“We’re not creative enough when we imagine cyber warfare,” F-Secure Security Advisor Sean Sullivan recently told me. “It’s not kinetic explosions. It could be a guy whose crimeware business has dried up and is looking for new business.”
Over the last week, F-Secure Labs has taken a look at attacks from the “Energetic Bear” hacking group, Havex, which targets the energy sector, and now CosmicDuke, which is aimed at targets in Ukraine, Poland, Turkey, and Russia.
The goal of these attacks seems to be espionage or gathering information up for a buyer, which could be a government. But the methods don’t match the precision and massive investment of manhours that went into an attack like Stuxnet, which was designed to take down Iran’s nuclear capabilities.
“They rely on plausible deniability and using resources that don’t seem to be created specifically for the task,” Sean said. “It matches the modular methodology of what we conventionally think of as crimeware.”
“You look at one element and it looks like crimeware,” said F-Secure Senior Researcher Timo Hirvonen, who wrote the CosmicDuke analysis. “You look at it from a different angle and you say, ‘I’ve never seen it aimed like that before.'”
“The conventional wisdom is that anything related to cyber warfare will be shiny and new,” Sean said. These attacks instead suggest “semi-professionalism”.
Here are three questions Sean is pondering in the wake these attacks:
What do we mean when we say state-sponsored?
“Cyber warfare models real life,” Sean said. “Some countries have a massive cyber intelligence infrastructure that works from the top down. Others seem to have a more grassroots origin, co-opting existing technologies that seem to be built on existing crimeware.”
He wonders if state-focused campaigns are using malware that isn’t necessarily state-sponsored. “Countries who use troops with black masks and no insignias standing on a peninsula may have the same kind of thing going online.”
Opportunistic and pragmatic governments may be paying people to co-opting technology that exist for international espionage purposes.
He suggests the goals of such attacks may fit into Sun Tzu’s advice from The Art of War: know your enemy.
Armed with information, countries can use soft power to turn allies against each other and dissuade retribution like economic sanctions.
What do we mean by APT — advanced persistent threat?
These attacks are not complex in the way Stuxnet was. And they don’t need to be.
CosmicDuke — a variant of a malware family that has existed since 2001– infects by tricking targets into opening either a PDF file which contains an exploit or a Windows executable whose filename makes it look like a document or image file.
Once the target opens the malicious file, CosmicDuke gains access starts collecting information with a keylogger, clipboard stealer, screenshotter, and password stealers for a variety of popular chat, e-mail and web browsing programs. CosmicDuke also collects information about the files on the system, and has the capability to export cryptographic certificates and their private keys. Once the information has been collected, it is sent out to remote servers via FTP. In addition to stealing information from the system, CosmicDuke allows the attacker to download and execute other malware on the system. Pretty standard stuff.
Is the war against crimeware driving criminals to cyber espionage? Or: Could be fighting cybercrime be counterproductive?
“Some of these guys may be working for the government and themselves,” Sean said.
A wave of successes in the international war on cybercrime may be driving criminals to new buyers.
“The talent developed on its own,” he said. “And now there’s a government taking advantage of talent in their borders. Law enforcement has been going after crimeware. But it doesn’t go away. It’s fungible. The talent’s still there it needs to make a buck.”
Sean believes there’s a message in these attacks for everyone.
“It’s not just the NSA that hunts system admins. If you have any sort of credentialed access to important systems, you are a target. Keep calm and secure your stuff.”
He hopes that businesses will recognize that prevention is always the best remedy.
“For IT managers: ask for the security budget you need – and fight for it. There is more evidence than ever that letting cost dictate security is bad management.”
If governments are willing to work with increasingly opportunistic malware authors, risks could grow exponentially.
“Is today’s crimeware botnet, tomorrow’s national security nightmare?” Sean asks. “What happens when these guys get out of jail? I’m sure they won’t let the talent go fallow.”
