Tag Archives: cyber warfare

A walk down memory lane in London.

I was in London only a month ago – but, since if you’re tired of London, you’re tired of life‘, I was back in the UK capital just the other day!…

And – just as I prefer it – we arrived with plenty of time to spare before our business program was set to start, so, naturally – first things first – walkies time!…

Handily, our hotel was in the center of the city – a stone’s throw from the River Thames and not far from Buckingham Palace – so off we set for some London side-street strolling. But before we’d hardly gotten started, suddenly…

…Hold on… I think I recognize that building. Yes, it’s the Queen Elizabeth II Centre, where – precisely (!) 10 years ago (November 2011) – I took part in the London Cyberspace Conference, after having been personally invited by the then-foreign secretary, William Hague!

Read on…

Which hacker group is attacking my corporate network? Don’t guess – check!

Around four years ago cybersecurity became a pawn used in geopolitical games of chess. Politicians of all stripes and nationalities wag fingers at and blame each other for hostile cyber-espionage operations, while at the same time – with the irony seemingly lost on them – bigging-up their own countries’ cyber weapons tools that are also used in offensive operations. And caught in the crossfire of geopolitical shenanigans are independent cybersecurity companies, who have the ability and gall guts to uncover all this very dangerous tomfoolery.

But, why? It’s all very simple…

First, ‘cyber’ is still really quite the cool/romantic/sci-fi/Hollywood/glamorous term it appears to have always been since its inception. It also sells – including newspapers online newspaper subscriptions. It’s popular – including to politicians: it’s a handy distraction – given its coolness and popularity – when distraction is something that’s needed, which is often.

Second, ‘cyber’ is really techy – most folks don’t understand it. As a result, the media, when covering anything to do with it, and always seeking more clicks on their stories, are able to print all manner of things that aren’t quite true (or completely false), but few readers notice. So what you get are a lot of stories in the press stating that this or that country’s hacker group is responsible for this or that embarrassing/costly/damaging/outrageous cyberattack. But can any of it be believed?

We stick to the technical attribution – it’s our duty and what we do as a business

Generally, it’s hard to know if it can be believed or not. Given this, is it actually possible to accurately attribute a cyberattack to this or that nation state or even organization?

There are two aspects to the answer…

From the technical standpoint, cyberattacks possess an array of particular characteristics, but impartial system analysis thereof can only go so far in determining how much an attack looks like it’s the work of this or that hacker group. However, whether this or that hacker group might belong to… Military Intelligence Sub-Unit 233, the National Advanced Defense Research Projects Group, or the Joint Strategic Capabilities and Threat Reduction Taskforce (none of which exist, to save you Googling them:)… that is a political aspect, and here, the likelihood of manipulation of facts is near 100%. It turns from being technical, evidence-based, accurate conclusions to… palm or coffee grounds’ readings for fortune-telling. So we leave that to the press. We stay well away. Meanwhile, curiously, the percentage of political flies dousing themselves in the fact-based ointment of pure cybersecurity grows several-fold with the approach of key political events. Oh, just like the one that’s scheduled to take place in five months’ time!

For knowing the identity of one’s attacker makes fighting it much easier: an incident response can be rolled out smoothly and with minimal risk to the business

So yes, political attribution is something we avoid. We stick to the technical side; in fact – it’s our duty and what we do as a business. And we do it better than anyone, I might modestly add ). We keep a close watch on all large hacker groups and their operations (600+ of them), and pay zero attention to what their affiliation might be. A thief is a thief, and should be in jail. And now, finally, 30+ years since I started out in this game, after collecting non-stop so much data about digital wrongdoing, we feel we’re ready to start sharing what we’ve got – in the good sense ).

Just the other day we launched a new awesome service aimed squarely at cybersecurity experts. It’s called the Kaspersky Threat Attribution Engine (KTAE). What it does is analyze suspicious files and determine from which hacker group a given cyberattack comes from. For knowing the identity of one’s attacker makes fighting it much easier: informed countermeasure decisions can be made, a plan of action can be drawn up, priorities can be set out, and on the whole an incident response can be rolled out smoothly and with minimal risk to the business.

