In recent months numerous hacking campaigns have been uncovered by security firms. In many cases, they have been attributed to state-sponsored hackers.
Groups of hackers belonging to cyber units of several governments used sophisticated malicious code and hacking platforms to compromise computer networks worldwide. Private companies, government entities, critical infrastructure and citizens are all potential targets.
The overall activities of government entities in cyberspace are generally described as the “militarization of the cyberspace.” Governments are investing significant resources to improve their cyber capabilities, creating ‘cyberarmies’ to defend attacks from cyber space.
The debate about cyber weapons intensified after the discovery of the Stuxnet malware in 2010. Stuxnet was used by western entities to interfere with the Iranian nuclear program by sabotaging the centrifuges at the Natanz nuclear plant. A few months after the detection of Stuxnet, other malware was discovered - Flame and Duqu are two other high-profile cyber espionage tools that were used by state-sponsored actors.
Even when state-sponsored malware is discovered by security firms, the vulnerabilities it exploits are targeted by attackers for a long time, causing serious damage to unpatched systems. Consider the Stuxnet virus - its code exploited the Windows Shell in Microsoft Windows XP systems, coded as CVE-2010-2568 and patched four years ago. Unfortunately, the vulnerability is still being used in cyberattacks targeting millions of computers worldwide.
Malware researchers at Kaspersky Lab discovered that between November 2013 and June 2014, the same Windows Shell vulnerability was exploited 50 million times in attacks against nearly 19 million machines all over the world.
In late 2013 Kaspersky Lab’s Global Research & Analysis Team started a new investigation after several attacks hit the computer networks of various diplomatic service agencies. The attacks were part of a large-scale cyber-espionage operation dubbed “Red October,” inspired by the famous novel and movie “The Hunt For Red October”. The campaign acquired sensitive information from diplomatic, governmental and scientific research organizations in many countries, spanning Eastern Europe, the former USSR and Central Asia.
The malware and control infrastructure used in the attacks was highly sophisticated, which may indicate government involvement.
In March 2014 researchers at BAE Systems Applied Intelligence unearthed a cyber espionage campaign codenamed “Snake” that targeted governments and military networks. “Snake” had remained undetected for at least eight years.
Many other campaigns have been attributed to state-sponsored hackers. These are typically characterized by the nature of the targets, the level of sophistication and the duration of the attacks, which often take years to discover.
The U.S., Israel, Russia and China are considered the most advanced countries in cyber space, with their experts able to develop malware that could hit foreign networks and exfiltrate data in a covert way. They can also manage hacking campaigns that compromise their opponents’ infrastructures.
In many cases governments run operations concurrently with conventional attacks. Covert cyberattacks, for example, were blamed on Russia during its 2008 war with Georgia. The finger of suspicion was also pointed at Moscow over cyber offensives during the recent crisis in the Crimean peninsula.
European governments are also investing in malware development. Malicious code R2D2 (also known as “0zapftis” or “Bundestrojaner”) is an example of efforts by the German police and customs officials to spy on users and exfiltrate data from their PCs.
In March Mikko Hyppönen, chief research officer of security specialist F-Secure told the TrustyCon conference in San Francisco that almost every government is making an effort to improve its cyber capabilities.
Most of the hacking campaigns conducted by governments make use of highly sophisticated malware to compromise their targets - in many cases the code is designed to exploit zero-day vulnerabilities in the target’s infrastructure.
This malware, however, could easily go out of control. In another scenario, a “threat actor” could reverse engineer the source code and spread it “in the wild.” Cyber criminals, cyber terrorists and state sponsored hackers could enhance the malware and hit targets in an unpredictable way, making it difficult to identify the attack’s source.
The availability of government-built malware is also having a significant impact on the criminal underground - the main customers for zero-day exploits and malware coding services are governments. Some security experts, for example, believe that two different Ukraine-based malware factories were behind Stuxnet’s coding, acting like “sub-contractors” for the U.S. and Israeli Governments.
What is the role of security companies in the militarization of cyber space?
Some experts have argued that computer security companies may not prevent the spread of government-built malware in exchange for government favors.
The suspicion that security firms have “whitelisted” state-sponsored malware is certainly disconcerting - a policy like this would represent a serious menace to the overall Internet community. It also opens the door to a scary scenario in which a cyber weapon could run out of control.
Similar to nuclear armaments, the use of state-sponsored malware needs to be regulated by a legal framework and accepted on a global scale, establishing the rules of engagement.
Be aware, however - we are all nodes of a global network, and whoever controls this network will control the world. Governments will continue to focus their research on the development of new cyber weapons, including sophisticated malware that in the wrong hands, could be a dangerous menace.
Pierluigi Paganini is the author of the book “The Deep Dark Web” and founder of the Security Affairs blog.