Spotting and Avoiding Government Cyber Warfare Tactical Weapons

by Ted Dziekanowski

According to a June 1st, 2012 article in the New York Times, President Obama, in his first months in office, ordered increasingly sophisticated attacks on the computer systems that ran Iran's main nuclear enrichment facilities, expanding the first sustained use of cyber weapons. The program, code-named Olympic Games, was begun under President Bush and was eventually revealed in 2010 when the world became aware of the malware known as Stuxnet.

Ranked number eight in a list of the top ten insidious hacking techniques, government-sponsored malware is becoming the tactical weapon of choice in cyber warfare. While Stuxnet may be the most widely known example, it is far from the only variant used by nations across the globe. Past incidents of state-sponsored malware are interesting mainly as a baseline: they look amateurish in comparison to the sophistication of the payloads seen recently.

Regin, supposedly named by Microsoft in 2011 after the Norse dwarf Regin, has been extensively analyzed by both Symantec and Kaspersky Lab. The malware is so sophisticated that attributing it to any particular nation has proved difficult, although it is rumored to be a collaboration between GCHQ (the British signals intelligence agency) and the NSA. According to reports, employees at Belgacom were socially engineered, or had their systems compromised, so that they were directed to a fake LinkedIn page from which Regin infected their machines, giving the attackers full access to Belgacom's networks. This in turn allowed access to information belonging to the European Commission, the European Parliament and the European Council. Other reported victims of Regin include targets in Russia, Saudi Arabia, Mexico, Ireland, Belgium and Iran.
Regin is multi-staged and modular, capable of exfiltrating data from a variety of sources, including email servers, which allows continuous monitoring of the intelligence service's intended target. Regin hides its later stages by splitting them into blocks of limited size and storing them in NTFS extended attributes or in the Windows registry, so that no conventional file on disk holds the payload. One documented use of Regin is the monitoring of GSM networks, which allows sophisticated tracking of the users of those networks. Regin and its variants are still active today.
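Because the stages are stored as extended-attribute values rather than as files, a hunt for Regin-style staging has to look at the raw $EA data. The following is an added example written for this article (it is not code from the original post, nor from the Symantec or Kaspersky reports): it parses a buffer in the documented Windows FILE_FULL_EA_INFORMATION record layout, the same structure returned by NtQueryEaFile and stored in the NTFS $EA attribute, and flags entries that are both large and high-entropy, which is what an encrypted stage block looks like. The EA names, the sample blob and the size and entropy thresholds are constructed for illustration, not values taken from any Regin sample.

```python
import math
import struct
from dataclasses import dataclass

# FILE_FULL_EA_INFORMATION record: u32 NextEntryOffset, u8 Flags, u8 EaNameLength,
# u16 EaValueLength, then the ASCII name, a NUL terminator, and the value bytes.
# Records are 4-byte aligned; NextEntryOffset == 0 marks the last record.
_HDR = struct.Struct("<IBBH")


@dataclass
class EaEntry:
    name: str
    flags: int
    value: bytes


def parse_ea_blob(blob: bytes) -> list[EaEntry]:
    """Walk a raw $EA attribute (or an NtQueryEaFile buffer) and return its entries."""
    entries = []
    offset = 0
    while offset + _HDR.size <= len(blob):
        next_off, flags, name_len, value_len = _HDR.unpack_from(blob, offset)
        name_start = offset + _HDR.size
        name = blob[name_start:name_start + name_len].decode("ascii", "replace")
        value_start = name_start + name_len + 1  # skip the NUL after the name
        value = blob[value_start:value_start + value_len]
        if len(value) != value_len:
            raise ValueError(f"truncated EA value for {name!r} at offset {offset}")
        entries.append(EaEntry(name, flags, value))
        if next_off == 0:
            break
        if next_off < _HDR.size:
            raise ValueError(f"bad NextEntryOffset {next_off} at offset {offset}")
        offset += next_off
    return entries


def build_ea_blob(entries) -> bytes:
    """Inverse of parse_ea_blob; used here only to construct the sample input."""
    out = bytearray()
    for i, (name, flags, value) in enumerate(entries):
        body = _HDR.size + len(name) + 1 + len(value)
        padded = (body + 3) & ~3  # round up to the 4-byte record alignment
        next_off = 0 if i == len(entries) - 1 else padded
        out += _HDR.pack(next_off, flags, len(name), len(value))
        out += name.encode("ascii") + b"\x00" + value
        out += b"\x00" * (padded - body)
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Thresholds are assumptions for illustration, not figures from any Regin analysis.
SIZE_THRESHOLD = 512
ENTROPY_THRESHOLD = 7.0


def suspicious_eas(blob: bytes) -> list[str]:
    """Names of EAs large and random-looking enough to be hidden payload blocks."""
    return [
        e.name
        for e in parse_ea_blob(blob)
        if len(e.value) >= SIZE_THRESHOLD and shannon_entropy(e.value) >= ENTROPY_THRESHOLD
    ]


# Constructed sample: one small textual EA of the kind legacy software leaves behind,
# and one 4 KiB block whose bytes are uniformly distributed, standing in for an
# encrypted stage. The name "$STAGE2" is invented for this example.
SAMPLE_BLOB = build_ea_blob([
    (".LONGNAME", 0, b"legacy-os2-long-filename.txt"),
    ("$STAGE2", 0, bytes(range(256)) * 16),
])

if __name__ == "__main__":
    for e in parse_ea_blob(SAMPLE_BLOB):
        print(f"{e.name:12s} {len(e.value):6d} bytes  entropy={shannon_entropy(e.value):.2f}")
    print("suspicious:", suspicious_eas(SAMPLE_BLOB))
```

On a live Windows host the buffer would come from NtQueryEaFile on each directory and file of interest; during a forensic examination it can be carved from the $EA attribute of MFT records. Either way the parser is the same, and the entropy check is what separates the small, structured EAs that legitimate software writes from a block of ciphertext.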

Referred to by Kaspersky Lab as the stepbrother of Stuxnet, Duqu 2.0 has been attributed to Israel. This nation-state surveillance malware had intricate means of infection and survival, including anti-sniffer defenses and packet-injection code. Living almost entirely in random-access memory, with almost no persistence mechanism on disk, helped Duqu 2.0 avoid detection.

The more famous victims of Duqu 2.0 include Kaspersky Lab itself, compromised through a zero-day in the Windows kernel along with previously patched vulnerabilities. The reason for attacking Kaspersky is unknown, but the other well-known attack is clearly a nation state using malware for intelligence gathering.

The hotel and conference venues which hosted the P5+1 meetings where the nuclear negotiations with Iran were held were both infected with Duqu 2.0. The suspicion is that the VoIP phone systems at these locations were compromised, turning the phones into listening devices.

In what can best be described as state-sponsored malware as a service, F-Secure recently published a paper describing a group nicknamed the "Dukes". This cyberespionage group has targeted a wide variety of entities, ranging from western governments to groups associated with Chechen terrorism, using a family of Duke malware including PinchDuke, GeminiDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke and CloudDuke.

The Dukes appear to be well financed, and their activities are coordinated with those of the Russian Federation. Given the group's freedom of action, attacks carried out by this actor can safely be assumed to be approved by a security service.

Our discussion of state-sponsored malware must mention what may be the most serious cyber breach we know of, the OPM data breach. The Office of Personnel Management breach resulted in the loss of 21 million records, 5.6 million fingerprints and countless highly sensitive SF-86 forms, each containing 127 pages of information about an individual seeking a security clearance. The good news is that the Central Intelligence Agency did not use OPM. The bad news is that any federal employee whose records are absent from the stolen data can therefore be inferred to be a CIA employee.

While not all of the details of the breach are known, this much is. The breach started around March of 2014. It may have been discovered not by the Einstein intrusion detection system but by a vendor demonstrating a commercial forensics product. A contractor located in China had root access, and a group known as Deep Panda, a Chinese nation-state intrusion group, may have been involved. A seemingly separate data breach at Anthem Health has investigators looking at a link between the OPM breach and the Anthem breach: the group thought to be responsible for both events used a type of malware called Sakula, and the objective of both attacks appears to have been to build a Facebook of sorts on every federal employee and their families. The deep analytics one could perform on a data set that large could be useful for decades to come. While China has denied involvement, China and its allies would benefit greatly from the harvested information the OPM breach provided.

Nation-state actors involved in cyber intrusions recognize no political boundaries or limitations. Every government capable of doing so is engaged in an endless quest to use cyber as a tool to further its political ambitions or protect its population. We have covered a very small subset of what is going on daily, trying to remain apolitical in the process. Every day brings new reports of successful exploits against very well defended networks. If you are responsible for an IT infrastructure that has some value to an intelligence service, you are surely wondering how you can protect your environment against such an attack.

While a 100% bulletproof defense is impossible, the strategy recommended by the Department of Homeland Security and other agencies is one based on risk mitigation, with an increasing emphasis on continuous monitoring of controls to ensure not only their effectiveness in protecting assets but also the proper allocation of capital. Aligning your tactics with NIST's critical cyber infrastructure initiatives, and developing your workforce's cyber skills by focusing on training that improves your organization's ability to Identify, Protect, Detect, Respond and Recover, will at a minimum improve survivability against a nation-state cyberattack.