So how do we do it?

Read on…

i-Closed-architecture and the illusion of unhackability.

The end of August brought us quite a few news headlines around the world on the cybersecurity of mobile operating systems; rather – a lack of cybersecurity of mobile operating systems.

First up there was the news that iPhones have been getting attacked for a full two years (!) via a full 14 vulnerabilities (!) in iOS-based software. To be attacked, all a user had to do was visit one of several hacked websites – nothing more – and they’d never know anything about it.

But before all you Android heads start with the ‘nah nana nah nahs’ aimed at the Apple brethren, the very same week the iScandal broke, it was reported that Android devices had been targeted by (possibly) some of the same hackers who had been attacking iPhones.

It would seem that this news is just the next in a very long line of confirmations that no matter what the OS, there may always be vulnerabilities that can be found in it that can be exploited by certain folks – be they individuals, groups of individuals, or even countries (via their secret services). But there’s more to this news: it brings about a return to the discussion of the pros and cons of closed-architecture operating systems like iOS.

Let me quote a tweet first that ideally describes the status of cybersecurity in the iEcosystem:

In this case Apple was real lucky: the attack was discovered by white-hat hackers at Google, who privately gave the iDevelopers all the details, who in turn bunged up the holes in their software, and half a year later (when most of their users had already updated their iOS) told the world about what had happened.

Question #1: How quickly would the company have been able to solve the problem if the information had gone public before the release of the patch?

Question #2: How many months – or years – earlier would these holes have been found by independent cybersecurity experts if they had been allowed access to the diagnostics of the operating system?

To be frank, what we’ve got here is a monopoly on research into iOS. Both the search for vulnerabilities and analysis of apps are made much more difficult by the excessive closed nature of the system. The result is almost complete silence on the security front in iOS. But that silence does not actually mean everything’s fine; it just means that no one actually knows what’s really going on in there – inside those very expensive shiny slabs of aluminum and glass. Even Apple itself…

This state of affairs allows Apple to continue to claim it has the most secure OS; of course it can – as no one knows what’s inside the box. Meanwhile, as time passes – yet no independent experts can meaningfully analyze what is inside the box – hundreds of millions of users are just lying in wait helpless until the next wave of attacks hits iOS. Or, put another way – in pictures…:

Now, Apple, to its credit, does put a lot of time and money into increasing security and confidentiality with regard to its products and ecosystems on the whole. Thing is, there isn’t a single company – no matter how large and powerful – can do what the whole world community of cybersecurity experts can combined. Moreover, the most bandied-about argument for iOS being closed to third-party security solutions is that any access of independent developers to the system would represent a potential vector of attack. But that it just nonsense!

Discovering vulnerabilities and flagging bad apps is possible with read-only diagnostic technologies, which can expose malicious anomalies upon analysis of system events. However, such apps are being firmly expelled from the App Store! I can’t see any good reason for this beside fear of losing the ‘iOS research monopoly’… oh, and of course the ability to continue pushing the message that iOS is the most secure mobile platform. And this is why, when iUsers ask me how they’re supposed to actually protect their iDevices, I have just one simple stock answer: all they can do is pray and hope – because the whole global cybersecurity community just ain’t around to help ).

Enter your email address to subscribe to this blog
(Required)

Cyber-news from the dark side – ver. SAS-2019.

Hi folks!

Herewith, the next in my series of occasional iNews, aka cyber-news from the dark side updates – this one based on some of the presentations I saw at our annual Security Analyst Summit in Singapore last month.

One of the main features of every SAS is the presentations given by experts. Unlike other geopolitically-correct conferences, here the analysts up on stage share what they’ve discovered regarding any cyberthreat, no matter where it may come from, and they do this based on principle. After all, malware is malware and users need to be protected from all of it, regardless of the declared virtue of the intentions of those behind it. Just remember the boomerang effect.

