Chief Research Officer at F-Secure and true computer security guru Mikko Hypponen outlines the state and scope of today’s cyber threatscape at the Wired 2012 event.
My name is Mikko Hypponen, and his name is “Arashi”. He is one of the examples of Russian organized cyber criminals who create malware, spread it around the world, and make money out of it. In this case he and 8 of his partners in crime made something in the range of $9 million with different kinds of Trojans.
But today I’m not going to speak about cyber criminals who commit crimes to make money. I’ll speak more about cyber war, because when we go from the world of cyber crime to the world of offensive cyber attacks, things change.
And I actually don’t like the term Cyber War. Well, there’s nothing wrong with the term, but I think it’s way overused, because you keep hearing this word whenever there’s some denial-of-service attack somewhere, or something gets hacked. And I don’t think we’ve actually seen cyber war. How could we have seen cyber war if we haven’t seen a war? We will see in the future wars between technically advanced countries, and those wars will most certainly have cyber attacks as part of the real conflict. And that could be characterized as cyber war maybe. But right now what’s happening probably isn’t; even the Stuxnet saga – I wouldn’t call that a cyber war, because there is no war going on between the countries involved.
But it’s also important to understand that we have completely different players in place. People are worried about, in many cases, exactly the wrong thing. People read about things like Stuxnet, and then they worry about Stuxnet. Well, Stuxnet is nothing to worry about: here, in London, none of you will be infected by Stuxnet; you’re not the target. The local pizza place is not going to get infected by Stuxnet because they are not the target. Uranium enrichment facilities in Iran might get infected by Stuxnet, because they are the target.
So it’s important to understand different players we have, the different actors, and their different motives. And you can roughly split them into three: we have the criminals who write malware to make money, like “Arashi” who we saw in the video. Then we have hacktivists, who do their attacks not to make money but to send a message, to protest or to embarrass their target, for example. And then, as the third origin of attacks, we have governments: governments launching attacks, governments creating malware, writing Trojans, and infecting computers to gain their results. And these hacktivist groups or movements like Anonymous are a fairly new phenomenon.
Criminals have been writing malware to make money for a decade now: we saw the first moneymaking viruses in 2003. Movements like Anonymous really came into play only 3 or 4 years ago, and they have become one of the major players. But I’m not going to speak about Anonymous today either. We’ll focus on governments.
Within attacks coming from governments we have a range of stuff. We have espionage. You might have heard about what is often characterized as APT attacks, advanced persistent threats. These are espionage attacks. A company gets infected because they were targeted particularly. Someone created a malware from the very ground up just to target one organization, maybe to target one person inside that organization. So, when they gain access to his computer they gain access to his information, they can steal the info, and this is happening between countries and nation states.
So, spying has gone online. And, of course, it has gone online, because spying is the act of collecting information, and information has changed. Information used to be something physical; it used to be something that was printed on paper; if you wanted to get the information, you had to go where the paper was. Today it’s all data. You don’t actually have to go anywhere, you can reach the information from the other part of the world. And especially China gets blamed for these espionage cases, and these have been going on for quite a while.
Then we have cases where governments create malware and use the malware against their own citizens, and this is happening especially in totalitarian states. It’s happening in Syria, happening in Iran, it was happening in the old Egypt regime. But it’s also happening in democratic nations: it’s happening in the United States, it’s happening in the Netherlands, it’s happening in Germany.
Especially the Germans have been very active in creating malware and infecting their own citizens with this malware. There are several examples; one of the well known examples is the so-called R2D2 Trojan (see right-hand image), also known as Staatstrojaner, or Bundestrojan, which is being used by German government against German citizens. In fact, if you go to the website of the German government you will find that they are openly recruiting backdoor writers and Trojan creators to come work for the government so that they can create Trojans to infect German citizens (see image below).
They do this as part of criminal investigation, and it actually makes perfect sense: if you are the police and you are investigating a crime and you have a suspect – well, it has always been the case that you get a court order and you tap his phone, and then you tap his mobile phone. And if that’s not enough, then you tap his Internet connection, so the ISP or the Telco starts recording all the Internet traffic coming in and going to this individual.
But today that’s not going to get you very far. Today we extensively use services which are encrypted, everyday services, services like Gmail which is encrypted end to end, or Skype which is encrypted end to end. Even if your ISP is recording all of your traffic, they can’t see what you’re doing in Gmail or Skype, and this irritates the police, because they’d like to see what you’re doing if you are a suspect of a crime. And the way they get around this is with Trojans.
