Five cyberattacks with the greatest potential to change how we think about the relationship between national security and cybersecurity.
In 2013 Kaspersky Lab (pictured) revealed a cyberespionage network, dubbed "Red October", that launched a series of attacks targeting the computer networks of international diplomatic service agencies. Photo: Kommersant
Over the past year, there has been a rapid increase in the proliferation of new cyberweapons that are being used as part of coordinated cyberattacks on computer networks around the world. In some cases, these cyberattacks are part of sustained, multi-year operations that target governments, corporations and research institutions.
At the very beginning of 2013, Kaspersky Lab published a comprehensive report with the results of its study of the global cyberespionage operation known as “Red October.” The targets were government bodies, diplomatic organizations and companies in a number of countries. The attackers had been active for the previous five years. To monitor and control the systems they had infected, they registered more than 60 domain names and ran several servers at hosting providers in various countries. The command-and-control infrastructure was built as a chain of proxy servers.
The attackers, who focused on Russia, the former Soviet Union, Eastern Europe and some Central Asian countries, stole confidential data that was used to gain access to computer systems, personal mobile devices and corporate networks, along with geopolitical data.
Kaspersky Lab’s team of experts initiated an investigation in October 2012, following a series of attacks that targeted the computer networks of international diplomatic service agencies. Eventually, a large-scale cyberespionage network was revealed during the investigation. According to Kaspersky Lab’s analysis report, operation Red October has been a sustained campaign dating back as far as 2007.
“We initiated the investigation once we received files from a partner of ours who wanted to remain anonymous. We soon understood that we were dealing with one of the most widespread cyberespionage campaigns that we had ever encountered,” Kaspersky’s chief malware expert, Vitaly Kamlyuk, told CNews in January 2013.
In February FireEye published an analysis of a new malware program, MiniDuke, that was delivered through an exploit for Adobe Reader. FireEye researched these incidents in conjunction with the Hungarian company CrySyS Lab.
The attackers had sent out malicious PDF documents containing information about a human rights seminar (ASEM), details of Ukraine’s foreign policy and also NATO member countries’ plans. The victims of MiniDuke included government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland; a research foundation in Hungary; and also a research institute, two research centers and a medical institution in the USA. Kaspersky Lab managed to identify a total of 59 victims in 23 countries.
“This is a very unusual cyberattack,” said Eugene Kaspersky, Founder and CEO of Kaspersky Lab. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld. These elite, ‘old school’ malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.”
“MiniDuke’s highly customized backdoor was written in Assembler and is very small in size, being only 20kb,” added Kaspersky. “The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous.”
Red October, MiniDuke, TeamSpy, APT1 and Stuxnet are among the most dangerous cyberthreats of 2013. Photo: Kaspersky Lab
In February 2013 the U.S. information security company Mandiant published a comprehensive report on attacks by a group of Chinese hackers known as APT1 (Advanced Persistent Threat 1). At the beginning of the report, Mandiant states that APT1 is believed to be a unit of the Chinese Army.
Mandiant even cites the possible postal address of this unit and estimates its headcount and the infrastructure it uses. Mandiant suspects that the APT1 group has been operating since 2006 and that, over the past six years, it has managed to steal terabytes of data from at least 141 organizations. Most of the targeted companies are in English-speaking countries.
The only question is the specific nature of the link between APT1 and the Chinese government. As Mandiant points out, “APT1 is likely government-sponsored and one of the most persistent of China's cyberthreat actors.”
“APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398,” the Mandiant report reads. “APT1 maintains an extensive infrastructure of computer systems around the world. … The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds, of human operators.”
In March 2013, the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics, together with the Hungarian National Security Authority (NBF), released information about another complex attack targeting top-level politicians and human rights advocates in the CIS countries and Eastern Europe.
The operation was dubbed TeamSpy because the attackers used TeamViewer, a legitimate remote-administration program, to control their victims’ computers. The attackers’ main aim was to collect information from the victim’s computer, ranging from screenshots to copies of files with a .PGP extension, including passwords and encryption keys.
What makes the Stuxnet program unique is that it was the first time in the history of cyberattacks that a virus physically destroyed part of another nation’s infrastructure. Stuxnet is believed to be a specialized cyberweapon developed by the Israeli and U.S. intelligence services and aimed at Iran’s nuclear program. The American journalist David Sanger claims in his book Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power that Stuxnet was part of Operation Olympic Games, a U.S. government campaign directed against Iran.
The Stuxnet virus has been studied by many anti-virus companies, but several of its modules have been studied only superficially or not researched at all. Stuxnet exists in several versions, the earliest of which appeared in 2009. Experts have more than once expressed their belief that even earlier versions of the worm existed (or still exist).
At the end of February 2013, Symantec published a study of a new “old” version of the worm known as Stuxnet 0.5. This version proved to be the earliest of the known modifications of Stuxnet: it was active between 2007 and 2009.