7:03 am – Popular Security Software Came Under Relentless NSA and GCHQ Attacks (The Intercept)
7:12 am – US and British Spies Targeted Antivirus Companies (WIRED)
9:48 am – Spies are cracking into antivirus software, Snowden files reveal (The Hill)
12:18 pm – GCHQ has legal immunity to reverse-engineer Kaspersky antivirus, crypto (Ars Technica-UK)
12:57 pm* – US, UK Intel agencies worked to subvert antivirus tools to aid hacking [Updated] (Ars Technica)(*unclear if this is original post time or time update posted))
~3:00 pm – NSA Has Reverse-Engineered Popular Consumer Anti-Virus Software In Order To Track Users (TechCrunch)
(post time is approximate as site only indicates rounded time since posting)
The question I don’t think anyone can answer yet is whether the hack of Kaspersky Lab using Duqu 2.0 was part of the effort by NSA or GCHQ, versus another nation-state. I would not be surprised if the cover over this operation was as thin as letting the blame fall on another entity. We’ve seen this tissue paper-thin cover before with Stuxnet.
For the general public, it’s important to note two things:
— Which firms were not targeted (that we know of);
— Understand the use of viruses and other malware that already threaten and damage civilian computing systems only creates a bigger future threat to civilian systems.
Once a repurposed and re-engineered exploit has been discovered, the changes to it are quickly shared, whether to those with good intentions or criminal intent. Simply put, criminals are benefiting from our tax dollars used to help develop their future attacks against us.
There’s a gross insufficiency of words to describe the level of shallow thinking and foresight employed in protecting our interests.
And unfortunately, the private sector cannot move fast enough to get out in front of this massive snowball of shite rolling towards it and us.
EDIT — 5:55 pm EDT —
And yes, I heard about the Polish airline LOT getting hit with a DDoS, grounding their flights. If as the airline’s spokesman is correct and LOT has recent, state-of-the-art systems, this is only the first such attack.
But if I were to hear about electrical problems on airlines over the next 24-48 hours, I wouldn’t automatically attribute it to hacking. We’re experiencing effects of a large solar storm which may have caused/will cause problems over the last few hours for GPS, communications, electricals systems, especially in North America.
EDIT — 1:15 am EDT 23JUN2015 —
At 2:48 pm local time Christchurch, New Zealand’s radar system experienced a “fault” — whatever that means. The entire radar system for the country was down, grounding all commercial flights. The system was back up at 4:10 pm local time, but no explanation has yet been offered as to the cause of the outage. There were remarks in both social media and in news reports indicating this is not the first such outage; however, it’s not clear when the last fault was, or what the cause may have been at that time.
It’s worth pointing out the solar storm strengthened over the course of the last seven hours since the last edit to this post. Aurora had been seen before dawn in the southern hemisphere, and from northern Europe to the U.S. Tuesday evening into Wednesday morning. It’s possible the storm affected the radar system — but other causes like malware, hacking, equipment and human failure are also possibilities.
In news dump territory — 2:59 p.m. on a Friday afternoon following this last Memorial Day, to be exact — Reuters published an EXCLUSIVE story in which anonymous sources claimed the U.S. launched a cyber attack on North Korea using a modified version of Stuxnet.
This is hardly news. It’s rather a confirmation by an anonymous source, likely a government official, of the Stuxnet program’s wider aims. This was discussed here at emptywheel in 2013.
Far too much of North Korea’s nuclear energy development program looked like Iran’s for Stuxnet not to be a viable counter-proliferation tool if North Korea had succeeded with uranium enrichment.
And far too much information had been shared in tandem between North Korea, Iran, and Syria on nuclear energy and missile development (see image), for Stuxnet not to have a broader range of targets than Iran’s Natanz facility.
Let’s assume folks are savvy enough to know the Stuxnet program had more than Iran in its sights.
Why, dear “people familiar with the covert campaign,” was the confirmation to Reuters now — meaning, years after the likely attempt, and years after Stuxnet was discovered in the wild?
