18 February 2015

BREAKING NEWS: WHO BENEFITS FROM THE LATEST HACKING REVELATION — ALLEGEDLY TIED TO NSA?

February 16, 2015

Dan Goodin, writing on the February 16, 2015 website, ArsTechnica.com, has a lengthy article posted, with the title above. Mr. Goodin writes that the Moscow-based cyber security lab/firm, Kaspersky Lab, has identified a hacking group they have dubbed — The Equation Group — who Kaspersky claims is responsible for at least 500 documented [digital] infections in 42 countries around the world over the past decade — with Iran, Pakistan, Afghanistan, India, Syria, and Mali, topping the list. Because of the self-destruct mechanism built into the malware the group used to promulgate the digital infections, Kaspersky researchers suspect that the 500 documented infections is but a tiny percentage of the total number of actual victims — which Kaspersky Lab says could reach into the tens of thousands.” Kaspersky Lab dubbed the hacking group — The Equation Group — because of the members’ strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques,” Mr. Goodin writes.

“In an exhaustive report published today at the Kaspersky Security Analyst Summit in Cancun, Mexico, Mr. Goodin writes, “researchers stopped short of concluding the Equation Group was the handiwork of the National Security Agency (NSA); but, Kaspersky provided ‘detailed evidence’ they claim ‘strongly implicates NSA,” as the likely entity that is responsible for the Equation Group’s hacking campaign.

Mr. Goodin writes that Kaspersky provided “a long list of superhuman technical feats that illustrate the Equation Group’s extraordinary skill, painstaking work, and unlimited resources.” Mr. Goodin writes they include:

— The use of virtual file systems, a feature also found in the highly sophisticated Regin malware. Leaked Snowden documents purport to indicate the NSA used Regin to infect the partly, state-owned Belgian firm Belgacom;

— The stashing of malicious files in multiple branches of an infected computers registry. By encrypting all malicious files; and, storing them in multiple branches of a computer’s Windows registry, the infection was impossible to detect using antivirussoftware;

— Redirects that sent iPhone users to unique, exploit Web pages. In addition, infected machines reporting to the Equation Group command servers identified themselves as Macs, an indication that the group successfully compromised both iOS, and OS X devices;

— The use of more than 300 Internet domains and 100 servers to host a sprawling command and control infrastructure;

— USB stick-based reconnaissance malware to map air-gapped networks, which are so sensitive networks, which are so sensitive that they aren’t connected to the Internet. Both Stuxnet and the related Flame malware platform also had the ability to bridge air-gaps;

— An unusual, if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent the restriction, Equation Group malware exploited a known vulnerability in an area already signed driver for CloneCD to achieve kernel-level code execution.”

“Taken together, these accomplishments led Kasopersky Lab researchers to conclude that the Equation Group is probably the most sophisticated computer attack group in the world, with the technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware,” Mr. Goodin wrote.

The article then goes into more exhaustive detail on the techniques, methods, and sources that the Equation Group purportedly used to do their unique and elegant hacking operations. To read the entire article, I refer you to either ArsTechnica.com, and/or, Digg.com, which both have the full article on their websites.

What Mr Goodin/ArsTechnica.com, and Kaspersky Lab Researchers Failed To Ask Is — Who Benefits From Revealing This Information To The World?

Whether or not the Ksapersky Lab’s assessment is accurate or not, is really not as important right now, as who benefits from this analysis; and, who is likely harmed. If Kaspersky Lab is correct — and, I take no position whether they are, or not — I do not know, and that point is mostly irrelevant. But, for the sake of argument, if Kaspersky Lab is correct in their assessment that NSA was/is responsible, then who are the biggest beneficiaries of this research?

Russia, China, Iran, North Korea, al Qaeda, the Islamic State, cyber criminal entities, cyber ‘patriots’/cyber militias, and cyber lone wolves who would love nothing more than to cripple America’s critical infrastructure are the biggest winners, or benefactors of this ‘ work’. Revealing these techniques, tactics, procedures, methods, and sources, will mostly aid those who wish the United States and the West great harm. This intellectual cyber capital, will allow Russia, China, Iran, North Korea, al Qaeda, the Islamic State, and so on — to play digital leapfrog, as they learn from these revelations; and, apply these techniques to both their own defensive, and offensive cyber operations and strategies. This will allow the darker, cyber angels of our nature, to move to the front of the digital line — much more quickly than they otherwise would have. In essence, this analysis provides a digital shortcut, allowing those nation-states, and others to move from being a cyber nuisance, and a potential growing cyber threat, to a first-order cyber threat in a compressed, and much shorter time-frame.

It has already been well documented that al Qaeda, the Islamic State, criminal entities, and others, changed, and substantially enhanced their encryption software in the months after Edward Snowden’s initial leaks. Additionally, these same groups and others, changed and enhanced their communications techniques, tactics, and procedures, in the aftermath of Mr. Snowden’s leaks — making it more difficult for the United States, Britain, and others, to ferret out and discover potential terrorist plots — and, stop them before they occur.

This reminds me of the infamous statement reportedly made by a Major in the U.S. Army to a CNN reporter (Peter Arnett), on February 7, 1968, in the Vietnam Provincial Capital, Ben Tre, in the early years of the Vietnam War, when the ‘Strategic Hamlet’ program was part of U.S. military strategy — “It became necessary to destroy the town in order to save it.” It would seem that there are those who believe this same philosophy should apply the cyber/digital equivalent “Strategic Hamlet’ philosophy of ‘destroying the village in order to save it,’ — to the NSA and U.S. Intelligence collection capabilities.

But, one should appreciate and understand that the Islamic State and al Qaeda would love nothing more than to somehow smuggle in, or build some type of tactical nuclear device; and/or, some other weapon of mass destruction into the U.S. homeland — in order to inflict terrible carnage on American soil. Barring that option, these same darker angels of our nature may see a cyber/digital ‘nuclear’ device — something that could inflict tremendous damage to our critical infrastructure — as a more realistically, and doable, less risky, and less challenging endeavor to undertake than attempting something in the nuclear realm. This latest cyber research, is likely to be very beneficial to those who favor this option, and significantly enhance their understanding of how to evade digital discovery; as well as increase their level of knowledge of how they might carry out — a digital Pearl Harbor — and inflict terrible damage to our critical national infrastructure. V/R, RCP

No comments: