Kaspersky Lab Reveals Inconvenient Truth About Cyber Arms Race


Originally published by Russia Direct on 27 February 2015

Director of U.S. National Intelligence James Clapper’s recent statement that Russia poses a cyber-threat to the U.S. and can undermine its facilities with malware programs indicates that the cyber arms race between countries seems to be coming to fruition. This is a warning sign, especially amidst the mid-February exposure by Kaspersky Lab, the Moscow-based security software manufacturer, of the U.S.-based Equation Group’s cyber-espionage activities, widely discussed by the tech community.

Surprisingly, the exposure has so far received low-key attention from governments and other parties across the world. In fact, the discovery is so ground-breaking in many ways for the non-technical community that it takes the debates launched by the revelations of the National Security Agency’s former agent Edward Snowden to a whole new level. The full range of potential implications seems hard to grasp at this stage, but there are a few immediate points worth making.

The Breakthrough 

According to Kaspersky Lab researchers, the Equation Group’s malware capacities prove to be the most sophisticated ever revealed, and the full scope of their reach is still under assessment. This is essentially a cluster of spying programmes, which have been in operation for some 14 years, affecting over 500 victims’ personal computers in about 30 countries, with most infections detected in Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. Various worms targeted government and military institutions, telecommunication companies, critical infrastructure objects including banks, energy companies, nuclear researchers, media, and Islamic activists. The companies whose disk drives have been affected reportedly include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.

The researchers seem to be as impressed by the discovery as the rest of the world: it provided highly professional, laboratory-proven evidence that it is possible to infect the hard drive’s firmware, the very heart of the computer, in such a way that after the intrusion the malware can’t be read back or removed. In fact, it resurrects itself repeatedly even after the reinstallation of firmware, physical destruction being the only way to beat it. The malware can wipe out the hard drive, reformat it, or create a hidden space on the hard drive to store data necessary to capture the password and crack encryption – capacities which are especially threatening to any critical infrastructure objects.

One of the programmes in the Group called ‘Fanny’ has been in action roughly since 2008 according to Kaspersky Lab’s Director of Global Research and Analysis Team (GReAT) Costin Raiu, and its aim has been to find out and infiltrate air-gapped networks and then infect them via USB-based command. One of the early manifestations of the infection appeared after a scientific conference in Houston where the CDs later distributed among the participants were infected with the malware. 

Researchers believe that some of the tested Fanny exploits were adopted later in 2010 for the Stuxnet and Flame programmes. Therefore, even though Kaspersky Lab doesn’t ‘have hard proof to attribute the Equation Group or speak of its origin’, saying it’s very hard to attribute a cyber-attack fully, it admits the technical signs of similarity with such malware as Stuxnet and Flame, widely recognised as US- and Israeli-devised programmes activated against Iran’s nuclear programme in 2010. This was also confirmed to Reuters by former NSA officials. Besides, the launch of the Equation Group roughly coincides with the adoption of the US Patriot Act in the aftermath of the 9/11 attacks and the related expansion of the special services’ capacities to fight terrorism.


The Masterplan 

The recent timeline of the cyber-related initiatives in the US offers some clues. On February 10 the White House announced the planned launch of a new cyber-security agency – the Cyber Threat Intelligence Integration Center (CTIIC was signed into existence on 25 February) – set up to deal with challenges such as the North Korean attack on Sony Pictures, presented as a ‘game changer’. Seen by some as a redundant structure, the agency is meant to fill in the cyber gaps where the rest of the special agencies lack expertise, capacities or interoperability, according to Lisa Monaco, President Obama's homeland security and counterterrorism adviser. It would take care of focused intelligence, analyse cyber-breaches by both state and non-state agents and feed them to other relevant agencies.

Three days later, at the ‘cyber summit’ with industry and government leaders at Stanford University in California (snubbed by Google, Yahoo and Facebook leaders), President Obama called on the tech industry and community to consider privacy vs security trade-offs and collaborate more actively with the government over encryption, sharing data on existing cyber-vulnerabilities.

