28 February 2015

Kaspersky on Who’s Behind Recent Cyber Espionage Cases

February 26, 2015

The Most Sophisticated Cyber Espionage Campaign Ever — But Who’s Behind It?

Last week my company published its findings in several in-depth investigations that have caused quite a stir in the press around the world.

The first investigation was into what appears to be the biggest bank heist ever. It revealed a criminal group running malware we’ve dubbed ‘Carbanak’ to steal up to $1 billion from financial institutions around the world.

The second investigation was into a group of expert hackers we’ve named theEquation Group, probably linked to a government, which has been running the most complex and sophisticated cyber-espionage campaign we’ve ever seen. The media is saying the NSA is behind it, but we never did. And I wouldn’t recommend pointing any fingers at anyone.

The third investigation uncovered the first known Arab-speaking hacker group staging targeted espionage attacks, which we’ve dubbed the Desert Falcons.

I’m extremely pleased with the quality of these investigative reports, and they’ve been receiving a lot of praise too. However, we’ve also been criticized, and there have been some alarming inaccuracies in how the investigations have been reported too, so I’d like to clear a few things up.

First of all, we never said that the Equation Group was in any way linked to the NSA or to any other security service – American or otherwise. There does seem to be a technical link between the malware used and the code of Stuxnet, the computer worm revealed in 2010 that was believed to have been the first ever cyber-weapon and which was reportedly deployed against Iran’s nuclear enrichment program.

But attribution is awfully tricky in cyber-investigations, as we saw recently in the Sony Pictures hack: some experts remain unconvinced it was carried out by North Korea, despite the official announcements of both the FBI and Barack Obama. But it’s pretty much a given in cybersecurity: attribution is rarely possible, and made all the more difficult if the cybercriminals involved are smart, which, alas, is most often the case in the world of cyber-espionage. For example, cyber-spies can stage false-flag operations: the evidence we use to attempt to identify attackers includes timestamps, words in particular languages in the malware code, names or nicknames, and the geographical locations of the command-and-control servers used. But such evidence is always circumstantial and can easily be forged. What’s more, attackers recycling malware modules used in other advanced persistent threat (APT) campaigns is already quite common. Once released, sophisticated malware can be reverse engineered, explored and re-used, even potentially against the initial attacker. For example, Iran has been learning from the U.S. how to stage cyberwarfare, according to the Edward Snowden files.

Now to the second point I’d like to clarify. My colleagues and I get asked two questions in particular a lot more often than others. The questions are: ‘do you withhold findings in your investigations from the public or from officials?’, and ‘Could you have published your reports earlier?’ The answers are: ‘no, we don’t’, and ‘no, we couldn’t have’. There is obviously a time gap between the moment we find a suspicious object and the publication of a report, much like the time gaps in research fields like archeology or paleontology: the time between discovering a single dinosaur bone and the reconstruction of that dinosaur’s body is significant. We work as fast as we can, but reverse-engineering malware is a very time-consuming process; meantime, the bad guys aren’t helping at all as their methods become mind-bogglingly sophisticated: they add new layers of encryption and self-destruction systems, to name just a few.

And finally, the commentators who assumed that the Equation Group is linked to the U.S. government have been accusing us of taking sides in global geo-political battles and specifically going after Western spy agencies. But as I wrote above, we don’t know if the Equation Group is the work of Western spies.

All we do is what we do best: we investigate and fight any malware we find. If it infects thousands of computers across the planet, it will become public sooner or later. We are often the first to discover it simply because we have such a great team of security experts – probably the best in the world.

We’ve revealed many cyber-espionage tools, which incidentally included artifacts in various different languages. Here are just a few examples:

But, as I mentioned earlier, the use of these different languages doesn’t permit attribution to any specific country. Language traces cannot be considered reliable evidence because they can be fabricated and deliberately planted in malware code as red herrings for investigators. Sometimes of more use is identifying whether a native speaker seems to have entered the words in a given language in the code, or whether the words were clearly entered by someone with non-native-level language skills. All the same – that, too, could be a red herring planted specially to confuse investigators.

We research any malware no matter where it might come from, and we’ve never received any requests from any source to whitelist any malware. We respond to requests from our customers who ask us to investigate suspicious behavior on their networks. If we find something malicious, we analyze it further.

I believe that there’s too much espionage and cyber warfare activity going online, and that this is a very worrying trend. One reason in particular is that there’s always a threat of friendly fire. Stuxnet, for example, infected the computer networks of U.S. oil company Chevron, which can be presumed to have been not the primary target. Another principle reason is that these advanced malware technologies proliferate very fast – as exemplified by the fact that ordinary criminals used them in the Carbanak bank heist.

So what’s next? What if terrorists learn how to use them? That should worry, I hope, not just me.

No comments: