Information Warfare: Scary Monsters You Cannot Detect


August 24, 2016: Yet another high-end spyware system was recently discovered. This one has been called Sauron and it is very difficult to detect because it is designed that way. So far Sauron has been found in over 30 government networks in China, Rwanda, Russia, Iran and Belgium. Sauron spends most of its time monitoring the system it is in for specific types of information (like passwords, decryption keys and similar useful material). Sauron can deliver its information via the Internet or by hiding on any USB drives that are available. Internet security experts are hard at work trying to find out how to more easily detect that a system has been infected by Sauron, and who created it and controls it.

High-end malware like this began showing up (or was first discovered) in 2009. In 2012 American and Israeli officials admitted that the industrial grade Cyber War weapons (like Stuxnet and several others) recently used against Iran were indeed a joint U.S.-Israeli operation. Few other details were released, although many more rumors have since circulated. Initially it was thought high-end malware might be created and used by existing Internet criminal gangs. East European programmers are suspected of being capable of this sort of thing, and Russia appears to have commissioned some “royal” software using East European mercenaries. But as time goes on, and more is known about how this very complex and efficient malware is designed and built, it becomes obvious that a government operation is the most likely source.

Even before 2001 the U.S. and Israel were suspected of being responsible for these "weapons grade" computer worms. Both nations had the motive to use, means to build, and opportunity to unleash these powerful Cyber War weapons against Iran and others that support terrorism. This joint effort is believed to be a highly classified after-effect of the September 11, 2001 attacks. Subsequent efforts like Regin were also believed to be more Israeli-American collaborations.

The U.S. and Israel have been successful with "software attacks" in the past. This stuff doesn't get reported much in the general media, partly because it's so geeky and because there are no visuals. It is computer code and arcane tech skills that get it to its target. The earlier attacks, especially Stuxnet, spread in a very controlled fashion, sometimes via agents who got an infected USB memory stick into an enemy facility. Even if some copies of these programs get out onto Internet connected PCs, they do not spread far. By contrast, worms and viruses designed to spread can go worldwide and infest millions of PCs within hours.

Despite all the secrecy, this stuff is very real and the pros are impressed by Stuxnet-type systems, even if the rest of us have not got much of a clue. The demonstrated capabilities of these Cyber War weapons usher in a new age of Internet based warfare. Amateur hour is over and the big dogs are in play. The Cyber War offensive by the U.S. and Israel appears to have been underway for years, relying on stealth to remain hidden. There are probably more than three of these stealthy Cyber War applications in use, and most of us will never hear about them unless, and until, other such programs are discovered and their presence made public.

In mid-2015 another new spyware system was found in three hotels used by delegates to negotiations with Iran over sanctions and the Iranian nuclear weapons program. The spyware was described as a much improved version of Duqu, and Israel was said to be probably behind it. Israel denied any involvement, but this is actually an old story. In 2012 Internet security researchers accused Israel of a similar stunt when new spyware was found throughout the Middle East. Similar to Stuxnet and Duqu (both created by a joint U.S.-Israeli effort), the new spyware was called Gauss, and it was used to monitor the financial activity of Hezbollah (an Iran backed Lebanese terrorist group). Gauss was apparently unleashed in 2011, and had already done its job by the time it was discovered.

The 2015 version is called Duqu 2.0 and it is much improved over the 2011 original. Duqu 2.0 uses a new communications system, making it very difficult (and often impossible) to determine where it is sending data and getting orders from. Duqu 2.0 also hides itself much more efficiently, making it more difficult to detect and remove. Duqu 2.0 uses stronger encryption, making it more difficult to even examine the portions of it that are captured. Duqu 2.0 uses all of this, especially the stealth, to compromise entire networks, including routers and “smart” devices (like printers) attached to the network. This makes it much more difficult to remove, because components of Duqu 2.0 are spread all over an infected network and well hidden. Clean out one server and the surviving Duqu 2.0 components will notice this and quietly re-infect the “cleaned” computer or server.

Duqu 2.0 is one of a growing number of powerful malware systems showing up. In late 2014 another high grade Cyber War weapon was found. This one is called Regin and it joined illustrious predecessors like Stuxnet, Duqu, Flame and several others that have been discovered since 2009. Regin, like its predecessors, was extensive, apparently built by skilled and well organized professionals and designed to stay hidden. This it apparently did for over six years. Malware like this is the royalty of hacker software, built with care and abundant resources by top talent.

Regin has numerous modules and the ability to do a lot of spying on its own without much, if any, human intervention. Security researchers are now trying to find where Regin has been, which is difficult because Regin was designed to erase all traces of itself after getting what it was sent in for. Regin apparently was not designed for long term visits, which made it more vulnerable to detection and analysis. Once researchers knew more about Regin they were able to quickly search likely target systems for clues that Regin had been there once, or more than once, in the past. Unlike earlier software of this type, Regin was designed to intrude into a wider variety of places and look for a much longer list of items. Regin was also designed to recover deleted files and even take over the operation of an infected PC for some operations.

The major revelation with Sauron is that this high-grade malware is still being created and there is probably a lot of it out there that is still known only to its authors.