3 December 2014

Information Warfare: Royals

December 1, 2014: Another high grade Cyber War weapon has been found. This one is called Regin and it joins illustrious predecessors like Stuxnet, Duqu, Flame and several others that have been discovered since 2009. Regin, like its predecessors, is extensive, apparently built by skilled and well organized professionals and designed to stay hidden. This it apparently did for over six years. Malware like this is royalty of hacker software, built with care and abundant resources by top talent.

Regin has numerous modules and the ability to do a lot of spying on its own without much, if any, human intervention. Security researchers are now trying to find where Regin has been, which is difficult because Regin was designed to erase all traces of itself after getting what it was sent in for. Regin apparently was not designed for long term visits, which made it more vulnerable to detection and analysis. Now that researchers know more about Regin they can examine likely systems that might have been attacked to look for clues that Regin was there once, or more, in the past. Unlike earlier software of this type, Regin was designed to intrude in a wider variety of places and look for a much longer list of items. Regin was also designed to recover deleted files and even take over the operation of an infected PC for some operations.

Meanwhile Internet security companies continue to study older major league Cyber War weapons like Stuxnet and keep finding new angles to these powerful weapons. It was that kind of research that led to the discovery of Regin and similar high end hacking tools. Stuxnet was different in that it was developed specifically to damage Iran’s uranium enrichment equipment. All high-end cyber weapons like Stuxnet are designed to keep their activities hidden, and they tend to do that for up to a decade, or more. It now appears that a beta version of Stuxnet was at work as early as 2005. It also appears that Stuxnet got into the Iranian enrichment facilities at least twice.

After the 2005 beta version, there were several more improved versions released. Iran believes that a more recent version of Stuxnet is still trying to gain access to the enrichment equipment. The more prudent (or paranoid) Iranian software experts believe that this new (3.0?) version of Stuxnet is already inside the enrichment control systems, waiting for the right time to do more major damage.

It was first believed that Stuxnet was released in late 2009, and thousands of computers were infected as the worm sought out its Iranian target. Initial dissection of Stuxnet indicated that it was designed to interrupt the operation of the control software used in various types of industrial and utility (power, water and sanitation) plants. Eventually, further analysis revealed that Stuxnet was programmed to subtly disrupt the operation of gas centrifuges used to turn uranium ore into nuclear plant fuel or, after more refining, into nuclear weapons grade material. It is now believed that the first attack was made before 2009, and another attack after that.

The Stuxnet "malware" was designed to hide itself in the control software of an industrial plant, making it very difficult to be sure you have cleaned all the malware out. This is the scariest aspect of Stuxnet and is still making Iranian officials nervous about other Stuxnet-type attacks. Although Iran eventually admitted that Stuxnet did damage, they would not reveal details of when Stuxnet got to the centrifuges or how long the malware was doing its thing before it was discovered and removed. But all this accounts for the unexplained slowdown with Iran getting new centrifuges working. Whoever created Stuxnet probably knows the extent of the damage because Stuxnet also had a "call home" capability even though it was designed to operate in systems without Internet access (by travelling via memory sticks or DVDs).

In 2012 American and Israeli officials admitted that the industrial grade Cyber War weapons (like Stuxnet and several others) used against Iran in the last few years were indeed joint U.S.-Israel operations. Few other details were released, although many more rumors have since circulated. The U.S. and Israel were long suspected of being responsible for these "weapons grade" computer worms. Both nations had the motive to use, means to build, and opportunity to unleash these powerful Cyber War weapons against Iran and others that support terrorism. Regin is suspected of being another such Israeli-American creation. East European programmers are suspected of being capable of this sort of thing and Russia appears to have commissioned some “royal” software.

The U.S. and Israel have been successful with "software attacks" in the past. This stuff doesn't get reported much in the general media, partly because it's so geeky and because there are no visuals. It is computer code and arcane tech skills that get it to its target. The earlier attacks, especially Stuxnet, spread in a very controlled fashion, sometimes via agents who got an infected USB memory stick into an enemy facility. Even if some copies of these programs get out onto Internet connected PCs, they do not spread far. Worms and viruses designed to spread can go worldwide and infest millions of PCs within hours.

Despite all the secrecy, this stuff is very real and the pros are impressed by Stuxnet-type systems, even if the rest of us have not got much of a clue. The demonstrated capabilities of these Cyber War weapons usher in a new age in Internet based warfare. Amateur hour is over and the big dogs are in play. The Cyber War offensive by the U.S. and Israel appears to have been underway for years, using their stealth to remain hidden. There are probably more than three of these stealthy Cyber War applications in use and most of us will never hear about it until, and if, other such programs are discovered and their presence made public.