4 December 2014

How to trace a cyber-weapon



THE internet has changed all sorts of industries, from book delivery to newspaper publishing to pornography. And spying is no exception. On November 23rd Symantec, an American anti-virus firm, announced the discovery of Regin, a complicated piece of malicious software that has been lurking on computer networks in Russia and Saudi Arabia (among other places), stealing whatever secrets have come its way. Only a couple of weeks before, Kaspersky Labs, another anti-virus firm, revealed the existence of DarkHotel, another piece of espionage-ware that targeted corporate bosses and other bigwigs staying at hotels in Asia. Both pieces of software are slick, sophisticated and complicated. For that reason, the anti-virus firms think they are the work of nation states. DarkHotel has been tentatively pinned on South Korea. Regin is thought to be the work of the British, possibly with help from the Americans. But how do anti-virus researchers know where viruses come from?

The answer is that they don't, or at least, not for certain. Indeed, one of the attractions of computerised spying (for the spooks at least) is that it is much more difficult to figure out who is behind any given campaign. Unlike human spies, computer code does not speak with an accent; nor does it have a cover story that can be investigated. So anti-virus researchers must rely on inference, guesswork and what small clues they can scrape together. One of the most famous bits of nation-state malware, Stuxnet, was used to sabotage centrifuges used by Iran's nuclear programme. Suspicion naturally fell on Israel, which is the region's most technologically advanced nation, and which has long feared that Iran is working on a nuclear bomb (there have been rumours that Israel has mulled air strikes against Iranian factories). America, as Israel's chief ally and one of Iran's chief opponents, fell under suspicion as well. Neither country has ever admitted to working on Stuxnet. But American officials have never denied it, either.

Sometimes the code itself can contain clues. DarkHotel's targets, for instance, were mostly in Asia (the largest number of targets were from India, Japan and China). The computer code contained Korean characters, as well as the online alias of a South Korean programmer. One of Regin's modules is called "LEGSPIN", a cricketing term, which might narrow the field of suspects. And the researchers who analysed it have pointed out that Regin seems to be very similar (or perhaps even identical) to the software used in an attack on Belgacom, a big Belgian telecommunications firm whose clients include the main institutions of the European Union. Leaks from Edward Snowden, a former American spy, have linked that attack to the British.

But all this is tentative. The spies presumably know that their opponents (as well as civilian security researchers) will try to reverse-engineer any computerised bugs they stumble across. So either the clues that do remain were included accidentally, or they are deliberately designed to deceive. Mikko Hypponen, the boss of F-Secure, a Finnish anti-virus firm, points out that early Russian attempts at computerised espionage were deliberately designed to look like they came from China. As always with cases of spying and espionage, nothing is ever certain.
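The string-level clue hunting the article describes (text in a foreign script, an odd module name, overlap with a previously seen sample), as an added example that is not part of the article or of any vendor's analysis. The two byte blobs are constructed stand-ins rather than real samples, and the COMMON_IMPORTS noise list is an assumption; as the article stresses, every signal this produces is weak and can be planted.

```python
import re
import unicodedata
from typing import Dict, List, Set

# Constructed stand-in "binaries": ASCII strings, one UTF-16LE string with
# Hangul, and filler bytes. Not real malware and not from the article.
SAMPLE_A = (b"MZ\x90\x00\x03" + b"LEGSPIN\x00" + b"\x7f\x10\xab"
            + "\uc548\ub155 author: dev_alias".encode("utf-16-le") + b"\x00\x00"
            + b"\xff\xfeGetProcAddress\x00CreateFileW\x00")
SAMPLE_B = (b"MZ\x90\x00" + b"LEGSPIN\x00stage2.dll\x00"
            + b"GetProcAddress\x00CreateFileW\x00\x12\x34")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# UTF-16LE run: ASCII code unit (xx 00) or Hangul syllable (xx AC..D7), 4+ units.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00|[\x00-\xff][\xac-\xd7]){4,}")
# Assumed noise list: imports almost every Windows binary shares prove nothing.
COMMON_IMPORTS = {"GetProcAddress", "CreateFileW", "LoadLibraryA"}

def extract_strings(blob: bytes) -> List[str]:
    """Printable ASCII and UTF-16LE runs, much as the `strings` tool reports."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return [s.strip() for s in found]

def script_of(ch: str) -> str:
    """Coarse script label taken from the Unicode name (HANGUL, LATIN, ...)."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name and ch.isalpha() else "OTHER"

def language_clues(blob: bytes) -> Dict[str, Set[str]]:
    """Map each non-Latin script seen to the strings containing it: a hint
    about the authors' environment, left by accident or planted on purpose."""
    clues: Dict[str, Set[str]] = {}
    for s in extract_strings(blob):
        for sc in {script_of(c) for c in s} - {"LATIN", "OTHER"}:
            clues.setdefault(sc, set()).add(s)
    return clues

def string_overlap(a: bytes, b: bytes) -> float:
    """Jaccard similarity of two samples' string sets (raw, noise included)."""
    sa, sb = set(extract_strings(a)), set(extract_strings(b))
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def distinctive_overlap(a: bytes, b: bytes) -> Set[str]:
    """Shared strings once common imports are dropped: the kind of overlap
    (an unusual module name) that a Regin/Belgacom-style comparison rests on."""
    return (set(extract_strings(a)) & set(extract_strings(b))) - COMMON_IMPORTS
```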

Experts Attempt to Map the Battlefields of Cyber Warfare

When attempting to make sense of a physical warzone, there are many clues to help you identify the combatants. These include uniforms, accents, flags, battle strategies, types of weaponry, etc. For example, most people with an elementary understanding of World War II could identify a German regiment from an American one simply by looking at their helmets.

The present and future of cyberwarfare offers little in comparison. As explained by The Economist, anti-virus firms and other computer experts often have to rely on educated guesses and conjecture to track the origin of malicious software designed to spy on other nation-states. 

"One of the most famous bits of nation-state malware, Stuxnet, was used to sabotage centrifuges used by Iran's nuclear programme. Suspicion naturally fell on Israel, which is the region's most technologically advanced nation, and which has long feared that Iran is working on a nuclear bomb (there have been rumours that Israel has mulled air strikes against Iranian factories). America, as Israel's chief ally and one of Iran's chief opponents, fell under suspicion as well. Neither country has ever admitted to working on Stuxnet. But American officials have never denied it, either."

More recent pieces of malware include Regin, which has been found in computers in Saudi Arabia and Russia, and DarkHotel, which targets corporate executives staying in Asian hotels. Due to their advanced nature and espionage-like purpose, experts believe these malicious pieces of software can be traced to nation-states. Regin has been linked to the British, DarkHotel to South Korea. The reason for these assertions is two-fold. First, the code within each piece of malware includes lexical clues: Korean characters in DarkHotel, cricket terminology in Regin. Also, the target of an attack can usually clue observers in on who is likely to have initiated it.

Of course, nothing is certain:

"But all this is tentative. The spies presumably know that their opponents (as well as civilian security researchers) will try to reverse-engineer any computerised bugs they stumble across. So either the clues that do remain were included accidentally, or they are deliberately designed to deceive."

If the future of warfare is to include fewer arms and more malware, it's to be expected that nations will boost their efforts in deciphering code and tracing the trail of smoke from the virtual gun barrel. 

Read more at The Economist

http://bigthink.com/ideafeed/experts-try-to-map-the-battlefields-of-cyber-warfare
