If the NSA can track you – and we know it can – so can cybercriminals.
Theories, rumour and conjecture had suggested for years that the security services had the means to monitor digital communications, but nobody knew for sure until Edward Snowden blew the whistle on the whole sorry situation.
Since these revelations came to light, the NSA in America and GCHQ in the UK have become forever linked with the paranoia of population monitoring, using software to establish a virtual panopticon and look out for undesirable behaviour. (What they do next, of course, depends upon who you are, but we believe that you can avoid their surveillance.)
Recently, various tools believed to have been employed by the NSA have come to light. And the techniques behind them can be turned against you.
Cyber-Espionage Techniques: Because No Idea Is Unique
Remember that idea for a book you had, only to find out that someone else had already done it? Or the Android app that was totally your idea, until you had the sense to check and found that actually, no, it wasn’t only your idea.
The same is true of malware and government-sponsored software designed to find out more about what you’re doing. If the NSA has these tools at its disposal, it won’t be long before foreign powers have them too (if they don’t already).
But the real threat to your day-to-day online security and privacy doesn’t come from governments. It comes from the scammers, the criminals out to steal your identity, extort your bank balance and ruin your life so that they can line their pockets.
Over the past few years, cyber-espionage techniques and tools have been spotted: anti-privacy weapons that governments can use against you. But who’s to say that the scammers can’t use those same, or similar, tools?
Spyware In Your Hard Disk Drive
You may recently have read about the discovery of an international spyware operation, attributed by Kaspersky Lab to a threat actor it calls the Equation Group and linked by Reuters’ sources to the NSA. It involves surveillance software that hides in the firmware of hard disk drives from a dozen manufacturers, including Western Digital, Toshiba, Seagate, IBM, Micron and Samsung Electronics, and it is described by Kaspersky as “outstandingly professional.”
“Kaspersky Lab’s experts can confirm they have discovered a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.”
The spyware hides by reprogramming the drive’s own firmware, which anti-virus software cannot read, and it survives reformatting: the malicious firmware keeps a hidden storage area that persists no matter what the operating system does to the partitions, so the usual secure-erase tricks are believed to be useless. Kaspersky also noted that there is no practical way to inspect a drive’s firmware from the host, so an infected drive cannot be verified, let alone cleaned, by the computer it is attached to. Once the infected machine is online, files can be stolen from it. So far most infections have been found in Iran, Russia, Pakistan, Afghanistan and China, among other countries, and targets have included governments, banks, military installations and even Islamic activists and scholars.
How the malicious firmware gets onto a drive is not entirely clear. Kaspersky found a module that reflashes the drive from an already-infected computer using the manufacturers’ undocumented commands, which means the attackers had detailed knowledge of proprietary firmware; introduction at the manufacturing plants, or some unofficial acquiescence by the manufacturers, shouldn’t be ruled out. What also shouldn’t be ruled out is the potential for this same tactic to be used by malware developers who target consumers: you and me.
Stuxnet: Because You Don’t Have To Be Processing Nuclear Materials
We all know Stuxnet as the worm used to sabotage the uranium-enrichment centrifuges of Iran’s nuclear programme. In an interview with Jacob Appelbaum, conducted in May 2013 and published that July in the German news magazine Der Spiegel, Snowden stated that “The NSA and Israel wrote Stuxnet together,” but this only confirmed what was already widely suspected.
But Stuxnet is a threat beyond the world of industrial applications. It was designed to target Siemens programmable logic controllers (PLCs) by way of the Windows computers running the Siemens Step7 software used to program them, and PLCs aren’t only found in centrifuges and factory assembly lines. They control some very heavy machinery, including the rides at amusement parks.
That’s right: a rollercoaster at a busy theme park could, in principle, be targeted by a Stuxnet-like worm. I think we can all agree that the results would be catastrophic.
Stuxnet has three components: the worm, which executes the attack and spreads; a Windows shortcut (.LNK) file which, thanks to a flaw in how Windows Explorer rendered shortcut icons, automatically executed the worm’s copies from a removable drive as soon as the drive’s contents were viewed; and the rootkit, which hides the malicious files used in the attack.
Most importantly, Stuxnet is introduced to a system via a USB flash drive (once inside, it also spread across the local network), and it only becomes active if it finds the Siemens Step7 software or a computer controlling a PLC, otherwise staying dormant. Propagation via USB drives has since been seen in other malware, such as Flame, while the BadUSB research showed that a USB device’s own firmware can be turned against the host. Duqu, which shares code with Stuxnet, is a reconnaissance tool used to gather information from industrial-control-system vendors rather than to sabotage them.
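The shortcut-file trick above is worth seeing in bytes. The following Python script is an added example, not code from this article or from Stuxnet itself. It parses the header and item ID list of a Windows shortcut (.LNK) file as laid out in Microsoft’s MS-SHLLINK specification, pulls out any UTF-16 strings embedded in the item IDs, and flags shortcuts that refer to a DLL or .tmp file. That is the shape Stuxnet’s shortcuts had: the path of a loader on the USB drive sat inside the item ID list, and Explorer loaded it just to draw the icon. The two sample shortcuts, the `loader.tmp` name, the `USBSTOR` path and the extension heuristic are constructed for illustration, and the scanner inspects only the item ID list, not the other fields of the file.

```python
"""Heuristic scanner for Stuxnet-style Windows shortcut (.LNK) files (added example)."""
import os
import re
import struct

HEADER_SIZE = 0x4C                                   # fixed ShellLinkHeader length
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046} on disk
HAS_LINK_TARGET_ID_LIST = 0x00000001                 # LinkFlags bit 0

# Runs of at least four printable-ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Heuristic (assumption for this example): a shortcut's target list should never
# name a DLL, and a .tmp file loaded as code is how Stuxnet disguised its loader.
SUSPICIOUS_EXT = re.compile(r"\.(?:dll|tmp)$", re.IGNORECASE)


def is_shell_link(data: bytes) -> bool:
    """True if data starts with a well-formed ShellLinkHeader."""
    if len(data) < HEADER_SIZE:
        return False
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    return header_size == HEADER_SIZE and clsid == LINK_CLSID


def parse_id_list(data: bytes) -> list[bytes]:
    """Return the ItemID payloads (minus their 2-byte size) of the LinkTargetIDList."""
    if not is_shell_link(data):
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 20)     # LinkFlags follows HeaderSize + CLSID
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    offset = HEADER_SIZE
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    offset += 2
    end = offset + id_list_size
    if end > len(data):
        raise ValueError("truncated LinkTargetIDList")
    items = []
    while offset + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, offset)
        if item_size == 0:                            # TerminalID ends the list
            break
        if item_size < 2 or offset + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[offset + 2:offset + item_size])
        offset += item_size
    return items


def embedded_strings(items: list[bytes]) -> list[str]:
    """UTF-16LE strings found inside the item IDs (names, paths, device IDs)."""
    return [m.group().decode("utf-16-le") for item in items for m in UTF16_RUN.finditer(item)]


def scan_lnk(data: bytes) -> dict:
    """Scan one shortcut; 'suspicious' lists embedded references to DLL/.tmp files."""
    items = parse_id_list(data)
    strings = embedded_strings(items)
    return {"items": len(items), "strings": strings,
            "suspicious": [s for s in strings if SUSPICIOUS_EXT.search(s)]}


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk a mounted volume (e.g. a USB stick) and report suspicious .lnk files."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_shell_link(data):
                hits = scan_lnk(data)["suspicious"]
                if hits:
                    report[path] = hits
    return report


def build_lnk(item_ids: list[bytes]) -> bytes:
    """Build a minimal .LNK holding only a header and the given item IDs (sample helper)."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples. The benign one names a folder; the suspicious one mimics the
# shape of Stuxnet's shortcuts: an item whose payload is the path of a loader on a
# removable volume. All names and device IDs here are made up for the example.
BENIGN_LNK = build_lnk([
    b"\x1f\x50" + bytes(16),
    b"\x31\x00\x00\x00" + "Documents".encode("utf-16-le") + b"\x00\x00",
])
SUSPICIOUS_LNK = build_lnk([
    b"\x1f\x50" + bytes(16),
    b"\x1f\x80" + bytes(16),
    b"\x1e\x00" + "\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Example#\\loader.tmp".encode("utf-16-le") + b"\x00\x00",
])
```

Run `scan_directory("/media/usb")` (or the drive letter on Windows) against a freshly mounted stick to list every shortcut that embeds a DLL or .tmp path; a legitimate shortcut to a document or folder yields nothing, while the constructed `SUSPICIOUS_LNK` sample reports its `loader.tmp` path. The heuristic is deliberately narrow and will not catch a shortcut that hides its target elsewhere in the file.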
Regin: The Stealthy Spyware Platform
As if the prospect of Stuxnet impacting systems where families are out to enjoy themselves isn’t bad enough, you really need to hear about Regin, a nation-state sponsored spyware platform that is designed to remain stealthy.
Believed to have been in use since at least 2008, it became known through attacks on the European Commission and the European Council, on the Belgian telecoms company Belgacom and on the noted Belgian cryptographer Jean-Jacques Quisquater. Remnants of the code were sent to Microsoft, which dubbed the spyware “Regin” and added detection for it to its security software (detection for Regin.A was later joined by Regin.B).
The principles used in this spyware could, and perhaps have already, been adopted by criminal scammers targeting you. But why copy Regin?
“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless.”
Fingers pointed at GCHQ and the NSA, and in January 2015 Der Spiegel published a keylogger from the Snowden documents that Kaspersky found to be a component of Regin, which all but confirmed it. Interestingly, Regin’s ability to target the GSM base station controllers of cellular networks is very similar to NSA programs revealed by Snowden’s leaks called MYSTIC and SOMALGET, which tap mobile networks, collect metadata and record calls without the knowledge of those talking (and perhaps even of the network’s operator).
Regin is a malware developer’s nirvana. It unpacks in six stages, an unencrypted dropper followed by five encrypted stages that each decrypt and load the next, so only an innocuous-looking first stage is ever visible on disk, and it carries a remote access Trojan, keystroke logger, clipboard sniffer, password sniffer, tools to detect and read USB devices and the ability to scan for and retrieve deleted files. Symantec’s summary of it is worth reading in full.
It’s basically a nightmare. While the smart money is on Regin targeting private companies, governments and educational/research institutions (and individuals, such as a member of German Chancellor Angela Merkel’s staff), you should still beware. Even if you are never infected by Regin, consumer-targeted malware using some or all of its design principles cannot be far away.
Call of the Wild
All of these tools have been “caught” in the wild, either because samples surfaced on scanning services such as VirusTotal or because security vendors obtained and dissected them, and in Regin’s case code from the Snowden documents was published that tied it to its origins.
Current anti-virus tools can detect and remove these threats (the disk firmware implant excepted: once a drive’s firmware has been reflashed, nothing running on the host can verify or clean it), and while they’re unlikely to target you in their current form, there is a good chance that their design principles and concepts could be adopted, and in some cases already have been, by criminal malware developers.
These tools were ostensibly developed to protect you, but they will eventually be used to harm you.