Security experts and researchers generally are unfazed by cyberattacks using malware designed to collect intelligence data because it’s a practice that’s been done for years, but most agree the real threat is attacks aimed at causing destruction. In the hands of the wrong people -- extremists out to cause chaos to make a statement regardless of the fallout -- cyberweapons are too difficult to control, they say.
The Flame malware toolkit, which emerged recently, has sparked a renewed discussion of cyberwarfare threats. Researchers conducting analysis of the malware are trying to shed light on how and why it was used. All signs point to nation-state sponsored cyber-intelligence gathering, a practice that has been going on for decades, according to security experts, and it’s likely there is no end in sight.
Flame is now also linked to the Stuxnet worm, which returned to the public eye recently after new details emerged connecting the attack -- designed to disrupt Iran’s nuclear program -- to a joint American-Israeli operation dubbed “Olympic Games,” according to a New York Times article quoting anonymous participants in the program. The possible fallout of a more clear connection between the U.S. and the Stuxnet attacks is still being considered, but some experts say that in the hands of nations, cyberweapons can be a deterrence used only in limited military strikes.
“Would you launch an air attack against the U.S.? Would you launch a missile attack? Probably not, because you’re afraid of our response, and the same will be true with cyber,” says Jim Lewis, director and senior fellow at the Center for Strategic and International Studies. “One thing to watch is the increasing capability available to non-state actors -- private groups. They are harder to control and they’re going to make mistakes. I worry about miscalculation.”
As many as 35 countries are developing cyberweapon capabilities, says Lewis, who calls Flame unremarkable. A cybersecurity researcher and former White House advisor, Lewis has been documenting publicly identified cyberespionage activities targeting government agencies and defense contractors. Nearly 100 publicly known incidents linked to nation-state sponsored attacks have taken place since 2006, according to Lewis.
There is a consistent pattern of technology falling in the hands of financially motivated cybercriminals making once sophisticated attacks more mainstream, Lewis says. The real threat to businesses and the continuity of the Internet would be if advanced technologies and techniques used in nation-state cyberespionage and cyberattacks become available to financially motivated cybercriminals and in turn to anonymous hacktivist and extremist groups hell bent on sending a message.
“It’s interesting to see how skillful many people are around the world,” Lewis says. “I tell American officials that we are not the sole superpower when it comes to cyber. We have peers and there are peers that aren’t even connected to nation-states.”
The Flame malware, which was detected on systems in Iran and several other countries in the Middle East and North Africa, contained a collection of tools designed to steal data, listen in on conversations and take snapshots of individuals using the system’s internal camera. “I don’t know that there was anything really groundbreaking in it,” says Joe Stewart, director of malware research for Dell SecureWorks' Counter Threat Unit. “More impressive is the scope of the project.”
Stewart says it’s clear that someone is trying to design a highly flexible platform that contains a lot of capabilities. Hackers who plan to conduct long-term intelligence gathering campaigns need to maintain long-term persistence on networks and conduct advanced reconnaissance work, Stewart says. While Flame used some advanced techniques -- a hash collision attack was designed to break the crypto associated with Microsoft Windows Update mechanism in Windows Vista and Windows 7 systems -- it is no longer very useful since Microsoft has corrected the issue and antivirus vendors can detect the malware.
“We like to try to stay one step ahead of [cybercriminals], but anyone who is motivated and has the financial means can very well design and execute a successful attack on a private enterprise, a government agency or a single individual,” Stewart says. “That’s why we’re busy documenting the methods that we know about and looking for new ones every day.”
News about Stuxnet being state-sponsored is not a big revelation, but taking that together with the Flame toolkit and Duqu malware presents a learning opportunity for businesses, says Stephen Cobb, a security evangelist at antivirus vendor ESET. The industrialization of malware as part of a very organized, criminal enterprise should motivate enterprises to ensure security best practices are in place.
“You can go out and buy a zero-day; you can buy all the bits you need to conduct your criminal enterprises in cyberspace and I think it does take time for the average business to get its head around that,” Cobb says. “It’s a clear example of the need to be diligent about security.”
About the author:
Robert Westervelt is news director of SearchSecurity.com. Send comments on this article to firstname.lastname@example.org