When Governments Attack: Nation-State Malware Exposed

Gavin Phillips 15-09-2016

Cyberwar takes place every single day, all around us. We don’t see it and we’re not always directly affected by it, but we share the cost of every attack. Be that through monetary loss, services we cannot use, or even with the omnipresent backdrop that something might go down somewhere, malicious cyber activities perpetrated by nation-state threat-actors are on the rise.


It makes sense, really. You see how stupendously effective “regular” malware is. How easy is it to pick up an infection from an errant spam email, or for someone to plug an infected USB stick into a computer?

It stands to reason that governments with access to vast pools of knowledge, colossal funding, and an insurmountable desire to be one step ahead of both ally and enemy would realize the value in deploying incredibly sophisticated spyware and malware variants.

Let’s take a look at some of the most famous nation-state threats we’re aware of.

Nation-State Threats

The discovery of the powerful Pegasus spyware in 2016 once again highlighted the prominent role of cyber warfare in the 21st century. Every once in a while, security researchers discover a new strain of malware so significantly advanced that it points to only one thing: the funding and expertise of a nation-state threat-actor. These indicators vary, but can include specific infrastructure targets within a single target country, campaigns against specific dissident or terrorist groups, the use of previously unknown exploits, or simply the calling cards of specific language traces.

They’re usually well-funded, powerful, and designed for maximum damage or ultimate secrecy. Here are some nation-state malware and spyware variants security researchers have uncovered over the years.


Stuxnet

Perhaps the only nation-state malware carrying a real global renown (outside of cyber security and technology buffs), Stuxnet is believed to have been designed by the USA and Israel with the purpose of sabotaging Iran’s nuclear program, infamously destroying a number of centrifuges used in the uranium enrichment process.

While neither country has ever claimed the malware or the attack as their own (for obvious reasons), security researchers noted the Stuxnet malware made use of two zero-day vulnerabilities (out of some 20 zero-days included in the malware) previously used by the Equation Group, one of the NSA’s internal hacking groups.


This is a Remote Administration Tool (RAT) that has been seen in many attacks against high-profile military, government, and other political entities in the US. Emerging in 2012, TrapX is still active, evolving to elude detection as researchers capture and log different variations in its code.

A Common TrapX Infection
Image Credit: Typical PlugX Infection via TrendMicro


This malware was widely suspected to have been created by members of Chinese hacking group NCPH, allegedly in the service of the Chinese People’s Liberation Army — the armed forces of the Chinese government. One of the latest TrapX variants even included a message, hidden in its code, stating “”.

PlugX Sorry.I.Have.To.Do.This
Image Credit: Sorry.I.Have.To.Do.This via SecureList


Regin

Regin is a systematic spying tool widely considered to display a degree of technical competence and expertise that could only have been achieved with funding from a nation-state backer. When installed, the spyware would provide an almost unprecedented level of surveillance over a target, likely used against “government organizations, infrastructure operators, businesses, researchers, and private individuals.”

The Five Stages of Regin Malware
Image Credit: Five Stages of Regin via Symantec


The initial strain was observed in a number of infections between 2008 and 2011, when it suddenly ceased to infect new systems. However, it resurfaced in 2013, and following an increase in reported infections and the release of the Snowden archives, German news publication Der Spiegel named the NSA as the developers of Regin, noting “the targets thus far known are consistent with Five Eyes surveillance targets as outlined in the Snowden documents.”


Flamer

Another advanced malware variant linked to the Equation Group, Flamer was, at the time of its discovery, “certainly the most sophisticated malware” encountered. Flamer commenced operations as early as 2007, again focused on disrupting Iranian infrastructure projects, but infections were also found in a number of countries across the Middle East, including Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.

In an interview with RT, Kaspersky malware expert Vitaly Kamlyuk indicated that Flamer was “actually on the same level as the notoriously known Stuxnet and Duqu [attacks] … we suspect that there is a nation state behind the development of this cyber attack, and there are good reasons for that.” He later continued “It’s pretty advanced — one of the most sophisticated [examples of] malware we’ve ever seen.”