And if certain media outlets blatantly lie about us in response to this principled position, so be it. And it’s not just our principles they attack – for we practice what we preach: we’re way ahead of the competition when it comes to the numbers of solved cyberespionage operations. And we’re not planning on changing our position in any way to the detriment of our users.

So here are a few synopses of the coolest investigations talked about at SAS by the experts behind them. The most interesting, most shocking, most scary, most OMG…

1. TajMahal

Last year, we uncovered an attack on a diplomatic organization from Central Asia. Of course, that an organization like that is interesting to cybercriminals should come as no surprise. The information systems of embassies, consulates and diplomatic missions have always been of interest to other states and their spy agencies or generally any bad guys with sufficient technical ability and financial wherewithal. Yes, we’ve all read spy novels. But here was something new: here a true ‘TajMahal’ was built for the attacks – an APT platform with a vast number of plugins used (we’ve never seen so many used on one APT platform – by far) for all sorts of attack scenarios using various tools.

The platform consists of two parts: Tokyo and Yokohama. The former is the main backdoor, which also fulfils the function of delivery of the latter malicious program. The latter has very broad functionality: stealing cookies, intercepting documents from the printer queue, recording VoIP calls (including WhatsApp and FaceTime), taking screenshots, and much more. The TajMahal operation has been active now for at least five years. And its complexity would suggest that it’s been built with more than one target in mind; the rest remain for us to find…

Details of this APT-behemoth you can find here.

Read on…

Cyber-paleontology: Sounds impressive; its results – more so.

Hi folks!

Let me kick off by paraphrasing a rather famous philosophical postulate: ‘Does a profession determine man’s social being, or does his social being determine his profession?’ Apparently this question (actually, the original) has been hotly debated for more than 150 years. And since the invention and spread of the Internet, this holy war only looks set to be extended for another 150, at least. Now, I personally don’t claim to support one side or the other; however, I do want to argue (based on personal experience) in favor of the dualism of a profession and being, since they mutually affect each other – in many ways and continually.

Toward the end of the 1980s, computer virology came about as a response to the growing proliferation of malicious programs. Fast-forward 30 years, and virology has evolved (rather, merged – in ecstasy – with adjacent fields) into the cybersecurity industry, which now often dictates the development of being IT: given inevitable competition, only the technology with the best protection survives.

In the 30 years since the end of the 1980s, we (AV companies) have been called quite a few different colorful and/or unsavory names. But the most accurate in recent years, IMHO, is the meme cyber-paleontologists.

Indeed, the industry has learned how to fight mass epidemics: either proactively (like we protected users from the largest epidemics of recent years – Wannacry and ExPetr), or reactively (using cloud-based threat-data analysis and prompt updates) – it doesn’t matter. But when it comes to targeted cyberattacks, there’s still a long way to go for the industry on the whole: only a few companies have sufficient technical maturity and resources to be able to cope with them, but if you add an unwavering commitment to expose any and all cyber-baddies no matter where they may come from or what their motives might be – you’re left with just one company: KL! (Which reminds me of something Napoleon Hill once said: ‘The ladder of success is never crowded at the top’.) Well it’s no wonder we’re in a lonely position (at the top of the ladder): maintaining that unwavering commitment to expose literally anyone is waaaaay more expensive than not maintaining it. And it’s waaaay more troublesome given the ongoing geopolitical upheavals of late, but our experience shows it’s the right thing to do – and users confirm this with their wallets.

A cyber-espionage operation is a very long, expensive, complex, hi-tech project. Of course, the authors of such operations get very upset and annoyed when they get caught, and many think that they try to get rid of ‘undesirable’ developers by using different methods via manipulation of the media. There are other, similar theories too:

But I digress…

Now, these cyber-espionage operations can remain under the radar for years. The authors take good care of their investments kit: they attack just a few specially selected targets (no mass attacks, which are more easily detected), they test it on all the popular cybersecurity products out there, they quickly change tactics if the need arises, and so on. It’s no stretch of the imagination to state that the many targeted attacks that have been detected are just the tip of the iceberg. And the only really effective means of uncovering such attacks is with cyber-paleontology; that is, long-term, meticulous collection of data for building the ‘big picture’; cooperation with experts from other companies; detection and analysis of anomalies; and subsequent development of protection technologies.