On 15 February President Obama said in an interview with Re/Code that the summit was partly about ‘both making sure that we have mechanisms for government/private sector cooperation, increased consumer awareness of how they can reduce their vulnerabilities, how we can build better defenses, how we can respond better and more resiliently’. And then in the same breath he admits: ‘this is more like basketball than football, in the sense that there’s no clear line between offense and defense. Things are going back and forth all the time. <…> Because when you develop sufficient defenses, the same sophistication you need for defenses means that potentially you can engage in offense’.

The point of this very thin difference between cyber-offense and cyber-defense is crucially important here, and not just because the US possesses state-of-the-art capacities in both fields. The difference has been neatly pointed out by The Wired: ‘It’s a truism that the cyber battlefield is asymmetric—a defender has to get it right every time, while an attacker only has to succeed once’. In other words, the US (assuming that NSA stands behind the Equation Group) has been investing in its cyber warfare for a long time and has by now achieved mind-blowing results hardly matched by any other country cited as a cyber-power at present. It has understandably caused admiration in the tech community, and Bruce Schneier has even suggested that ‘it's the sort of thing we want the NSA to do. It's targeted. It's exploiting existing vulnerabilities’. He continues though: ‘On the other hand, the NSA's definition of "targeted" can be pretty broad’. The Equation Group’s targeted spying capacity at firmware level is relatively modest for now and must have been run with extreme caution, but complemented with the already known drag-net communications surveillance capacity it draws a picture of an almighty system of information control and manipulation.

In this sense, the Equation Group crowns ‘the nuclear balance’ deal in cyber: all you need is an R&D breakthrough at such a level as to get into an unreachable bargaining position. While defense is costly and means a constant catch-up game, offense in this context sets one far ahead of the potential rivals. This then, of course, allows one to deliberate on the need ‘to find some international protocols that, in the same way we did with nuclear arms, set some clear limits and guidelines, understanding that everybody’s vulnerable and everybody’s better off if we abide by certain behaviors’, set up institutions and engage the private sector to ‘have sufficient capability to defend ourselves’ as defense tools – useful but complementary in essence. Exercising collective restraint measures might not sound like a fair deal anymore in this context to other states.

In other words, the gauntlet was thrown unnoticed 1.5 decades ago, and certainly, the countries of the world will have to try to give some response now, amend and upgrade their cyber-security strategies etc. However, there is little hope that it can be anywhere close to symmetrical at least at present. While eventually only a technical solution could possibly remedy a technical vulnerability, most probably, any short-term retaliation we can expect will be primarily politics- and diplomacy- rather than tech-policy driven in a truly meaningful way. And it remains an open question for many which path to choose – the defense or the offense one. 

Reportedly, Russian authorities are planning a review of the national information security doctrine in early March to meet the new geopolitical and cyber-threat challenges. However, Snowden’s revelations, cited publicly among the motivations behind the move, are just the tip of the iceberg and miss the point at this stage.


What is next? 

It is hard to blame the policy makers for inaction as they are by definition lagging behind technologists. However, the problem which has emerged with the revelations around the Equation Group is an almost existential one for cyberspace. The proven and widely publicised case of successful firmware infection with such functionality poses uncomfortable questions about the reliability of existing cyber-security models, especially in the context of critical infrastructure objects. This trust vacuum has not yet been fully grasped by the tech community, it seems, and it will take some time to see an articulated policy response.

But why would the Kaspersky Lab researchers, who have done a meticulous job filtering through hackers’ forums and analysing hundreds of samples, reveal their knowledge of the malware now? The easy way would be to identify the move as political. However, Costin Raiu admits that Kaspersky Lab haven’t seen new samples of the Equation Group infected firmware for about a year. This means that either the project has been shut down (which is highly improbable as the identified capacities are too powerful to waste) or the creators have switched to a new – as yet unknown – set of tools. Which is even worse news.





