Locks and Security News: your weekly locks and security industry newsletter
23rd October 2019 Issue no. 480
Your industry news - first
We strongly recommend viewing Locks and Security News full size in your web browser. Click our masthead above to visit our website version.
Investigation reveals cyber espionage technique used for government intelligence gathering
A joint investigation by the Guardian Newspaper and the Cyber Security Research Institute has revealed that nation states are now routinely deploying cyber espionage software across the internet.
In the wake of the furore surrounding the discovery of the 'Flame software,' the investigation has been told of four other similar programmes that have already been identified on the internet.
Computer security experts are admitting off the record that the number is actually much higher and that the systems have been under development since at least 1996 and the dawn of the internet.
"There are a lot of countries that now have these systems. Every Middle Eastern country and all the states now known as the 'Stans' [Pakistan and the former satellite states of the Soviet Union] have them", said another expert with close links to the UK intelligence agencies, who is actively engaged in combating the software.
"Every nation now has an armoury, whether well stocked or not depends on their resources. They have a suite of weapons and another for intelligence gathering. Most of them are big players and their suite of tools all have different functions. Some are crude and blunt, some are very stealthy.
"Some have the ability to attack and they are built for that purpose," said the man, a former military officer based in London, who is one of the most highly respected figures in what many people are describing as the 'new cyber war.'
Suspicions that the intelligence agencies have been developing such a capability for a long time were confirmed by a computer expert who has formerly worked with a Western intelligence agency.
"Work was done in 1996 on pixel call-back software," said the man considered one of the UK's top computer brains. "It was used to infect websites and then track where people were coming from and then infect their machines and pass information back about them. It was the basis of the work that we are seeing now," said the expert, adding that the mechanisms developed then found their way into the advertising industry. They were a sort of cookie before people had even thought of them," said the man, who had worked to develop the bugging programs to combat online criminals and potential terrorists.
According to the expert, many of the programs now used by the advertising industry have the capability to be reverse engineered to serve a similar function.
The news of the discovery of the Flame virus caused a furore among the technology community when it was found that the 20 Mb program, unusually large for a virus, had been specifically designed as a highly targeted an industrial espionage tool.
The Flame program, which was first found by Kaspersky Labs, was specifically targeted at the Middle East and had been deliberately built to work for a limited amount of time in a specific geographical area. The virus works by turning over control a computer to the system controlling it, and become both a remote listening device and information forwarding mechanism.
The Kaspersky researcher added that the Flame virus shared similar components and telltale programming to the Stuxnet virus which the Iranian Government has blamed for the damage caused to its nuclear enrichment facility at Nantanz. The virus caused the facility's centrifuges to behave erratically and effectively sabotaged the Iranian nuclear programme, according to some experts for between five and 10 years.
Computer security companies working on both viruses have suggested that Flame was possibly an earlier system designed to collect data for the Stuxnet attack which has been attributed to Israel and the US as part of a plan to disrupt the Iranian development of a nuclear bomb.
Using parts of the same software for both made sense as Flame would have already penetrated part of the target to have obtained the information needed and so the payload could be guaranteed a way through.
At the beginning of July, Indian official announced that the headquarters of the Indian Naval Command had been penetrated by Chinese hackers who had used infected USB keys to smuggle an espionage virus onto its computers at the same time as the Indian Navy's first nuclear submarine, INS Arihant, was undergoing trials at the facility.
The Stuxnet virus also deployed infected USB keys as part of the method used to penetrate the Nantanz facility and many similarities have been drawn between the attack on the Indian naval headquarters and Stuxnet.
"I am not surprised that we are seeing this," Professor Andrew Blyth, head of the University of Glamorgan's Information Security Research Group, one of the GCHQ accredited centres of excellence. It takes around a £1m to develop a good piece of malware like this. The days are now gone from we don't talk about that because it's so highly classified. I am surprised why post-Stuxnet people seem to be so shocked. We are in an information age and that has disrupted our world. There's an irony that it has taken 60 years for Iran to try to develop a bomb and two years for so many people to develop a cyber weapon."
One reason for this according to a former police officer now working in the computer forensics industry, is because the new espionage tools are being developed relatively easily out of innocent components, who like the anonymous expert who pointed out that internet advertising components provided convenient covers for espionage tools.
"We have seen three programs that are like the transformer film franchise. They look to all intents and purposes like a genuine computer program but will develop other functions the moment that they get to where they are meant to be.
"We have also seen another program which is a TCP/IP worm that breaks into a number of different pieces like the melting alloy robot in Terminator. It attaches itself to TCP/IP packets so that it can get through the security systems and then reassembles itself on the other side."
But according to Commodore Patrick Tyrrell, who wrote the first paper warning the UK Government of the threat of an information war in 1996, the rapid development of cyber weaponry was inevitable.
"There is now the ability for a lot of countries to do this. Once the genie was out of the bottle with Stuxnet then it was always going to be a case of we must have our own variant or we will get left behind.
"I think what people are missing is military theory, Sun Tzu the ancient Chinese military general said that 'to subdue the enemy without fighting is the essence of skill' and Clausewitz said 'war is the continuation of policy by other means,' and cyberspace is perfect for those ideas. It allows you to do something better with another tool," said Tyrrell, adding that the new developments meant that the weapons offer the opportunity for a different conflict over information assets.
A point underlined by Graham Wright, a former RAF Jaguar pilot, who until recently worked as the Deputy head of cyber at the Cabinet Office.
"I think that people are badly obscuring this debate by using the word war. There is a difference between warfare and war and I think people need to subject this to the test of does it look and feel like war? The only time you are at war is when you can see the intent of the individual.
"I think that we may be getting closer to the boundaries and the development of capability is something that we need to counter, but talking of war is exaggerated."
A distinction agreed with by many who point to the Cabinet Office sponsored report into intellectual property theft which claimed the UK is losing £27bn a year to foreign powers, a figure some observers say errs on the low side.
"A new industry has been generated in information theft that was not there a year ago. These are not tanks they are scouting systems and they are collecting information," said Mark Raeburn, CEO of Context, a company specialising in protecting against cyber espionage.
"It all depends on what use you put that information to."
19th September 2012