In the field of cyber-paleontology there are two main sub-fields: ad hoc investigations (after detecting something by chance and pursuing it), and systemic operational investigations (the process of planned analysis of the corporate IT landscape).

The obvious advantages of operational cyber-paleontology are highly valued by large organizations (be they state or commercial ones), which are always the primary target in targeted attacks. However, not all organizations have the opportunity or ability to undertake operational cyber-paleontology themselves: true specialists (for hire) in this niche line of work are few and far between – and they’re expensive too. We should know – we’ve plenty of them all around the world (with outstanding experience and world-renowned names). Thus, recently, given our strength in this field and the great need for it on the part of our corporate customers – true to the market principles of supply and demand – we decided to come up with a new service for the market – Kaspersky Managed Protection (KMP).

Read on…

Cyber-tales from the dark – and light – sides.

Hi folks!

Today I’ve got some fresh, surprising cybersecurity news items for you. The first few are worrying stories about threats stemming from a certain ubiquitous small device, which many folks simply can’t be without just for one minute – including in bed and in the bathroom. The last few are positive, encouraging stories – about women on the up in IT. Ok, let’s dive in with those worrying ones first…

Don’t join the Asacub victim club

These days, folks tend to entrust their (trusty?) smartphones with all sorts of stuff – banking, important work and personal documents, messaging (often with very personal details strictly for a few eyes only), and more. But, hey, you’ll know all this perfectly well already, and may be one of these folks to this or that extent yourself; and if you are – you really do need to read this one carefully…

At the end of August a sharp increase was detected in the proliferation of the Android Trojan Asacub, which exploits that peculiarly human weakness called curiosity. The Trojan sends a text message with words like: ‘Hey John: You should be ashamed of yourself! [link]’, or ‘John – you’ve been sent an MMS from Pete: [link]’. So John scratches his head, becomes as curious as a cat, wonders what’s in the photo, clicks on the link, and (willingly!) downloads an application… which then proceeds to stealthily access his full contact list and start sending out similar messages to all his peers.

But this crafty malware doesn’t stop there. It can also, for example, read incoming texts and send their contents to the hackers running the malware, or send messages with a given text to a given number. And the ability to intercept and send texts gives the authors of the Trojan the ability to, among other things, transfer to themselves funds from the bank card of the victim if the card is digitally connected to the phone number. And as if that weren’t bad enough – there’s a bonus for the victim: a huge bill from his mobile provider for sending all those messages to everybody.

So how can you protect yourself from such fearsome mobile malware? Here’s how:

  • Don’t click on suspicious links;
  • Carefully check which rights are being requested by the downloaded application (e.g., microphone, camera, location…);
  • And last and most: the simplest step – install reliable protection on your Android smartphone.

Android? Hmmm. I can hear all the sighs of relief just now: ‘Aaaaahhhh, thank goodness I’ve got an iPhone!’!

Hold your horses all you Apple lovers; here’s a couple of links for you too (don’t worry: you can click these – honest!):

Read on…

Here’s to aggressive detection of maliciousness!

In recent years there’s been all sorts written about us in the U.S. press, and the article last Thursday in the Wall Street Journal at first seemed to be just more of the same: the latest in a long line of conspiratorial smear-articles. Here’s why it seemed so: according to anonymous sources, a few years ago Russian government-backed hackers, allegedly, with the help of a hack into the product of Your Humble Servant, stole from the home computer of an NSA employee secret documentation. Btw: our formal response to this story is here.

However, if you strip the article of the content regarding alleged Kremlin-backed hackers, there emerges an outline to a very different – believable – possible scenario, one in which, as the article itself points out, we are ‘aggressive in [our] methods of fighting malware’.

