Securing our future 4: Governmental malware

According to Mikko Hyppönen, nation states have become the source of the most advanced samples of malicious software; read this follow-up to learn more.

I suppose the biggest surprise, to me personally, over the last 25 years that I have been fighting online attacks is the fact that governments themselves became one of our opponents, or enemies. One of the main sources of the most advanced new malware we see is actually now coming from governments. It’s coming from the military; it’s coming from intelligence agencies; it’s coming from law enforcement. We are seeing backdoors being deployed by intelligence agencies to gain access to data they otherwise wouldn’t get access to. And of course, intelligence agencies are interested in hacking, because that’s what they do, I mean, they collect the information. Spying is collecting information. 20 years ago, it meant that you had to physically go to where the information was, because the information was printed on paper and so you had to copy the paper or steal the paper. Well, you know what, information is no longer on paper. Information is data, and that means that you don’t have to physically go to where the information is to steal it.

Chinese military marching

And there’s a reason why I chose this clip (watch right-hand animation) as the backgrounder when I speak about governments and malware writing. But just take a moment and look at these guys, look at the Chinese military marching. I’ve seen your military march, they don’t march like this. That’s pretty neat. That’s pretty impressive. The very first governmental malware case that we ever saw in our labs was in 2003 – 12 years ago. And that was from the Chinese government. That particular case was a targeted attack against a European defense contractor, where one of the key managers received an email from one of their customers. That email spoke about an ongoing project and had a PDF file attached to the email. And as he opened up the PDF file, the PDF file actually contained an exploit which took over his computer and installed a backdoor, which gave an outside attacker full access to his computer and full access to all the data he could see in their corporate network.

That email was never sent by the customer. That email was spoofed. It was made to look like a real email. And this is the type of attack we still see today in 2015: targeted attacks against key employees in key companies, which come over email, which look like a credible email coming from someone you know and trust, coming in your own local language. And it doesn’t contain a program, it contains a word document, or an Excel spreadsheet, or a PowerPoint slideshow, or a PDF file. And as you open up the file, it works, you get the data, but you also get infected at the very same time.
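The spoofed-sender plus document-attachment pattern just described is what a mail gateway's first-pass triage looks for. The following is an added example, not code from the talk or from any security vendor: it uses Python's standard `email` module to check whether the From: domain agrees with Return-Path: and Reply-To:, lists Office/PDF attachments, and marks the combination for human review. The message, the addresses and the domain names in it are all constructed.

```python
"""Triage heuristics for the spoofed-attachment pattern described in the talk.

Added example: parse a raw RFC 822 message and surface the two signals an
analyst or gateway would look at first:
  * sender alignment: does the From: domain agree with Return-Path:/Reply-To:?
  * document attachments: Office/PDF files, the usual carriers of exploit code.
The sample message below is constructed for illustration.
"""
from email import message_from_bytes, policy
from email.utils import parseaddr
import posixpath

# File types the talk names as the usual carriers. A hardened gateway would
# detonate or strip these rather than trust the extension alone.
DOCUMENT_TYPES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}


def _domain(header_value):
    """Return the lower-cased domain of an address header, or None if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() or None


def triage(raw):
    """Return a dict of findings for one raw message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = _domain(msg["From"])
    return_dom = _domain(msg["Return-Path"])
    reply_dom = _domain(msg["Reply-To"])

    # Collect attachments whose declared file name is a document type.
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = posixpath.splitext(name)[1].lower()
        if ext in DOCUMENT_TYPES:
            attachments.append(name)

    findings = {
        "from_domain": from_dom,
        "return_path_mismatch": bool(return_dom and return_dom != from_dom),
        "reply_to_mismatch": bool(reply_dom and reply_dom != from_dom),
        "document_attachments": attachments,
    }
    # "Mail from a customer" whose bounce or reply address points elsewhere,
    # carrying a document, is the 2003 pattern: hand it to a human.
    findings["review"] = bool(attachments) and (
        findings["return_path_mismatch"] or findings["reply_to_mismatch"]
    )
    return findings


# Constructed sample: looks like mail from a known customer about a running
# project, but the bounce address and the reply address both point elsewhere.
SAMPLE = b"""\
Return-Path: <bounce@mail-relay.example.net>
From: "Anna Project Lead" <anna.lead@customer.example.com>
Reply-To: <anna.lead@customer-example.com>
To: manager@defense-contractor.example.org
Subject: Project Falcon - updated schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, the updated schedule is attached as discussed.

--b1
Content-Type: application/pdf; name="schedule.pdf"
Content-Disposition: attachment; filename="schedule.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Header alignment on its own is a weak signal: forwarding and mailing lists legitimately break it. A production gateway combines it with SPF, DKIM and DMARC verdicts and opens the attachment in a sandbox instead of trusting the declared file type.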

Countries known to spread viruses

The thing about cyber-attacks that are coming from governments is that it’s not only the superpowers that are playing this game. You don’t have to be a superpower to have credible offensive capability in the online world. We are seeing attacks from the Chinese, from the Americans, from the Russians; but we are also seeing offensive cyber-attacks coming from much smaller countries, including Iran and North Korea (see right-hand image). Many of these attacks are very well orchestrated. They obviously put a lot of money into development of these things. And the whole idea that governments themselves are writing viruses would have been science fiction 20 years ago, but this is actually happening. It’s happening right now.

Chinese governmental virus

One example of the kind of governmental malware we see is a piece of malware that we call “Medre” (see left-hand image). It’s coming from China. We believe it’s coming from the Chinese government. And it’s unusual because this malware is written in an unusual language, a language which we almost never see with malware. It’s written in Lisp.

AutoCAD drawing

The reason why it’s written in Lisp is that this malware actually infects engineering drawings created with the AutoCAD program. And AutoCAD is the de facto standard tool used by all engineering houses all over the world as they build models of buildings, and houses, and bridges, and devices (see right-hand image). And the macro language inside AutoCAD is Lisp. So, this Medre malware actually infects the 3D drawings that you create with AutoCAD.

And as these engineering houses share these drawings with their clients and with other engineering houses, they actually spread the infection. When they give an infected drawing to their client, the client then infects the rest of their drawings automatically. And when they share those drawings with other engineering houses, the infection spreads from one engineering house to another engineering house, from one country to another country. And right now there are tens of thousands of infections all over the world. And Medre doesn’t just infect your drawings – it actually takes a copy of your engineering drawings and sends that copy to Mainland China. So, what’s happening here is governmental industrial espionage at a global scale.
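The spreading mechanism described above works because AutoCAD runs LISP code it finds next to a drawing: when a drawing is opened, AutoCAD looks for `acad.lsp` and `acaddoc.lsp` (and their compiled `.fas` / `.vlx` forms) in its support file search path, which includes the drawing's own folder, and loads them without asking. The following is an added example, not from the talk and not a vendor tool: a Python scanner that walks a shared drawing tree, flags any auto-loaded LISP file sitting beside `.dwg` files, and, for plain-text LISP, reports calls to built-ins that can copy files or create COM objects such as a mail client. The list of risky function names is a constructed heuristic, not a signature, and the project tree it scans is constructed inside a temporary directory.

```python
"""Scan shared drawing folders for AutoLISP code that AutoCAD would run automatically.

Added example. It relies on one documented AutoCAD behaviour: acad.lsp /
acaddoc.lsp (and compiled .fas / .vlx variants) found in the support path,
which includes the folder of the drawing being opened, are loaded without
prompting. That is what lets LISP code travel with a shared drawing.
The function names treated as risky below are a constructed heuristic.
"""
import os
import re
import tempfile
from pathlib import Path

# Base names AutoCAD auto-loads (once per session, and once per drawing),
# in the source and compiled forms it accepts.
AUTOLOAD_NAMES = {
    f"{base}.{ext}"
    for base in ("acad", "acaddoc")
    for ext in ("lsp", "fas", "vlx")
}

# Built-ins that let LISP reach outside the drawing: start a program, copy or
# delete files, or create a COM object (mail client, HTTP, shell). Constructed.
RISKY_CALLS = re.compile(
    r"\((?:startapp|vl-file-copy|vl-file-delete|vlax-create-object|vlax-get-or-create-object)\b",
    re.IGNORECASE,
)


def scan_project(root):
    """Walk a drawing tree and return {path: [reasons]} for auto-loaded LISP."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}
        has_drawing = any(n.endswith(".dwg") for n in names)
        for lower, original in names.items():
            if lower not in AUTOLOAD_NAMES:
                continue
            path = Path(dirpath, original)
            reasons = ["auto-loaded by AutoCAD"]
            if has_drawing:
                reasons.append("sits beside shared drawings")
            if lower.endswith(".lsp"):
                text = path.read_text(errors="replace")
                hits = sorted({m.group(0)[1:].lower() for m in RISKY_CALLS.finditer(text)})
                if hits:
                    reasons.append("calls " + ", ".join(hits))
            else:
                reasons.append("compiled, cannot be reviewed as text")
            findings[str(path)] = reasons
    return findings


def build_sample_tree(base):
    """Create a constructed project tree under base: one clean folder and one
    shared folder carrying both a text and a compiled auto-load file."""
    clean = Path(base, "bridge-B7")
    clean.mkdir()
    (clean / "deck.dwg").write_bytes(b"AC1027 placeholder")  # not a real DWG
    (clean / "notes.txt").write_text("nothing to see")

    shared = Path(base, "pumping-station")
    shared.mkdir()
    (shared / "layout.dwg").write_bytes(b"AC1027 placeholder")
    # Constructed LISP: copies the open drawing aside and reaches for a mail
    # client, mirroring the "copy the drawing and send it" behaviour described.
    (shared / "acaddoc.lsp").write_text(
        ";; constructed sample, would load on every drawing open\n"
        "(defun s::startup ()\n"
        "  (vl-file-copy (getvar \"DWGNAME\") \"C:/Users/Public/out.dwg\")\n"
        "  (setq mail (vlax-create-object \"Outlook.Application\")))\n"
    )
    (shared / "acad.fas").write_bytes(b"\x0d\x0aFAS4-FILE placeholder")  # compiled form
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, and return findings
    keyed by path relative to the tree root (forward slashes)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_project(build_sample_tree(tmp))
        return {
            os.path.relpath(p, tmp).replace(os.sep, "/"): reasons
            for p, reasons in findings.items()
        }


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

The compiled `.fas` case is the one to take seriously: it cannot be read, so the only sensible response is to quarantine it and rebuild the folder from a clean copy. A scanner like this belongs on the file share where drawings are exchanged, since that is the point at which one infected client's drawings reach everyone else's.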

Malware most likely coming from the Russian government

Another example of governmental malware writing is what we’ve seen lately from Russia (see left-hand image). Over the last two years, we’ve analyzed five members of the so-called Duke family, and we believe all these are coming from the Russian government. An interesting detail about Duke malware infection, especially the last version of this family, is that almost all of the victims are in one country. And that country is Ukraine. The victims include Ukrainian military, Ukrainian government, Ukrainian defense contractors, and so on. Obviously, in the middle of this crisis between Russia and Ukraine, intelligence is more important than ever, and this seems to be the way they gather that intelligence.

President Obama and his laptop

But Duke versions have been found elsewhere as well. One place where this Russian governmental malware was found was in the White House. In fact, if you go and look at the White House photostream on Flickr, you’ll find plenty of pictures of Mr. Obama at his computer (see right-hand image). In fact, if you look at this computer, it seems to be a Dell, Dell Latitude, maybe E6430, or E6420 maybe, running as an operating system, I don’t know, maybe, what do you think – Windows XP Service Pack 1? I’m joking, actually. There’s another photo where you can actually see the operating system – he’s running Windows 7.

Kaspersky Lab headquarters

This building (see left-hand image) is in Moscow. It’s not the Russian government; this is actually a private company. This is the headquarters of a security company called Kaspersky Lab, one of the largest security companies in the world. I know many of the engineers who work at Kaspersky – world-class research, excellent people. And they broke the news a month ago that they were hacked themselves. They were hit with a targeted attack launched by a foreign government. We believe the government behind this attack was the Israelis. The way they found out that they were infected was that one of their engineers was developing a new prototype of a security program, which would detect unknown advanced malware; and once he compiled the first test version of the program and he ran it on his own computer, it detected an anomaly in his own computer. And he was really confused, so he rechecked the source code and recompiled, and it still found an anomaly. So then he ran it on his colleague’s computer and found the same anomaly. And then they realized that they had actually been infected by themselves, and they had been infected for several months. And we have to give Kaspersky full credit for making this public. Most companies would have never told the world, but they came publicly out with this information to warn others. And this also means that security companies are clearly now a target of foreign governments and of intelligence agencies.

'Legitimate military targets'

So, with all of these cases going around, I actually went back to read through the Geneva Convention. The Geneva Convention, as you might remember, maps the laws and rules of war. The Geneva Convention, for example, defines that during war you should not bomb hospitals, or you should not bomb churches, and that you should not use chemical weapons. The Geneva Convention also defines what a legitimate military target is during a time of war (see right-hand image). And the way I read this text is that during a time of war our company, a security company, an online security company, would be a legitimate military target. A legitimate target, for example, for bombing.

And let me tell you, 25 years ago, when I started analyzing the first viruses I ever analyzed, written by teenage boys, spreading on 5 ¼-inch floppy disks – 25 years ago, I would have never imagined this. And I definitely didn’t sign up for this. But this is where we are today. This is where we are today.

So, we have two problems to solve: security and privacy. When we all first got online, when we first started surfing the web – remember installing Netscape Navigator and getting online – it changed our world. And what we got was a free and open Net. That’s what we all received. We received a free and open Net. And right now, it’s up to us whether we will be able to give the free and open Net to the next generation. Thank you very much!