“We’re not creative enough when we imagine cyber warfare,” F-Secure Security Advisor Sean Sullivan recently told me. “It’s not kinetic explosions. It could be a guy whose crimeware business has dried up and is looking for new business.”
Over the last week, F-Secure Labs has taken a look at attacks from the “Energetic Bear” hacking group, Havex, which targets the energy sector, and now CosmicDuke, which is aimed at targets in Ukraine, Poland, Turkey, and Russia.
The goal of these attacks seems to be espionage or gathering information up for a buyer, which could be a government. But the methods don’t match the precision and massive investment of manhours that went into an attack like Stuxnet, which was designed to take down Iran’s nuclear capabilities.
“They rely on plausible deniability and using resources that don’t seem to be created specifically for the task,” Sean said. “It matches the modular methodology of what we conventionally think of as crimeware.”
“You look at one element and it looks like crimeware,” said F-Secure Senior Researcher Timo Hirvonen, who wrote the CosmicDuke analysis. “You look at it from a different angle and you say, ‘I’ve never seen it aimed like that before.'”
“The conventional wisdom is that anything related to cyber warfare will be shiny and new,” Sean said. These attacks instead suggest “semi-professionalism”.
Here are three questions Sean is pondering in the wake these attacks:
What do we mean when we say state-sponsored?
“Cyber warfare models real life,” Sean said. “Some countries have a massive cyber intelligence infrastructure that works from the top down. Others seem to have a more grassroots origin, co-opting existing technologies that seem to be built on existing crimeware.”
He wonders if state-focused campaigns are using malware that isn’t necessarily state-sponsored. “Countries who use troops with black masks and no insignias standing on a peninsula may have the same kind of thing going online.”
Opportunistic and pragmatic governments may be paying people to co-opting technology that exist for international espionage purposes.
He suggests the goals of such attacks may fit into Sun Tzu’s advice from The Art of War: know your enemy.
Armed with information, countries can use soft power to turn allies against each other and dissuade retribution like economic sanctions.
What do we mean by APT — advanced persistent threat?
These attacks are not complex in the way Stuxnet was. And they don’t need to be.
CosmicDuke — a variant of a malware family that has existed since 2001– infects by tricking targets into opening either a PDF file which contains an exploit or a Windows executable whose filename makes it look like a document or image file.
Once the target opens the malicious file, CosmicDuke gains access starts collecting information with a keylogger, clipboard stealer, screenshotter, and password stealers for a variety of popular chat, e-mail and web browsing programs. CosmicDuke also collects information about the files on the system, and has the capability to export cryptographic certificates and their private keys. Once the information has been collected, it is sent out to remote servers via FTP. In addition to stealing information from the system, CosmicDuke allows the attacker to download and execute other malware on the system. Pretty standard stuff.
Is the war against crimeware driving criminals to cyber espionage? Or: Could be fighting cybercrime be counterproductive?
“Some of these guys may be working for the government and themselves,” Sean said.
A wave of successes in the international war on cybercrime may be driving criminals to new buyers.
“The talent developed on its own,” he said. “And now there’s a government taking advantage of talent in their borders. Law enforcement has been going after crimeware. But it doesn’t go away. It’s fungible. The talent’s still there it needs to make a buck.”
Sean believes there’s a message in these attacks for everyone.
“It’s not just the NSA that hunts system admins. If you have any sort of credentialed access to important systems, you are a target. Keep calm and secure your stuff.”
He hopes that businesses will recognize that prevention is always the best remedy.
“For IT managers: ask for the security budget you need – and fight for it. There is more evidence than ever that letting cost dictate security is bad management.”
If governments are willing to work with increasingly opportunistic malware authors, risks could grow exponentially.
“Is today’s crimeware botnet, tomorrow’s national security nightmare?” Sean asks. “What happens when these guys get out of jail? I’m sure they won’t let the talent go fallow.”