Ok, let’s go over the article again…

In 2015 a certain NSA employee – a developer working on the U.S. cyber-espionage program – decided to work from home for a bit and so copied some secret documentation onto his (her?) home computer, probably via a USB stick. Now, on that home computer he’d – quite rightly and understandably – installed the best antivirus in the world, and – also quite rightly – had our cloud-based KSN activated. Thus the scene was set, and he continued his daily travails on state-backed malware in the comfort of his own home.

Let’s go over that just once more…

So, a spy-software developer was working at home on same spy-software, having all the instrumentation and documentation he needed for such a task, and protecting himself from the world’s computer maliciousness with our cloud-connected product.

Now, what could have happened next? This is what:

Malware could have been detected as suspicious by the AV and sent to the cloud for analysis. For this is the standard process for processing any newly-found malware – and by ‘standard’ I mean standard across the industry; all our competitors use a similar logic in this or that form. And experience shows it’s a very effective method for fighting cyberthreats (that’s why everyone uses it).

So what happens with the data that gets sent to the cloud? In ~99.99% of cases, analysis of the suspicious objects is done by our machine learning technologies, and if they’re malware, they’re added to our malware detection database (and also to our archive), and the rest goes in the bin. The other ~0.1% of data is sent for manual processing by our virus analysts, who analyze it and make their verdicts as to whether it’s malware or not.

Ok – I hope that part’s all clear.

Next: What about the possibility of hack into our products by Russian-government-backed hackers?

Theoretically such a hack is possible (program code is written by humans, and humans will make mistakes), but I put the probability of an actual hack at zero. Here’s one example as to why:

In the same year as what the WSJ describes occurred, we discovered on our own network an attack by an unknown seemingly state-sponsored actor – Duqu2. Consequently we conducted a painstakingly detailed audit of our source code, updates and other technologies, and found… – no signs whatsoever of any third-party breach of any of it. So as you can see, we take any reports about possible vulnerabilities in our products very seriously. And this new report about possible vulnerabilities is no exception, which is why we’ll be conducting another deep audit very soon.

The takeaway:

If the story about our product’s uncovering of government-grade malware on an NSA employee’s home computer is real, then that, ladies and gents, is something to be proud of. Proactively detecting previously unknown highly-sophisticated malware is a real achievement. And it’s the best proof there is of the excellence of our technologies, plus confirmation of our mission: to protect against any cyberthreat no matter where it may come from or its objective.

So, like I say… here’s to aggressive detection of malware. Cheers!

Keeping Cybersecurity Separate from Geopolitics.

Last week, Kaspersky Lab was in the spotlight again in another ‘sensational’ news stream.

I say ‘again’ as this isn’t the first time we’ve been faced with allegations, ungrounded speculation and all sorts of other made-up things since the change of the geopolitical situation a few years ago. With the U.S. and Russia at odds, somehow, my company, its innovative and proven products as well as our amazing employees are repeatedly being defamed, given that I started the company in Russia 20 years ago. While this wasn’t really a problem before, I get it– it’s definitely not popular to be Russian right now in some countries.

For some reason the assumption continues to resonate that since we’re Russian, we must also be tied to the Russian government. But really, as a global company, does anyone seriously think we could survive this long if we were a pawn of ANY government? Our whole business is based on one thing – besides expertise – and that’s trust. Would we really risk our whole business by undermining our trustworthiness?

Especially given that the best non-Kaspersky Lab security researchers (hackers) are constantly scouring our code/products to find and report vulnerabilities. In fact, we even have a public bug bounty program, where we pay researchers to examine our products and search for any issues or possible security concerns. If there was anything suspicious or nefarious to find, they would have publicly shouted it to the roof tops by now.

Read on: Five destructive repercussions of a technology sanctions game…

Cyber-Forecast: 2017.

Such is the way Homo Sapiens are: we’re constantly – even recklessly – looking to the future to try and work out what it might hold for us. Many say we should all live in the present – after all, the future never comes – but, well, that doesn’t work for everyone, and most of us do need to make at least some plans for our futures.