And there really isn’t a problem here; it isn’t a problem at all. It isn’t a problem if the suspect turns out to be guilty. If the suspect turns out to be a potential school shooter or a drug lord, or whatever, then it’s great. But if the suspect turns out to be innocent, this is a major problem because it’s hard to imagine a bigger breach of privacy where your own government gains access to your computer, and not just gains access to your files, but sees all your network traffic, collects all your passwords, and can even turn on the microphone and record what’s being spoken close to your computer, or turn on the webcam. I don’t think we’ve really understood what it means when our own governments are using Trojans against us.
And then we have the attacks which go beyond just criminal investigations and which start to go into the realm of intelligence agencies and the militaries, offensive cyber attacks. In most examples in this area, the targets are in the Middle East. Iran has been targeted extensively, so have many other countries in the area.
This is the Bushehr nuclear plant in Iran (see left-hand image) which has been one of the targets of these attacks. What I find fascinating is that if you actually go to Google Maps and look up Bushehr, like I did, Google Maps actually labels different facilities. Like, here is the emergency feedwater building, and here is the ventilation chimney, and here’s the solid waste building, and that’s Google Maps telling us what’s what in Bushehr. It’s quite fascinating.
Many of the researchers who work with the Iranian nuclear program work with the Atomic Energy Organization of Iran, and that organization has been targeted by what’s known as Operation Olympic which has been in the news since 2009; but the real major news, really, came out last May, when NY Times editor David Sanger wrote and released a book called “Confront and Conceal”. And in that book he provides evidence leaked from US government that all of the related malware in this operation are coming from the governments of the United States and Israel.
And this was what was being suspected already 2 years earlier, but we had no information, we couldn’t really prove it. And we weren’t really expecting to ever get concrete evidence on that. But they actually leaked the information proving it. They took the blame and they took the credit, and we don’t actually know exactly why. It’s pretty obvious this wasn’t leaked by accident; things like that don’t leak. This was leaked on purpose to David Sanger. Maybe it’s because it was the election year, maybe it made President Obama look strong and creative in using new kinds of technologies and techniques to go after their arch enemy, Iran.
And we must assume there has been a series of different attacks. We’ve only found 5 malware which have been related: Stuxnet, which was the first one we found in 2009; since then Flame, Duqu, Gauss, and just two weeks ago – Miniflame, which is a smaller version of the Flame malware, which was one of the largest malware we’ve ever seen in history.
Stuxnet is the only one which actually does physical damage. It controls the PLC gear inside the Natanz nuclear enrichment facility, blowing up centrifuges. All the others here are like supporting malware: they gather information, gather intelligence, which then can be used to launch attacks like Stuxnet. We believe some of the information that was needed to launch the Stuxnet attack was collected with Duqu or other related malware before the actual attack was launched.
Now, there’s one key aspect about Stuxnet which is often missed, and that’s the fact that it’s perfectly possible that Stuxnet killed people. We don’t know that. We don’t know whether Stuxnet killed people or whether it did not kill people. But the possibility is there, because what it did was it exploded centrifuges, 2 meter high centrifuges made out of carbon fiber, spinning at very high speeds, and filled with Uranium gas. And when they start failing, they fail catastrophically and they easily create a chain reaction, where one exploding centrifuge will make other centrifuges explode as well. And if there are scientists in the control room, it’s not a good place to be.
We don’t know if this happened, but I think the key point here is that the countries launching these attacks must have known that at least a possibility of killing people with this malware is there, and they went ahead and did it anyway. And when they did that, I think we crossed an important line.
It can be argued that nuclear scientists lost their innocence in 1945 (see image), when we, the mankind, used the atom bomb for the very first time. And if that’s the case, then we could argue that exactly in the same way computer scientists lost their innocence in 2009, when we started using malware as an offensive attack weapon.
That is a Siemens S7-400 PLC (see left-hand image). This is the basic building block of any modern society. This runs our factories, this runs our power plants, runs our nuclear plants, runs our food processing plants, runs our chemical plants, most likely runs the elevators in this building. These are being used everywhere, and that’s what Stuxnet infected.
So, Iranian Atomic Energy Organization – that’s where they do their research. They publish scientific papers about nuclear radiation and nuclear power and related things (see right-hand image). And I’m bringing this up because in June I got an email from the Atomic Energy Organization of Iran. And I don’t usually get emails from the Atomic Energy Organization of Iran…
But I got an email, this email right here (see left-hand image), which was sent by a scientist working in there, and he explains that they’ve had problems and he wants the world to know that they are under attack again. And then he explains that some of the computers inside their nuclear research facility were waking up in the middle of the night and starting to play music, starting to play AC/DC, specifically playing Thunderstruck at full volume. Nuclear research machines playing Thunderstruck in the middle of the night… Doesn’t sound very plausible, does it? Was it really happening?