And how convenient this confession, five days before Kaspersky Lab revealed the existence of Duqu 2.0? Did someone “familiar with the covert campaign” believe the admission would be lost in Duqu-related news?
With the confession, though, begins a volley of exchanges:
It’s anybody’s guess what the next lob will look like, especially after NK’s foreign minister met with China for reasons believed connected to drought aid.
You can bet there will be some effort to exchange nuclear inspection access for trade and aid, as previously negotiated during Bill Clinton’s administration.
The use of stolen Foxconn digital certificates in Duqu 2.0 gnaws at me, but I can’t put my finger on what exactly disturbs me. As detailed as reporting has been, there’s not enough information about this malware’s creation. Nor is there enough detail about its targeting of Kaspersky Lab and the P5+1 talks with Iran.
Kaspersky Lab carefully managed release of Duqu 2.0 news — from information security firm’s initial post and an op-ed, through the first wave of media reports. There’s surely information withheld from the public, about which no other entities know besides Kaspersky Lab and the hackers.
Is it withheld information that nags, leaving vaporous voids in the story’s context? Possibly.
But there are other puzzle pieces floating around without a home, parts that fit into a multi-dimensional image. They may fit into this story if enough information emerges.
Putting aside how much Duqu 2.0 hurts trust in certificates, how did hackers steal any from Foxconn? Did the hackers break into Foxconn’s network? Did they intercept communications to/from Foxconn? Did they hack another certificate authority?
If they broke into Foxconn, did they use the same approach the NSA used to hack Syria — with success this time? You may recall the NSA try to hack Syria’s communications in 2012, by inserting an exploit into a router. But in doing so, the NSA bricked the router. Because the device was DOA, the NSA could not undo its work and left evidence of hacking behind. The router’s crash took out Syria’s internet. Rapid recovery of service preoccupied the Syrians so much that they didn’t investigate the cause of the crash.
The NSA was ready to deny the operation, though, should the Syrians discover the hack:
…Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”
Did the NSA’s attempted hack of Syria in 2012 provide direction along with added incentive for Duqu 2.0? The failed Syria hack demonstrated evidence must disappear with loss of power should an attempt crash a device — but the malware must have adequate persistence in targeted network. NSA’s readiness to blame Israel for the failed Syria hack may also have encouraged a fuck-you approach to hacking the P5+1 Iran talks. Continue reading
Big Data. Industry players are relying on large sets of data collected across the field to make decisions. They’re not looking at daily price points alone in the market place, or at monthly and quarterly business performance. They’re evaluating comprehensive amounts of data over time, and some in real time as it is collected and distributed.
Which leads to an Aha! moment. The fastest entrant to market with the most complete and reliable data has a competitive advantage. But what if the fastest to market snatches others’ production data, faster than the data’s producer can use it when marketing their product?
One might ask who would hack fossil fuel companies’ data. The most obvious, logical answers are:
— anti-fossil fuel hackers cutting into production;
— retaliatory nation-state agents conducting cyber warfare;
— criminals looking for cash; and
— more benign scrip kiddies defacing property for fun.
But what if the hackers are none of the above? What if the hackers are other competitors (who by coincidence may be state-owned businesses) seeking information about the market ahead?
What would that look like? We’re talking really big money, impacting entire nation-state economies by breach-culled data. The kind of money that can buy governments’ silence and cooperation. Would it look as obvious as Nation A breaking the digital lock on Company B’s oil production? Or would it look far more subtle, far more deniable? Continue reading
Kaspersky Lab reported this morning a next-generation version of Duqu malware infected the information security company’s network.
WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.
Ars Technica reported in depth on Kaspersky’s discovery of the malware and its attributes. What’s really remarkable in this iteration is its residence in memory. It only exists as a copy on a drive at the first point of infection in a network, and can be wiped remotely to destroy evidence of its occupation.
The infosec firm killed the malware in their networked devices by mimicking a power outage. They detached from their network suspect devices believed to contain an infecting copy.