But there are different approaches to looking ahead.

There’s belief in fate, pure guessing, flipping a coin, and so on. There’s also not thinking about the future at all. But there’s a far superior, science-based approach too. This is doing the eastern spirituality thing a bit – not quite being in the present but carefully analyzing the present instead – to be able to predict the future as accurately as possible. And this is exactly what is done to predict the cyber-future; in particular – the security of the cyber-future. And that’s what we do – little by little every day, but also broadly and deeply and especially – and merrily – every year, when we bring together the world’s cybersecurity elite for a week-long pow-wow in a tropical seaside resort, which pow-wow we call the Security Analyst Summit (SAS):

Oops – wrong vid. Here u go…:

Dough! Nope. This one:

I don’t know quite how it’s done but every single year SAS just gets better. I mean, it’s always been GReAT, but the GReATness just keeps going up and up: more experts, better quality content, better and more original ideas, slicker, cooler, and more and more world scoops and exclusive material.

And it’s exclusive material that I’ll be writing about in this here post. Specifically, my Top-5 favorite presentations from SAS-2017. I’m not saying the others were no good or just so-so, it’s just I wasn’t physically able to see them all as they were running simultaneously in different halls. Also – everyone has their own taste; well here’s a guide to mine!…

Off we go!…

Read on: A Maze for a Penguin Under the Moonlight…

StoneDrill: We’ve Found New Powerful ‘Shamoon-ish’ Wiper Malware – and It’s Serious.

If you’re a regular reader of this here blog of mine, you’ll know about our GReAT (Global Research and Analysis Team) – 40+ top-notch cybersecurity experts dotted all around the globe specializing in protecting our customers from the most sophisticated cyberthreats out there. GReATers like to compare their work to paleontology: exploring the deep web for the ‘bones’ of ‘cyber monsters’. Some may consider this an old-fashioned approach: what’s so special about analyzing the ‘bones’ of ‘creatures’ from the distant past when it’s protecting your networks from monsters that are alive now that’s key? Well, here’s a fresh story that proves that sometimes you won’t find today’s living monsters without looking at old ones…

Some of you will be aware of so-called wipers – a type of malware which, once installed on an attacked PC, completely wipes all data from it – leaving the owner of the computer with a completely clean, hardly operating piece of hardware. The most famous (and infamous) wiper is Shamoon – malware which in 2012 made a lot of noise in the Middle East by destroying data on 30,000+ endpoints at the world’s largest oil company – Saudi Aramco, and also hitting another energy  giant – Rasgas. Just imagine: 30,000+ pieces of inoperable hardware in the world’s largest  oil company…

Shamoon, Shamoon 2.0, StoneDrill, Newsbeef. The wipers are spreading across the globe

Curiously, since it’s devastating campaign against the Saudi company in 2012, little has been heard of Shamoon, until it returned in 2016 as Shamoon 2.0, with several new waves of attacks – again in the Middle East.

Since the new waves of Shamoon attacks began, we’ve been tuning our sensors to search for as many versions of this malware as possible (because, let’s face it, we don’t want ANY of our customers to EVER be struck by malware like Shamoon). And we managed to find several versions – hurray! But together with our haul of Shamooners, our nets unexpectedly caught a completely new type of wiper malware, which we’ve named StoneDrill.

The code base of StoneDrill is different to that of Shamoon, and that’s why we think it’s a completely new malware family; it also utilizes some advanced detection avoidance techniques, which Shamoon doesn’t. So it’s a new player, for sure. And one of the most unusual – and worrying – things we’ve learned about this malware is that, unlike Shamoon, StoneDrill doesn’t limit the scope of its targets to Saudi Arabia or other neighboring countries. We’ve found only two targets of this malware so far, and one of them is based in Europe.

Why is this worrying? Because this finding indicates that certain malicious actors armed with devastating cyber-tools are testing the water in regions in which previously actors of this type were rarely interested.

Read on: more wipers!…