Now, I don’t know if this actually happened or not, all I know is that this guy was telling me this, and this guy was emailing from the Atomic Energy Organization of Iran, and I checked it: he was sending it from there. And the name he was using belonged to a real nuclear scientist. I don’t know if this was true or not. But if it was true – assume for a second it really happened. Why would any attacker do this? Why would they start playing AC/DC or any music in the middle of the night? Because, obviously, they blow their cover and everybody will know that there is a problem. But maybe that was the idea, to begin with?
If you actually read Sanger’s book, one of the key points about Operation Olympic was to make the enemy feel stupid. Many of the attacks they were doing with the centrifuges were very slow in the beginning, they were just failing; and Iranian nuclear scientists ended up firing tons of people because they couldn’t get the job done, and they didn’t realize why they weren’t getting the job done. They were feeling stupid.
So, maybe, here what they want to do is show the employees of this organization that your IT department can’t protect you. If your computer plays AC/DC, you know that something’s going on, and your own IT department looks stupid, because they can’t stop it, they can’t keep the malware out. Maybe it’s mind games, or maybe it never happened; maybe this guy was just playing some kind of a joke.
But I did find it interesting that around 4 weeks after this, when the Gauss malware was found, if you look at the network traffic (Gauss collects information and sends it out, and it encrypts the information before it sends it out), the encryption it uses – uses the encryption key, and that key is 4 characters, and those characters are A, C, D, C, which could be a coincidence, right?
If you look at Miniflame which was found recently, one of the files actually contains country information, which tells us in which country that file was created, and the country information belongs to Australia, and AC/DC is from Australia. Maybe we can’t jump to any conclusions here; maybe they are all mind games, maybe there’s smoke and mirrors in play here. But it’s quite clear that we’ve entered a new era of cyber arms race, and it’s only going to get more and more active.
Iran is one of the key locations; for example, Iranians themselves have been very active in using technology to monitor their own people and find dissidents and revolutionary people inside Iran.
But the critical infrastructure as a whole is what’s at stake here, because over the last decade or two we have completely switched to computer automation to run our factories, and this does make us vulnerable. In fact, the United States, which is arguably one of the most active attacking partners right now, is actually the one with most to lose. They are much more dependent on computers than any other country probably anywhere in the world.
And there is possible retaliation. The largest company in the world, Saudi Aramco, a company which is about twice the size of Apple in wealth, was attacked 6 weeks ago. They were attacked with an attack which wiped 30,000 computers, around 75% of their computers were wiped overnight, wiped with an attack that was overwriting all the files with an image, and the image was a burning flag of the United States. And if you read the New York Times, there’ve been two articles that put the blame directly on Iran. We can’t prove that, but at least it’s being claimed, a sort of retaliation.
These attacks are very hard to defend against. Defending against Stuxnet, or Flame, or Duqu, or any of these is almost like a nightmare. We missed Stuxnet. We missed Flame. We missed them all for a year; some of them we missed for two years, which is really embarrassing. We are supposed to build security products which detect malware, and we didn’t. And it wasn’t just us, it was the whole antivirus industry; we all missed all of it, which is embarrassing.
I’ve been asked many times about it: “How could that happen? Why didn’t you detect them?” And the way I explain it is that if you look at the attackers and try to find a comparison from the real world – well, here is an attacker, a street robber from somewhere in South America, stopping cars at gunpoint, stealing the wallets of the passengers (see image); and his cyber equivalent would be a banking Trojan, or a ransom Trojan, or a botnet, run by somebody who tries to make money with malware. This person doesn’t really care who he stops as long as he gets the money. So everybody’s a target.
Banking Trojans and credit card stealing keyloggers – they don’t really care whose credit card they steal. It could be a UK credit card, or a German credit card, or Italian, it doesn’t actually matter as long as they get the credit card. Everybody and anybody is the target. And we can protect against him. We can protect against the everyday threats, the criminal threats. This is doable. However, Stuxnet and Flame did not look like this guy.
Stuxnet and Flame looked like this guy (see image), the guy with the latest and greatest technology and gadgets, with unlimited budget, with the best possible training, with unlimited resources. And if James Bond wants to kill you, James Bond will kill you. It doesn’t matter if you run and hide; he will find you and he will kill you. It doesn’t matter if you have a helmet and a bulletproof vest, he will kill you anyway. And that’s how hard it is to defend against government-funded organized attacks with unlimited resources and unlimited budgets. It’s very hard. We’re not giving up either; I’m not saying that, I’m just saying it’s very hard. And, most importantly, while we might not yet have entered the era of cyber war, at the very least we have entered the era of cyber arms race. Thank you very much!