30 April 2017

A CLOSER LOOK AT CIA-LINKED MALWARE — AS CIA/FBI SEARCH FOR ROGUE INSIDER

The above is the title of an article on DarkReading.com (April 24, 2017) by Kelly Sheridan. Ms. Sheridan first reminds readers that the CIA and FBI are conducting a joint investigation to discover who leaked the highly sensitive, classified files which Wikileaks published last month — files that revealed tools the CIA used for hacking into various Internet of Things (IoT) devices. Ms. Sheridan, citing “sources close to the investigation,” writes that investigators are focusing on “a current CIA employee, or contractor,” who did, or would have had, physical access to these documents/files. CBS News has reported that these files “were stored in a ‘highly secure’ CIA division.” “The files, collectively named Vault 7, included information on zero-day vulnerabilities for Windows, Android, and iOS, as well as exploits against routers and smart TVs,” Ms. Sheridan wrote.

“Shortly after the Wikileaks dump,” Ms. Sheridan writes, “cyber security firms connected the Vault 7 documents with a cyber espionage group known for targeting governments and private companies with a variety of [hacking] tools. Each company has a different name for the group, which many believe to be the CIA.” The Russia-based Kaspersky Lab “calls the group the Lamberts, and claims its tools target Windows and Mac OS devices,” while “Symantec calls it [the group] Longhorn, and said that attacks are aimed exclusively at Windows targets. Symantec started looking into these tools three to four years ago,” said Vikram Thakur, Principal Researcher at Symantec Security Response.

Mr. Thakur, in an interview with Ms. Sheridan/Dark Reading, “shared some of the tools Symantec discovered in its research on Longhorn’s capabilities, how they are different, and their goals for targeting victims,” Ms. Sheridan wrote. “The hacking tools target specific organizations, and also give the attacker full access to communicate with users,” he said. “These tools are primarily backdoors with different capabilities. They allow the attacker to ask any and all commands to the end user.” In other words, the user of these tools is in essence masquerading as someone who has access to the ‘keys to the kingdom,’ so to speak — assuming that the breached network has the kind of valuable intelligence that the group was after.

“None of the tools discovered were used for mass surveillance, but for observing activity and gathering information from particular organizations. It’s difficult to know what the specific commands were for, but Mr. Thakur said that they were not being used to activate microphones and listen to conversations. They were looking for information, documents, meeting notes, and intellectual property,” Ms. Sheridan wrote.

“Some people might write malware with the intention of collecting hoards of information. This was not that type [of operation],” Mr. Thakur said.

“At the start of Symantec’s Longhorn research in 2014, Plexor was the first particular [malware] threat to appear,” Mr. Thakur said. “At the time, the Trojan had only been seen on several Windows machines within one organization. Plexor contained information on the network architecture specific to the victim business, and would arrive via an embedded Word document in a spearphishing email,” Ms. Sheridan noted.

Thakur’s team then unearthed Longhorn 1, which shared code with Plexor but had a “completely different tool-set,” Mr. Thakur said. “Each sample of the Longhorn malware had a different set of keywords, but version numbers (3.5, 3.6, etc.) indicated it was part of an organized pattern.”

“Longhorn 2, another tool associated with the group, was discovered when his team was hunting for additional samples of Longhorn 1 in the wild. It’s similar to the first version, but has different functionality and lesser capabilities,” Mr. Thakur said. “Both were built to communicate with a specific command and control server, unique to the sample and victim.”

“Coventry is the next evolution in the Longhorn toolset,” Ms. Sheridan writes. “Like Longhorn 1 and 2, it’s a backdoor designed to monitor activity and collect information, and it shares similar code and techniques with the other two tools. While the organization using these tools was ‘extremely organized and driven by process,’ there was overlap in the use of these malware tools.”

“We can see on a timeline that none of these tools were exclusively used at any point in time,” Mr. Thakur said. “This is a sign that multiple people were using the same code against a handful of organizations around the world at the same time.” The tools were mostly used in countries that “we consider of national interest,” he continued, but he can’t speak to specific countries or businesses. “There was one instance in which a country file infected a machine in the U.S., but it was quickly uninstalled, indicating it might have been launched by mistake.”

Having read all the above, I do not know that there is anything in this article that is either surprising or all that revealing. Government and nation-state spy agencies, as well as cyber criminals, cyber militias, and so on, continue to create new malware that is designed to get into enterprise networks they aren’t allowed to be in. Nothing new here. Now, the ability to hack into stand-alone machines, industrial-grade stealth malware easily purchased on the Dark Net, malware and digital bugs that activate based on target activity, malware that hides or goes dormant when under surveillance, malware and bugs that deceive the host by masquerading as legitimate software, and worst of all — a cyber doomsday bomb that lies dormant on a network to be ‘detonated’ at a time of the perpetrator’s choosing — all make this digital minefield a maze with many dead-ends and lots of potential traps.

The only two cents I have on the reported CIA/FBI investigation to find a mole within our midst is this — I hope we are virtually certain that only a mole or a trusted insider was responsible for the leak. Russian intelligence, for example, is extremely skillful at instigating or fostering a scenario whereby they make us think we have a mole when in reality there is no such mole, and the FSB has us conducting a sophisticated and delicate mole hunt that ends up being a destructive wild goose chase. The leaks by Edward Snowden, the exposure of NSA’s hacking tools, as well as sources and methods/techniques, and China’s hack of OPM have provided our adversaries with plenty of sensitive material to make such a wild goose chase for a mole possible. Hopefully, we are certain that there is no other way this breach could have occurred without a well-placed individual deciding, for whatever reason, to deliberately leak these previously highly sensitive intelligence collection tools. V/R, RCP