Kaspersky’s Patient Zero was a non-technical employee in Asia. Duqu 2.0 wiped traces of its own insertion from the PC’s drive.
Neither WSJ or Ars Technica noted Kaspersky’s network must have been subject to a program like TREASUREMAP.
…Because the rest of the data remained intact on the PC and its security patches were fully up to date, researchers suspect the employee received a highly targeted spear phishing e-mail that led to a website containing a zero-day exploit. … (bold mine – source: Ars Technica)
How was a single non-technical point of contact in Asia identified as a target for an infected email? Continue reading
Recently, computer security firm Symantec reported discovery of another intelligence-gathering malware, dubbing it “Regin.”
What’s particularly interesting about this malware is its targets:
Please do read Symantec’s blog post and its technical paper on Regin to understand how it works as well as its targets. Many news outlets either do not understand malware and cybersecurity, or they get facts wrong whenever major malware attacks are reported. Symantec’s revelation about Regin is no different in this respect.
Independent.ie offers a particularly exceptional example distorting Symantec’s report, claiming “Ireland is one of the countries worst hit globally by a dangerous new computer virus that spies on governments and companies, according to a leading technology firm.”
If by “worst hit,” they mean among the top four countries targeted by this malware? Sure. But only 9% of the infections affected Irish-based computers, versus 28% of infections aimed at Russian machines, and 24% affecting Saudi machines. The Independent.ie’s piece reads like clickbait hyperbole, or fearmongering, take your pick.
What wasn’t addressed by the Independent.ie and numerous other outlets, including those covering the tech sector are some fundamental questions:
The Guardian came closest to examining these issues, having interviewed researchers at computer security firm F-Secure to ask the origins of the malware. As of 24-NOV-2014, the firm’s Mikko Hypponen speculated that the US, UK, and/or Israel were behind Regin’s development and deployment.
As of the video embedded above, Hypponen firmly says the UK’s intelligence entity GCHQ is behind Regin, in particular the malware’s invasion of a Belgian telecom network (see video at 07:20). Continue reading
But as Jeremy Scahill tweeted last evening, read this piece by WaPo’s Barton Gellman on malicious code insertion. This news explains recent changes by Google to YouTube once it had been disclosed to the company that exploits could be embedded in video content as CitizenLab.org explains:
“… the appliance exploits YouTube users by injecting malicious HTML-FLASH into the video stream. …”
“… the user (watching a cute cat video) is represented by the laptop, and YouTube is represented by the server farm full of digital cats. You can observe our attacker using a network injection appliance and subverting the beloved pastime of watching cute animal videos on YouTube. …”
The questions this piece shake loose are Legion, but as just as numerous are the holes. Why holes? Because the answers are ugly and complex enough that one might struggle with them. Gellman’s done the best he can with nebulous material.
An interesting datapoint in the first graf of the story is timing — fall 2009.
You’ll recall that Google revealed the existence of a cyber attack code named Operation Aurora in January 2010, which Google said began in mid-December 2009.
You may also recall news of a large batch of cyber attacks in July of 2009 on South Korean targets.
The U.S. military had already experienced a massive uptick in cyber attacks in 1H2009, more than double the rate of the entire previous year.
And neatly sandwiched between these waves and events is a visit by a defense contractor CloudShield Technologies engineer from California, to Munich, Germany with British-owned Gamma Group. Continue reading
[Update at end of article.—Rayne 6:45 pm EST]
Between 1030 and 0400 UTC last night or early morning, most of Russia’s GLONASS satellites reported “illegal” or “failure” status. As of this post, they do not appear to be back online.
GLONASS is the equivalent of GPS, an alternative global navigation satellite system (GNSS) launched and operated by Russian Aerospace Defense Forces (RADF). Apart from GPS, it is the only other GNSS with global capability.
It’s possible that the outage is related to either a new M-class solar storm — the start of which was reported about 48 hours ago — or recent X-class solar flare on March 29 at approximately 1700 UTC. The latter event caused a short-term radio blackout about one hour after the flare erupted.
