When Governments Attack: Nation-State Malware Exposed
Cyberwar takes place every single day, all around us. We don’t see it and we’re not always directly affected by it, but we all share the cost of every attack, whether through monetary loss, services we cannot use, or simply the ever-present worry that something, somewhere, might go down. Malicious cyber activities perpetrated by nation-state threat actors are on the rise.
It makes sense, really. You see how stupendously effective “regular” malware is. How easy is it to pick up an infection from an errant spam email, or for someone to plug an infected USB stick into a computer?
It stands to reason that governments with access to vast pools of knowledge, colossal funding, and an overwhelming desire to stay one step ahead of both ally and enemy would see the value in deploying incredibly sophisticated spyware and malware variants.
Let’s take a look at some of the most famous nation-state threats we’re aware of.
The discovery of the powerful Pegasus spyware in 2016 once again shone a light on the prominent role of cyber warfare in the 21st century. Every once in a while, security researchers discover a new strain of malware so significantly advanced that it points to only one thing: the funding and expertise of a nation-state threat actor. These indicators vary, but can include specific infrastructure targets within a single country, campaigns against specific dissident or terrorist groups, the use of previously unknown exploits, or simply the calling cards of specific language traces left in the code.
They’re usually well-funded, powerful, and designed for maximum damage or ultimate secrecy. Here are some nation-state malware and spyware variants security researchers have uncovered over the years.
Perhaps the only nation-state malware with real global renown (outside of cyber security and technology buffs), Stuxnet is believed to have been designed by the USA and Israel with the purpose of sabotaging Iran’s nuclear program, infamously destroying a number of centrifuges used in the uranium enrichment process.
While neither country has ever claimed the malware or the attack as their own (for obvious reasons), security researchers noted that Stuxnet made use of two zero-day vulnerabilities (out of some 20 zero-days included in the malware) previously used by the Equation Group, one of the NSA’s internal hacking groups.
TrapX is a Remote Administration Tool (RAT) that has been seen in many attacks against high-profile military, government, and other political entities in the US. Emerging in 2012, TrapX is still active, evolving to elude detection as researchers capture and log different variations of its code.
This malware was widely suspected to have been created by members of Chinese hacking group NCPH, allegedly in the service of the Chinese People’s Liberation Army — the armed forces of the Chinese government. One of the latest TrapX variants even included a message, hidden in its code, stating “SORRY.i.have.to.do.this”.
Regin is a systematic spying tool widely considered to display a degree of technical competence and expertise that could only have been achieved with funding from a nation-state backer. Once installed, the spyware provides an almost unprecedented level of surveillance over a target, and was likely used against “government organizations, infrastructure operators, businesses, researchers, and private individuals.”
The initial strain was observed in a number of infections between 2008 and 2011, when it suddenly ceased to infect new systems. However, it resurfaced in 2013, and following an increase in reported infections and the release of the Snowden archives, German news publication Der Spiegel named the NSA as the developers of Regin, noting “the targets thus far known are consistent with Five Eyes surveillance targets as outlined in the Snowden documents.”
Flamer, another advanced malware variant linked to the Equation Group, was at the time of its discovery “certainly the most sophisticated malware” encountered. Flamer commenced operations as early as 2007, again focused on disrupting Iranian infrastructure projects, but infections were also found in a number of countries across the Middle East, including Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
In an interview with RT, Kaspersky malware expert Vitaly Kamlyuk indicated that Flamer was “actually on the same level as the notoriously known Stuxnet and Duqu [attacks] … we suspect that there is a nation state behind the development of this cyber attack, and there are good reasons for that.” He later continued “It’s pretty advanced — one of the most sophisticated [examples of] malware we’ve ever seen.”
Kaspersky Lab security experts discovered the Gauss threat in 2012, quickly concluding that it was nation-state malware. Gauss was designed to target users throughout the Middle East, with a specific focus on the theft of “browser passwords, online banking credentials, cookies, and specific configurations of infected machines.” At the time of the report, the spread of infections covered the following countries:
As well as these ten countries, a further 15 reported one or two infections, the vast majority located in the Middle East.
Gauss shared some of the same attack traits as Stuxnet and Flamer, though it used especially advanced methods to infect USB sticks. It also had the capability to disinfect a drive under certain circumstances.
ProjectSauron, also known as PS, hasn’t caught many headlines, because it is just so rare. It also possesses a level of sophistication that could only be achieved through multiple years of development, with many dedicated teams working on the project. Incredibly, the first instance of PS was found in 2015, but security researchers estimate it had been active for at least five years. The “ProjectSauron” name reflects a reference in the code to “Sauron,” the antagonist of The Lord of the Rings.
PS is impressive for a number of reasons, but here are two: it treats each target individually, i.e. the software artifacts are unique for each infection, and it has been found on computers so sensitive they have no network connections whatsoever. The infection has been found on “government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions in Russia, Iran, Rwanda, China, Sweden, Belgium, and possibly in Italian-speaking countries.”
The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.
In 2013 Edward Snowden leaked highly sensitive data to a number of news outlets concerning the operation of numerous top secret government data surveillance schemes. Operated by the NSA in the US, and GCHQ in the UK, these programs intercept data from the fibre-optic cables making up the backbone of the internet, and are used to access vast amounts of private and personal information without any prior suspicion or targeting.
The revelation of these colossal spying networks caused international fallout as it emerged that not only the public were being spied upon, but high-level members of governments around the globe were equally (and desirably) targeted.
Tip of the Iceberg
As you can see, these nation-state threat actors command some of the most powerful malware and spyware variants currently known to security researchers. ProjectSauron also makes it painfully clear that we will very likely stumble across similar variants, or worse, in the coming years, a list to which we can already add Pegasus.
World War C
Cyber conflict will become perpetual. Exacerbated by growing resource consumption, an ever-growing global population, and unyielding mistrust between global powers, the battle can only go one way.
Cyber conflict often mirrors traditional conflict. For example, China uses high-volume cyber attacks similar to how it used infantry during the Korean War. Many Chinese soldiers were sent into battle with only a handful of bullets. Given their strength in numbers, they were still able to achieve battlefield victories. On the other end of the spectrum lie Russia, the U.S., and Israel, whose cyber tactics are more surgical, reliant on advanced technologies and the cutting-edge work of contractors who are driven by competition and financial incentives.
Dubbed “World War C” by eminent security research firm FireEye, continued escalation is likely to cause civilian deaths when one nation-state oversteps the mark. Take the above example, and consider the ongoing situation in Syria. We have sets of rebels being armed, without an understanding of the legacy this will leave. Granting hacking groups free rein to attack other nations could easily end with unexpected results for both victim and perpetrator.
Serious cyber attacks are unlikely to be motiveless. Countries carry them out to achieve certain ends, which tend to reflect their broader strategic goals. The relationship between the means chosen and their goals will look rational and reasonable to them if not necessarily to us.
— Martin Libicki, Senior Scientist at RAND Corp
The emergence of extremely powerful malware and spyware also raises the question of exactly how nation-state developers maintain their own security and stop these variants from falling into cybercriminal hands. For instance, security research firm SentinelOne discovered “a sophisticated malware campaign specifically targeting at least one energy company.” But they found the malware on an underground forum, which is extremely rare for such an advanced tool.
Like most wars, there are very few winners and a colossal number of losers. Vitaly Kamlyuk also had this to say:
I think that humanity is losing to be honest, because we are fighting between each other instead of fighting against global problems which everyone faces in their lives.
Whenever there is war, physical or cyber, it diverts attention and resources from other problems facing the global community. Perhaps this is just another battle, out of our control, that we’ll all have to learn to live with.
Do you think “war is war” or does cyberwar have the potential to spiral out of control? Are you worried about the actions of your government? How about “weaponized” malware falling into “common” cybercriminal hands? Let us know your thoughts below!