Spotting and Avoiding Government Cyber Warfare Tactical Weapons

According to a June 1, 2012, article in the New York Times, during President Obama’s first months in office he ordered increasingly sophisticated attacks on the computer systems that ran Iran’s main nuclear enrichment facilities, significantly expanding the first sustained use of cyber weapons by the United States. The operation, code-named Olympic Games, had begun under President Bush and came to light in 2010 when the malware now known as Stuxnet was discovered in the wild.

Ranked eighth on one list of the ten most insidious hacking techniques, government-sponsored malware has become a tactical weapon of choice in cyber warfare. Stuxnet may be the most widely known example, but it is far from the only one; nations across the globe now field their own. Past incidents of state-sponsored malware are worth revisiting, if only because they look amateurish next to the sophistication of the payloads seen recently.

Regin

Regin, reportedly named by Microsoft in 2011 (possibly after the Norse dwarf of the same name), has been analyzed at length by both Symantec and Kaspersky Lab. The malware is sophisticated enough that attributing it to any particular nation has proven difficult, although it is widely reported to be a collaboration between Government Communications Headquarters (GCHQ), the British signals intelligence agency, and the National Security Agency (NSA).

According to reports, employees at Belgacom were socially engineered, or had their systems compromised, so that they were redirected to a fake LinkedIn page from which Regin infected their machines and gave the attackers full access to Belgacom’s networks. That access in turn reached information belonging to the European Commission, the European Parliament and the European Council. Other reported victims of Regin include organizations in Russia, Saudi Arabia, Mexico, Ireland, Belgium and Iran.

Regin is multistaged and modular, so it can exfiltrate data from a variety of sources, including email servers, giving the intelligence service behind it continuous monitoring of its intended target. Regin hides its later stages in New Technology File System (NTFS) extended attributes, splitting itself into blocks to stay within the size limits on those attributes, and in the Windows registry, so the stages never appear as ordinary files on disk. One documented use of Regin is monitoring Global System for Mobile Communications (GSM) networks, which allows sophisticated tracking of the users of those networks. Regin and its variants are still active today.
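The extended-attribute hiding place described above is worth being able to inspect. The script below is an added example for this article, not code from Symantec, Kaspersky or the Regin authors: it parses a buffer of NTFS extended-attribute records in Windows’ FILE_FULL_EA_INFORMATION layout (the format NtQueryEaFile returns and the format NTFS stores in a file’s $EA attribute) and flags entries that look like hidden payloads. The sample buffer, the EA names in it, the size threshold and the executable-header heuristic are all constructed for the demonstration; the caller is assumed to have obtained the raw EA bytes from a live system or from a forensic image.

```python
"""Walk NTFS extended-attribute records and flag entries that look like hidden code.

Record layout (FILE_FULL_EA_INFORMATION, little-endian):
    ULONG  NextEntryOffset   offset to the next record, 0 for the last one
    UCHAR  Flags
    UCHAR  EaNameLength      length of EaName, excluding its NUL terminator
    USHORT EaValueLength     length of the value (at most 65,535 bytes)
    CHAR   EaName[]          NUL-terminated name
    UCHAR  EaValue[]         starts immediately after the NUL
Records are 4-byte aligned. Because the value length is 16 bits and the whole
$EA attribute of a file is capped at 64 KB, a large stage has to be split into
blocks, which is the behaviour described in the article.
"""
import struct
from dataclasses import dataclass

HDR = struct.Struct("<IBBH")  # NextEntryOffset, Flags, EaNameLength, EaValueLength


@dataclass
class EaRecord:
    name: str
    flags: int
    value: bytes


def parse_ea_buffer(buf: bytes) -> list:
    """Parse every FILE_FULL_EA_INFORMATION record in buf; raise on a malformed chain."""
    records, off = [], 0
    while off + HDR.size <= len(buf):
        nxt, flags, name_len, val_len = HDR.unpack_from(buf, off)
        name_start = off + HDR.size
        name = buf[name_start:name_start + name_len].decode("ascii", "replace")
        val_start = name_start + name_len + 1          # skip the NUL terminator
        value = buf[val_start:val_start + val_len]
        if len(value) != val_len:
            raise ValueError(f"truncated EA value for {name!r} at offset {off}")
        records.append(EaRecord(name, flags, value))
        if nxt == 0:
            break
        if nxt < HDR.size:
            raise ValueError(f"bad NextEntryOffset {nxt} at offset {off}")
        off += nxt
    return records


def build_ea_buffer(entries: list) -> bytes:
    """Encode (name, value) pairs as a FILE_FULL_EA_INFORMATION chain (used only to build the sample)."""
    out = bytearray()
    for i, (name, value) in enumerate(entries):
        body = name.encode("ascii") + b"\0" + value
        rec_len = HDR.size + len(body)
        padded = (rec_len + 3) & ~3                    # 4-byte alignment
        nxt = 0 if i == len(entries) - 1 else padded
        out += HDR.pack(nxt, 0, len(name), len(value)) + body
        out += b"\0" * (padded - rec_len)
    return bytes(out)


# Heuristics (assumptions, tune for your own estate): legitimate EAs on Windows
# are rare and small, so a large value or one that starts like an executable
# stands out.
LARGE_EA = 4096
CODE_MAGICS = (b"MZ", b"\x7fELF")


def suspicious_eas(buf: bytes) -> list:
    """Return (ea_name, reason) pairs for EAs that merit a closer look."""
    findings = []
    for r in parse_ea_buffer(buf):
        if r.value.startswith(CODE_MAGICS):
            findings.append((r.name, "value starts with an executable header"))
        elif len(r.value) >= LARGE_EA:
            findings.append((r.name, f"value is {len(r.value)} bytes"))
        elif not r.name.isprintable() or " " in r.name:
            findings.append((r.name, "unprintable or spaced EA name"))
    return findings


# Constructed sample: a small, benign-looking attribute next to a chunk that
# looks like a PE image stashed in an EA. Neither name is taken from Regin.
SAMPLE = build_ea_buffer([
    ("$LXMOD", b"\xa4\x81\x00\x00"),
    ("stage2", b"MZ\x90\x00" + b"\x00" * 6000),
])

if __name__ == "__main__":
    for name, why in suspicious_eas(SAMPLE):
        print(f"{name}: {why}")
```

On a live Windows host the raw buffer would come from NtQueryEaFile (via ctypes); in forensics it is the content of the file’s $EA attribute in the MFT record. The parser refuses a truncated chain instead of silently returning a partial list, because a carver that stops quietly at the first bad record is exactly what a split payload hides behind.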

Duqu 2.0

Referred to by Kaspersky Lab as the stepbrother of Stuxnet, Duqu 2.0 is attributed to Israel. This nation-state surveillance malware used very intricate means of infection and survival, including anti-sniffer defenses and packet-injection code. It lived almost entirely in random-access memory (RAM) rather than on disk, which helped it avoid detection.

The best-known victims of Duqu 2.0 include Kaspersky Lab itself, compromised through a zero-day in the Windows kernel combined with previously patched vulnerabilities. Why Kaspersky was targeted is unknown; the other well-known Duqu 2.0 attack, however, is clearly a nation state using malware for intelligence gathering.

The hotel and conference venues that hosted the P5+1 talks on Iran’s nuclear program were both infected with Duqu 2.0. The suspicion is that the venues’ VoIP phone systems were compromised, turning the phones into listening devices.

The Dukes

In what can best be described as state-sponsored malware as a service, F-Secure recently published a paper describing the activities of a group nicknamed the “Dukes.” This cyber espionage group has targeted a wide variety of entities, from Western governments to groups associated with Chechen terrorism, using a family of malware that includes PinchDuke, GeminiDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke and CloudDuke.

The Dukes appear to be well financed, and their operations are coordinated with activities conducted by Russia. Given the group’s freedom of action over several years, the Dukes’ attacks can safely be assumed to be approved by a security service.

The OPM Breach

No discussion of state-sponsored malware would be complete without the breach that may be the most serious we know of: the Office of Personnel Management (OPM) data breach. It resulted in the loss of 21 million records, 5.6 million sets of fingerprints and countless highly sensitive SF-86 forms, each a 127-page questionnaire completed by individuals seeking a security clearance. The good news is that the Central Intelligence Agency (CIA) did not use OPM for its personnel records. The bad news is that any federal employee whose records were not in the breach can therefore be assumed to work for the CIA.

While not all details of the breach are known, this much is: it began around March 2014. It may have been discovered not by the EINSTEIN intrusion detection system but by a vendor demonstrating a commercial forensics product. A contractor located in China had root access to OPM systems, and a group known as Deep Panda, a Chinese nation-state intrusion group, may have been involved.

Anthem Health

A seemingly separate data breach at Anthem Health has investigators looking at a link between it and the OPM breach. The group thought to be responsible for both events used a type of malware called Sakula, and the objective of both attacks appears to have been to build a Facebook of sorts on every federal employee and their families. The deep analytics one could perform on a data set that large could be useful for decades to come. While China has denied involvement, China and its allies would benefit greatly from the information the OPM breach provided.

Staying Secure When There Are No Boundaries

Nation-state actors involved in cyber intrusions respect no political boundaries or limitations. Every government capable of doing so is engaged in an endless effort to use cyber operations to further its political ambitions or protect its population. Every day brings new reports of successful exploits against very well-defended networks. If you are responsible for an IT infrastructure that has some value to an intelligence service, you are no doubt wondering how you can protect your environment against such an attack.

While a 100 percent bulletproof defense is impossible, the strategy that the Department of Homeland Security and other agencies recommend is one based on risk mitigation, with an increasing emphasis on continuously monitoring controls to ensure not only that they protect assets effectively but also that capital is allocated properly. You can improve your chances of surviving a nation-state cyberattack by adopting the National Institute of Standards and Technology (NIST)’s critical infrastructure cybersecurity framework and by developing your workforce’s cyber skills through training that improves your organization’s ability to identify, protect, detect, respond and recover.

You can find Global Knowledge courses that focus on the NIST Cybersecurity Framework here. I welcome your comments below.