Gauss

Kaspersky Lab security experts discovered the Gauss threat in 2012, swiftly deciding it was a nation-state malware. Gauss was designed to target users throughout the Middle East, with a specific focus on the theft of “browser passwords, online banking credentials, cookies, and specific configurations of infected machines.” At the time of the report, the spread of infections covered the following countries:


[Image: Gauss Total Infection Users]

As well as these ten countries, a further 15 reported one or two infections, the vast majority located in the Middle East.

Gauss shared some attack characteristics with Stuxnet and Flamer, but used especially advanced methods to infect USB sticks. It could also disinfect a drive under certain circumstances.


ProjectSauron

Also known as PS, this hasn’t made many headlines, because it is just so rare. It also possesses a level of sophistication that could only be achieved through multiple years of development, with many dedicated teams working on the project. Incredibly, the first instance of PS was found in 2015, but security researchers estimate it had been active for at least five years. The “ProjectSauron” name reflects a reference in the code to “Sauron,” antagonist of The Lord of the Rings.

ProjectSauron APT
Image Credit: ProjectSauron APT via Kaspersky

PS is impressive for a number of reasons, but here are two: it treats each target individually, i.e. the software artifacts are unique for each infection, and it has been found on computers so sensitive they have no network connections whatsoever. The infection has been found on “government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions in Russia, Iran, Rwanda, China, Sweden, Belgium, and possibly in Italian-speaking countries.”

The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.


In 2013 Edward Snowden leaked highly sensitive data to a number of news outlets concerning the operation of numerous top secret government data surveillance schemes. Operated by the NSA in the US, and GCHQ in the UK, these programs intercept data from the fibre-optic cables making up the backbone of the internet, and are used to access vast amounts of private and personal information without any prior suspicion or targeting.

The revelation of these colossal spying networks caused international fallout as it emerged that not only the public were being spied upon, but high level members of governments around the globe were equal (and desirable) targets.

Tip of the Iceberg

As you can see, these nation-state threat-actors command some of the most powerful malware and spyware variants currently known to security researchers. ProjectSauron also makes it painfully clear that we will very likely stumble across similar variants, or worse, in the coming years, a list to which we can already add Pegasus.

World War C

Cyber conflict will become perpetual. Exacerbated by growing resource consumption, an ever growing global population and unyielding mistrust between global powers, the battle can only go one way.

Cyber conflict often mirrors traditional conflict. For example, China uses high-volume cyber attacks similar to how it used infantry during the Korean War. Many Chinese soldiers were sent into battle with only a handful of bullets. Given their strength in numbers, they were still able to achieve battlefield victories. On the other end of the spectrum lie Russia, the U.S., and Israel, whose cyber tactics are more surgical, reliant on advanced technologies and the cutting-edge work of contractors who are driven by competition and financial incentives.

Dubbed “World War C” by eminent security research firm FireEye, continued escalation is likely to cause civilian deaths when one nation-state oversteps the mark. Take the above example, and consider the ongoing situation in Syria. We have sets of rebels being armed, without an understanding of the legacy this will leave. Granting hacking groups free rein to attack other nations could easily end with unexpected results for both victim and perpetrator.

Serious cyber attacks are unlikely to be motiveless. Countries carry them out to achieve certain ends, which tend to reflect their broader strategic goals. The relationship between the means chosen and their goals will look rational and reasonable to them if not necessarily to us.

— Martin Libicki, Senior Scientist at RAND Corp

The emergence of extremely powerful malware and spyware also raises questions of exactly how nation-state developers maintain their own security and stop these variants falling into cybercriminal hands. For instance, security research firm SentinelOne discovered “a sophisticated malware campaign specifically targeting at least one energy company.” But they found the malware on an underground forum, which is extremely rare for such an advanced tool.

Everyone Loses

Like most wars, there are very few winners, versus a colossal amount of losers. Vitaly Kamlyuk also had this to say:

I think that humanity is losing to be honest, because we are fighting between each other instead of fighting against global problems which everyone faces in their lives.

Whenever there is war, physical or cyber, it diverts attention and resources from other problems facing the global community. Perhaps this is just another battle, out of our control, that we’ll all have to learn to live with.

Do you think “war is war” or does cyberwar have the potential to spiral out of control? Are you worried about the actions of your government? How about “weaponized” malware falling into “common” cybercriminal hands? Let us know your thoughts below!
