Danny Yadron
June 11, 2015
How Online Spying Is Like Online Dating
Digital espionage is a lot like online dating: You can pretend to be someone you’re not, though your true self usually comes through.
Take Israel’s apparent efforts to spy on diplomatic talks over Iran’s nuclear program at three European hotels. According to a report Kaspersky Lab released Wednesday, some of the innards of the spyware used are nearly identical to a famous hacking tool called Duqu. Inside U.S. intelligence agencies, Duqu is viewed as an Israeli spy tool.
But on a surface level, the authors of this latest state-backed spyware, which Kaspersky calls Duqu 2.0, tried to show themselves in a different light. Think of it as fibbing about your favorite book (not the Hunger Games) or your height (Yep, six-foot even).
One line of code contains the phrase “ugly.gorilla,” the alleged hacker name of Wang Dong, a Chinese national the U.S. has indicted for infiltrating U.S. companies. Another reference: “romanian.antihacker.” It also used some rare compression algorithms associated with Russian-speaking hackers.
But “such false flags are relatively easy to spot, especially when the attacker is extremely careful not to make any other mistakes,” Kaspersky writes in its report.
These days, security companies and law enforcement have gotten pretty good at looking for easy ways to figure out where a computer virus was made. They look for the languages used, regional slang and the time zone in which the spyware appears to have been built.
But each of these breadcrumbs can be faked. Last year, Blue Coat Networks released a report on a hacking gang that littered its code with Hindi and phrases like “God_Save_The_Queen.” But they also used a hacking tool widely associated with China’s People’s Liberation Army and set their computers to show they worked on Moscow time. That’s quite the mutt, though. For what it’s worth, other researchers, including some at Kaspersky, saw genuine Russian links.
In the past, researchers say, even the most elite spies were less careful.
The original form of Duqu, for instance, contained evidence showing its authors worked little on Fridays, appeared to honor the Sabbath and worked in Tel Aviv’s time zone.
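The work-pattern clue described above (no activity on the Sabbath, a Tel Aviv time zone) comes down to re-reading build timestamps in candidate time zones and seeing which one makes the activity look like an ordinary working week. The script below is an added illustration, not code from the article or from Kaspersky; the timestamps are constructed to mimic a team building samples Sunday through Thursday at UTC+2, and the scoring window of 09:00 to 17:59 is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def shift(stamp_utc, offset_hours):
    """Re-express a UTC timestamp in a candidate fixed local offset."""
    return stamp_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def constructed_timestamps():
    """Constructed sample data, not real malware timestamps: one build per
    hour, 09:00-17:00 local at UTC+2, Sunday-Thursday, for two weeks."""
    tz = timezone(timedelta(hours=2))
    start = datetime(2015, 5, 3, tzinfo=tz)  # 3 May 2015 was a Sunday
    stamps = []
    for day in range(14):
        d = start + timedelta(days=day)
        if d.weekday() in (4, 5):  # Friday=4, Saturday=5: no builds
            continue
        for hour in range(9, 18):
            stamps.append(d.replace(hour=hour).astimezone(timezone.utc))
    return stamps


def score_offset(stamps_utc, offset_hours, workday=range(9, 18)):
    """Fraction of builds that land inside office hours for this offset
    (the 09:00-17:59 window is an assumed notion of 'office hours')."""
    local_hours = [shift(s, offset_hours).hour for s in stamps_utc]
    return sum(h in workday for h in local_hours) / len(local_hours)


def best_offset(stamps_utc):
    """Candidate offset that best explains the builds as daytime work."""
    return max(range(-12, 15), key=lambda o: score_offset(stamps_utc, o))


def idle_weekdays(stamps_utc, offset_hours):
    """Local weekdays (Mon=0 .. Sun=6) with no builds at all for this offset;
    a consistent gap such as {4, 5} is the 'rest day' signal."""
    busy = Counter(shift(s, offset_hours).weekday() for s in stamps_utc)
    return {d for d in range(7) if busy[d] == 0}


if __name__ == "__main__":
    stamps = constructed_timestamps()
    offset = best_offset(stamps)
    print(f"best-fitting offset: UTC{offset:+d}")
    print(f"idle weekdays at that offset: {sorted(idle_weekdays(stamps, offset))}")
```

Timestamps are attacker-controlled metadata, so this kind of fit is only corroborating evidence; the point of the article is that careful authors can set them to whatever working week they want you to see.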
Israel declined to comment on any links to the hacking tool.