But there is conjecture that GLONASS’ outage is human in origin and possibly deliberate. The absence of any reported outage news regarding GPS and other active satellite systems suggests this is quite possible, given the unlikelihood that technology used in GLONASS differs dramatically from that used in other satellite systems.
At least one observer mentioned that a monitoring system tripped at 21:00 UTC — 00:00 GLONASS system time. The odds of a natural event like a solar storm tripping at exactly top of the hour are ridiculously slim, especially since radiation ejected from the new M-class storm may not reach its peak effect on earth for another 24-48 hours.
It’s not clear whether the new GLONASS-M satellite launched March 24th may factor into this situation. There are no English language reports indicating the new satellite was anything but successful upon its release, making it unlikely its integration into the GLONASS network caused today’s outage.
If the outage is based in human activity, the problem may have been caused by:
— an accidental disabling here on earth, though RADF most likely has redundancies to prevent such a large outage;
— deliberate tampering here on earth, though with RADF as operator this seems quite unlikely; or
— deliberate tampering in space, either through scripts sent from earth, or technology installed with inherent flaws.
The last is most likely, and of either scripts sent from earth or the flawed technology scenarios, the former is more likely to cause a widespread outage.
However, if many or all the core operating systems on board the GLONASS satellites had been updated within the last four years – after the discovery of Stuxnet in the wild – it’s not impossible that both hardware and software were compromised with an infection. Nor is it impossible that the same infection was triggered into aggressive action from earth.
Which begs the question: are we in the middle of a cyberwar in space?
UPDATE — 6:45 PM EST—
Sources report the GLONASS satellite network was back online noon-ish Russian time (UTC+4); the outage lasted approximately 11 hours. Unnamed source(s) said the outage was due to the upload of bad ephemeris data, the information used by the satellites to locate other satellites in space. An alleged system-wide update with bad data suggests RADF has serious problems with change management, though.
There is speculation the M-class solar storm, summarized at 1452 UTC as an “X-ray Event exceeded M5,” may have impacted GLONASS. However early feedback about radiation ejected by an M-class storm indicated the effects would not reach earth for 24-48 hours after the storm’s eruption.
Playwright August Strindberg wrote, “…There are poisons that blind you, and poisons that open your eyes.”
We’ve been blinded for decades by complacency and stupidity, as well as our trust. Most Americans still naively believe that our government acts responsibly and effectively as a whole (though not necessarily its individual parts).
By effectively, I mean Americans believed their government would not deliberately launch a military attack that could affect civilians — including Americans — as collateral damage. Such a toll would be minimized substantively. Yesterday’s celebration related to the P5+1 interim agreement regarding Iran’s nuclear development program will lull most Americans into deeper complacency. The existing system worked, right?
But U.S. cyber warfare to date proves otherwise. The government has chosen to deliberately poison the digital waters so that all are contaminated, far beyond the intended initial target.
There’s very little chance of escaping the poison, either. The ubiquity of U.S. standards in hardware and software technology has ensured this. The entire framework — the stack of computing and communications from network to user applications — has been affected.
• Network: Communications pathways have been tapped, either to obtain specific content, or obtain a mirror copy of all content traveling through it. It matters not whether telecom network, or internal enterprise networks.
• Security Layer: Gatekeeping encryption has been undermined by backdoors and weakened standards, as well as security certificates offering handshake validation
• Operating Systems: Backdoors have been obtained, knowingly or unknowingly on the part of OS developers, using vulnerabilities and design flaws. Not even Linux can be trusted at this point (Linux progenitor Linus Torvalds has not been smart enough to offer a dead man’s switch notification.)
• User Applications: Malware has embedded itself in applications, knowingly or unknowingly on the part of app developers.
End-to-end, top-to-bottom and back again, everything digital has been touched in one layer of the framework or another, under the guise of defending us against terrorism and cyber warfare.