See that floppy disc? That's how F-Secure Labs used to get malware to analyze. Nowadays, of course, it's much different, Andy Patel from the Labs explained in a recent post, "What's The Deal with Scanning Engines?" In just a few hundred words, Andy lays out what makes modern protection so different from the anti-virus that you remember from the 80s, 90s or even the early 00s. And it's not just that floppy disks the Labs once analyzed have been replaced by almost any sort of digital input, down to a piece of memory or a network stream. The whole post is worth checking out if you're interested in how relentless modern internet security must be to keep up with the panoply of online threats we face. But here's a quick look at five of the key components of endpoint protection that work in tandem to stop attacks in their tracks, as described by Andy: Scanning engines. Today’s detections are really just complex computer programs, designed to perform intricate sample analysis directly on the client. Modern detections are designed to catch thousands, or even hundreds of thousands of samples. URL blocking. Preventing a user from being exposed to a site hosting an exploit kit or other malicious content negates the need for any further protection measures. We do this largely via URL and IP reputation cloud queries. Spam blocking and email filtering also happen here. Exploit detection. If a user does manage to visit a site hosting an exploit kit, and that user is running vulnerable software, any attempt to exploit that vulnerable software will be blocked by our behavioral monitoring engine. Network and on-access scanning. If a user receives a malicious file via email or download, it will be scanned on the network or when it is written to disk. If the file is found to be malicious, it will be removed from the user’s system. Behavioral blocking. Assuming no file-based detection existed for the object, the user may then go on to open or execute the document, script, or program. At this point, malicious behavior will be blocked by our behavioral engine and again, the file will be removed. The fact is, a majority of malware delivery mechanisms are easily blocked behaviorally. In most cases, when we find new threats, we also discover that we had, in the distant past, already added logic addressing the mechanisms it uses.If you're interested in knowing more about behavioral engines, check out this post in which Andy makes then easy to understand by comparing the technology to securing an office building. So you must be wondering, does this all work? Is it enough? Well, our experts and our computers are always learning. But in all the tests this year run by independent analysts AV-Comparatives, we’ve blocked 100% of the real-world threats thrown at us. Cheers, Jason
In 1853 a strange new invention appeared in the English cityscape, and caused a small wave of moral outrage among Victorians. This perceived threat to social order was not a new drug, political movement or saucy romance novel, but the seemingly harmless letter box. One reason was the shocking development of women now being able to post letters without consent from their husbands or fathers, and the other one was that sending anonymous letters would now be even easier. Maybe Victorians weren’t very thick-skinned, and were worried about unsigned letters calling people zounderkites and rantallions skyrocketing. Who knows? History now tells us that these attempts to control this early form of long-distance communication were ridiculous. And yet, a modern version of this debate is happening even today: there are those who want to make encrypted, anonymous communication available for everyone, and those who wish to restrict it. No new technology comes without drawbacks, and encryption is no exception. However, just as with the Victorian letter box, the pros greatly outweigh the cons. But why do people want to be anonymous online? Those who oppose encryption and other methods which advance online anonymity often throw around the tired argument “If you don’t have anything to hide, you have no need to be anonymous”. Not only does this statement show an astounding lack of perspective, it is also blatantly false. According to CBS there is a rising increase in desire for online anonymity, and there are many perfectly valid and legitimate reason to cover your tracks online. A lot of us just don’t feel comfortable with their Internet Service Provider, employer or even government having access to their surfing information. We all have a right to privacy, but technology is increasing the size of our digital footprint to the point when we can never know who is monitoring what we do online. Legislation, like the aptly nicknamed Snoopers Charter have the potential to give governments and ISP’s blanket rights to monitor web traffic of normal users in the name of security. This means the responsibility to protect our individual privacy rests increasingly in our own hands, and VPN services like our own Freedome go a long way in making that happen. For many people, it’s about control. We share aspects of our lives and personality on social media and other websites, but the choice of what we share should be ours to make. This control is taken away by advertisers and tracking companies, who collect information about us from different websites and piece them together to form elaborate dossiers which contain way more information about us than most would be comfortable sharing, like your medical information or what kind of porn you watch. For many, part of being anonymous online is blocking this kind of intrusive tracking, and it’s hard to find fault in that. The most serious group of people wanting anonymity are those for whom it is not so much a matter of principle but a matter of life and death. We are talking about activists, journalists and opposition supporters who operate under oppressive regimes or in places where criminals seek out and silence those who speak against them. It’s easy for those who support intrusive privacy legislation to forget that the governments who enact them will invariably have ulterior motives to “catching terrorists” or “protecting national security”: they give governments the power to control what we say. Open and free communication is the greatest tool the masses have to keep those in power accountable for their actions, and there is nothing open or free about the kind of mass surveillance which is happening more and more, legally and otherwise. What are your reasons to be anonymous online? This is not a black & white subject, and we’d be glad to hear your thoughts via the Freedome twitter channel @FreedomeVPN.
The Internet is pretty cool. You can use it to learn about things happening all over the world. You can start your own blog or social media account to share your views and speak up about the things you care about. You can stay in touch with people that live far away. It’s really all about connecting people, and it’s changed how people live their lives. The odd thing about all this connecting is that it's surprisingly easy to become disconnected from actual people. Spending time in front of a computer screen, especially when working in roles that involve lots of engineering or programming, can put people out of the picture. All too often, things get reduced to bits and pieces of information. People are what’s important to companies. Not just employees, but all the people involved with a business. And many companies say that the customer is #1, but they’ll have employees who never interact with the people they’re serving. So in this era of hyper connectivity, it’s easy for companies and employees to lose touch with the people that are actually paying their salaries. So Donal Crotty, F-Secure’s Director of Customer Advocacy, started a new tradition in 2015 to celebrate how we feel about customers, give them an opportunity to candidly share their views on the company with the Fellows that work here, and learn more about the company and the people that help make it a success. It’s called Customer Day. “Not everyone at F-Secure has the pleasure of actually meeting the people they’re trying to help,” says Donal. “It’s just the nature of some jobs. But it’s a real shame, because all the metrics and analytical tools companies use to gauge how happy or unhappy customers actually are simply aren’t enough. Numbers and data are no replacement for people, and that’s what Customer Day is for.” So today is the 2nd annual Customer Day at F-Secure (#fscustomerday16 on Twitter). And here at our Helsinki headquarters, as well as several of our regional offices around the world, Fellows and customers are coming together to connect with each other and learn more about the people and products. And have a bit of fun too. “IT companies will often say that they’re about people and not technology. But I’m not sure how many of them actually make the effort to put the people that build products and provide behind the scenes services in front of customers” says Donal. “We, as in people in companies, talk about customer experience, but it takes something more than just talking about it to make it meaningful. I like to think of it as a type of feeling. Our technology enables, but the feeling we give to customers is what we want them to live with.” Images provided by Bret Pulkka-Stone.