When governments get in the business of writing malware, bad things happen. It's no longer stuff of science-fiction or conspiracy theories, but reality, a security expert said at the Black Hat conference in Las Vegas.
Government-created malware is a relative newcomer to the threat landscape. The most famous one, of course, is Stuxnet, which damaged centrifuges in Iran's Natanz nuclear facility and set back the country's nuclear ambitions by a few years.
"Not long ago, the idea that democratic western governments would be actively involved in this would have sounded ridiculous," Mikko Hypponen, the chief research officer of Finnish-antivirus firm F-Secure, said during a presentation at the Black Hat conference on Wednesday. "The idea of a democratic western government backdooring systems to spy on another democratic government? But that is where we are."
There are five reasons for governments to consider creating custom malware, Hypponen said. They were: law enforcement, spying on other companies, surveillance of its own citizenry, sabotage, and cyber-warfare. Forexample, it is now legal in Finland for police to infect people suspected of serious crimes with malware, he said. What crime is bad enough? And how is this determined? he asked. Of course, law enfocement should also take responsibility if it turns out the suspect is innoncent.
"I'd like them to say they're sorry," he added. "That would be fair."
Hypponen also described an incident where an Iranian colleagues emailed him about a malware infection. “There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out,” Hypponen said. The band was playing Thunderstruck by AC/DC, he said. The attackers gained root access to the machine they entered and wiped all the logs. The incident was likely a taunting move by the attackers behind Stuxnet, Hypponen speculated.
He discussed other advanced malware infections that had been discovered since Stuxnet, including Gauss, FinFisher, Flame, and Careto.
Hypponen has been very concerned about the growing role of government-sponsored malware over the past few years. He was the first speaker to pull his presentation from the RSA Conference earlier this year after allegations emerged that RSA Security deliberately weakened the encryption algorithm used in its authentication platform at the request of the National Security Agency.
Hypponen also provided a security refresher. Dutch firm Diginotar was breached in 2011 and an attacker generated valid digital certificates for major domains such as Google, Mozilla, Twitter, and Microsoft. Because the certificates were issued by a legitimate certificate authority, browsers could be tricked into loading fake sites and treating them as if they were real. It turned out the Iranian government was behind the incident to monitor and track dissidents within the country, Hypponen reminded Black Hat attendees. An attack like this is possible if the government controls all the country's networking infrastructure, as was the case in Iran, he said.
Diginotar ws unusual, as businesses don't generally shut down after being hacked. There are some exceptions, such as the massive distributed denial-of-service attack which forced Codespaces to shut its doors a few months ago. But the typical hacked enterprise has more in common with Sony, which is still in business after a large-scale attack on the Playstation Network compromised several million user accounts a few years ago. “It's a common misconception that if a company is hacked badly enough, they'll go bankrupt. But it's not so,” he said.
“Diginotar didn't fold because they were hacked; they folded because they didn't tell anyone. When it came out, they lost trust, and as a certificate vendor trust is what they were selling."