IT companies used to have a pretty bad image. It’s not that they’re bad companies giving people bad jobs. They just never screamed “job satisfaction” to the general public. The stereotype of IT companies as inhuman, mundane places to work became so well-known that a hilarious comedy from the 90’s called Office Space satirized the idea. The movie told the story of a disgruntled programmer who rebelled against the soulless, life-sucking office environment of the IT company he worked for in order to find happiness. The movie and the stereotype are a bit old now. But I think it’s still safe to assume that the environment represented in Office Space, and the lifestyles of the people who work there, is something everyone would like to avoid. And according to Universum – a research firm that specialized in employer branding – F-Secure is ahead of the game in offering people a place where they’d actually LIKE to work. At least according to IT students. F-Secure was ranked as the 4th most attractive employer amongst Finnish IT students in Universum’s 2016 Most Attractive Employers ranking (up from 5th in last year’s rankings), beat out only by Google, Microsoft, and Finnish game company Supercell. So what is it that makes F-Secure such an appealing employer? Well, here’s a few things we’re doing that separates us from the kind of company shown in Office Space. We don't box people into cubicles People at F-Secure aren’t expected to isolate themselves from other Fellows and sit by themselves in cubicles. Our Fellows work together in whatever way makes them feel comfortable. In fact, as a global company with offices and people working all over the world, we often think outside the box and take whatever approach lets people work together to get the best results. We don’t stop at securing computers – we secure society This sentiment, recently expressed by F-Secure Chief Research Officer Mikko Hypponen, highlights the importance of what we do at F-Secure. We deal with real adversaries and security threats, whether that’s an advanced persistent threat group working on behalf of a government, or a gang of online extortionists looking to spread ransomware or steal data to blackmail people. Having active adversaries to work against presents us with a constantly evolving set of threats to people and companies. The opportunity to combat those threats makes our days challenging, but exciting and fulfilling. We know how to chill out Cyber security is a tough business. As mentioned above, we deal with real adversaries and threats. When we’re doing our jobs, we’re focused 100% on winning. But we also understand it’s important to be able to unwind, so Fellows are encouraged to enjoy themselves at work. Our HQ has things like a sauna, a gym, games, and other things for people to enjoy when they need to step out of the fight for a few minutes. With great power comes great responsibility, but everyone needs some time to chill out (even if it’s in a scorching hot sauna). So F-Secure has a lot going for it, and based on Universum’s rankings, it looks like that’s paying off. But why don’t you tell us what’s most important to you in a workplace. Finnish IT students already think F-Secure would be a great place to work, but we’re always ready to do more. And why not check out our current openings to see if there’s a place that’s right for you. [polldaddy poll=9407357] Image: A team of Aalto University students that won an award for a software project sponsored by F-Secure. Read more here.
Today is World Press Freedom Day – a day created by UNESCO in recognition of the importance of free speech, as well as the important role journalists play in using this right to help inform citizens about what’s going on with the world around them. This year’s main event is being held in Helsinki, Finland, and co-hosted by the Finnish government. There was lots happening at Finlandia Hall – the event’s “ground zero”. And because Finland is home to F-Secure’s headquarters, we were there in full force to express our support for the journalists who, according to Reporters without Borders, put their privacy, freedom, and even their lives on the line to keep us all informed. Mikko Hypponen, F-Secure’s Chief Research Officer, delivered a keynote address ahead of a discussion called “Protecting your rights: Surveillance Overreach, Data Protection, and Online Censorship”. “But right now, over the last couple of years, the biggest changes in this field have not been with online crime. They’ve been with governments entering the online, cyber attack business,” Hypponen told the audience. [youtube https://www.youtube.com/watch?v=l4InPx7xraI?start=754] After his speech, Mikko shared some additional thoughts on Apple vs. the FBI, and World Press Freedom Day. [youtube=https://www.youtube.com/watch?v=BBINozrQGlc&w=420&h=315] Sean Sullivan was also there, along with one of F-Secure Labs’ forensic analysts to help journalists check their devices, and provide security tips on how they can protect their data. “Without privacy, we can’t have free press. And without a free press, we cannot have democracy. And without democracy, we cannot have freedom,” Mikko told the audience. And that’s not just rhetoric – it’s something we’re backing up. Any journalist interested in using encryption to protect themselves against unwanted surveillance can get in touch with us before May 15 to get a free, 3-device, 12-month subscription for F-Secure's Freedome VPN, which lets users encrypt their communications, block tracking attempts and malicious websites, and change their virtual location. All journalists need to do is send a confirmation of their valid press credentials (for example, an image) by direct message to our Twitter feed (@FSecure) before May 15. Edited to add: We also caught a panel discussion about digital threats to journalists with F-Secure Cyber Security Advisor Erka Koivunen, Tanzanian journalist and newspaper editor Dennis Msacky, and University professor, writer and journalist Hanna Nikkanen. [youtube=https://www.youtube.com/watch?v=WYifFDj2UaI&w=420&h=315]
Collision is coming to a close today, and what a week it’s been. F-Secure’s Chief Research Officer Mikko Hyppönen was there earlier in the week, and gave a compelling talk on the evolution of cyber crime. He also gave a quick post-talk interview, so check out this Quickfire article to learn who Mikko thinks deserves a slap in the face. F-Secure also ran a basic Wi-Fi experiment at Collision*, similar to ones conducted in 2014 and 2015. While the experiment conducted at Collision had a smaller scope than our previous investigations, it does prove that people are still pretty promiscuous when it comes to connecting to public Wi-Fi hotspots without the proper protection, such as a VPN. In the first two days of Collision, we observed nearly one hundred people connecting to a phony Wi-Fi hotspot. And none of them were encrypting their traffic. Connecting to a phony Wi-Fi hotspot can open the door to all kinds of problems. Hackers have been known to use similar setups to help them “sniff” people’s Internet traffic, allowing them to do things like read personal messages, log the websites people visit, and even steal passwords and other sensitive information. So if you make a habit of using public Wi-Fi hotspots – whether you’re at a tech conference, an airport, a café, or a hotel – you should give Freedome a try to keep you and your private data safe and secure. [Image by Erin Pettigrew | Flickr]