.
Then we have cases where governments create malware and use the malware against their own citizens, and this is happening especially in totalitarian states. It’s happening in Syria, happening in Iran, it was happening in the old Egypt regime. But it’s also happening in democratic nations: it’s happening in the United States, it’s happening in the Netherlands, it’s happening in Germany.

Especially the Germans have been very active in creating malware and infecting their own citizens with this malware. There are several examples; one of the well-known examples is the so-called R2D2 Trojan (see right-hand image), also known as Staatstrojaner, or Bundestrojan, which is being used by the German government against German citizens. In fact, if you go to the website of the German government you will find that they are openly recruiting backdoor writers and Trojan creators to come work for the government so that they can create Trojans to infect German citizens (see image below). They do this as part of criminal investigation, and it actually makes perfect sense: if you are the police and you are investigating a crime and you have a suspect – well, it has always been the case that you get a court order and you tap his phone, and then you tap his mobile phone. And if that’s not enough, then you tap his Internet connection, so the ISP or the Telco starts recording all the Internet traffic coming in and going to this individual.
But today that’s not going to get you very far. Today we extensively use services which are encrypted, everyday services, services like Gmail which is encrypted end to end, or Skype which is encrypted end to end. Even if your ISP is recording all of your traffic, they can’t see what you’re doing in Gmail or Skype, and this irritates the police, because they’d like to see what you’re doing if you are a suspect of a crime. And the way they get around this is with Trojans.
And there really isn’t a problem here; it isn’t a problem at all. It isn’t a problem if the suspect turns out to be guilty. If the suspect turns out to be a potential school shooter or a drug lord, or whatever, then it’s great. But if the suspect turns out to be innocent, this is a major problem, because it’s hard to imagine a bigger breach of privacy than your own government gaining access to your computer, and not just gaining access to your files, but seeing all your network traffic, collecting all your passwords, and even being able to turn on the microphone and record what’s being spoken close to your computer, or turn on the webcam. I don’t think we’ve really understood what it means when our own governments are using Trojans against us.

And then we have the attacks which go beyond just criminal investigations and which start to go into the realm of intelligence agencies and the militaries, offensive cyber attacks. In most examples in this area, the targets are in the Middle East. Iran has been targeted extensively, and so have many other countries in the area. This is the Bushehr nuclear plant in Iran (see left-hand image), which has been one of the targets of these attacks. What I find fascinating is that if you actually go to Google Maps and look up Bushehr, like I did, Google Maps actually labels different facilities. Like, here is the emergency feedwater building, and here is the ventilation chimney, and here’s the solid waste building, and that’s Google Maps telling us what’s what in Bushehr. It’s quite fascinating. Many of the researchers who work with the Iranian nuclear program work with the Atomic Energy Organization of Iran, and that organization has been targeted by what’s known as Operation Olympic, which has been in the news since 2009; but the real major news, really, came out last May, when NY Times editor David Sanger wrote and released a book called “Confront and Conceal”.
And in that book he provides evidence leaked from the US government that all of the related malware in this operation is coming from the governments of the United States and Israel.
And this was what was already being suspected 2 years earlier, but we had no information, we couldn’t really prove it. And we weren’t really expecting to ever get concrete evidence on that. But they actually leaked the information proving it. They took the blame and they took the credit, and we don’t actually know exactly why. It’s pretty obvious this wasn’t leaked by accident; things like that don’t leak. This was leaked on purpose to David Sanger. Maybe it’s because it was the election year, maybe it made President Obama look strong and creative in using new kinds of technologies and techniques to go after their arch enemy, Iran.
And we must assume there has been a series of different attacks. We’ve only found 5 pieces of malware which have been related: Stuxnet, which was the first one we found in 2009; since then Flame, Duqu, Gauss, and just two weeks ago – Miniflame, which is a smaller version of the Flame malware, which was one of the largest pieces of malware we’ve ever seen in history.