Further, the government watchdogs entrusted to prevent or repair damage have become part and parcel of the problem, in such a way that they cannot effectively be seen to defend the public’s interests, whether those of individual citizens or corporations. The National Institute of Standards and Technology has overseen the establishment and implementation of weak encryption standards for example; it has also taken testimony [PDF] from computing and communications framework hardware and software providers, in essence hearing where the continued weak spots will be for future compromise.
The fox is watching the hen house, in other words, asking for testimony pointing out the weakest patches installed on the hen house door.
The dispersion of cyber poison was restricted only in the most cursory fashion.
• Stuxnet’s key target appears to have been Iran’s Natanz nuclear facility, aiming at its SCADA equipment, but it spread far beyond and into the private sector as disclosed by Chevron. The only protection against it is the specificity of its end target, rendering the rest of the malware injected but inert. It’s still out there.
• Duqu, a “sibling” cyber weapon, was intended for widespread distribution, its aims two-fold. It delivered attack payload capability, but it also delivered espionage capability.
• Ditto for Flame, yet another “sibling” cyber weapon, likewise intended for widespread distribution, with attack payload and espionage capability.
There could be more than these, waiting yet to be discovered.
In the case of both Duqu and Flame, there is a command-and-control network of servers still in operation, still communicating with instances of these two malware cyber weapons. The servers’ locations are global — yet another indicator of the planners’/developers’ intention that these weapons be dispersed widely.
Poison everything, everywhere.
But our eyes are open now. We can see the poisoners fingerprints on the work they’ve done, and the work they intend to do. Continue reading
Over the last handful of days breathless reports may have crossed your media streams about Stuxnet infecting the International Space Station.
The reports were conflations or misinterpretations of cybersecurity expert Eugene Kaspersky’s recent comments before the Australian Press Club in Canberra. Here’s an excerpt from his remarks, which you can enjoy in full in the video embedded above:
[26:03] “…[government] departments which are responsible for the national security for national defense, they’re scared to death. They don’t know what to do. They do understand the scenarios. They do understand it is possible to shut down power plants, power grids, space stations. They don’t know what to do. Uh, departments which are responsible for offense, they see it as an opportunity. They don’t understand that in cyberspace, everything you do is [a] boomerang. It will get back to you.
[26:39] Stuxnet, which was, I don’t know, if you believe American media, it was written, it was developed by American and Israel secret services, Stuxnet, against Iran to damage Iranian nuclear program. How many computers, how many enterprises were hit by Stuxnet in the United States, do you know? I don’t know, but many.
Last year for example, Chevron, they agreed that they were badly infected by Stuxnet. A friend of mine, work in Russian nuclear power plant, once during this Stuxnet time, sent a message that their nuclear plant network, which is disconnected from the internet, in Russia there’s all that this [cutting gestures, garbled], so the man sent the message that their internal network is badly infected with Stuxnet.
[27:50] Unfortunately these people who are responsible for offensive technologies, they recognize cyber weapons as an opportunity. And a third category of the politicians of the government, they don’t care. So there are three types of people: scared to death, opportunity, don’t care.”
He didn’t actually say the ISS was infected with Stuxnet; he only suggested it’s possible Stuxnet could infect devices on board. Malware infection has happened before when a Russian astronaut brought an infected device used on WinXP machines with her to the station.
But the Chevron example is accurate, and we’ll have to take the anecdote about a Russian nuclear power plant as fact. We don’t know how many facilities here in the U.S. or abroad have been infected and negatively impacted as only Chevron to date has openly admitted exposure. It’s not a stretch to assume Stuxnet could exist in every manner of facility using SCADA equipment combined with Windows PCs; even the air-gapped Russian nuclear plant, cut off from the internet as Kaspersky indicates, was infected.
The only thing that may have kept Stuxnet from inflicting damage upon infection is the specificity of the encrypted payload contained in the versions released in order to take out Iran’s Natanz nuclear facility. Were the payload(s) injected with modified code to adapt to their host environs, there surely would have been more obvious enterprise disruptions.
In other words, Stuxnet remains a ticking time bomb threatening energy and manufacturing production at a minimum, and other systems like those of the ISS at worst case. Continue reading