
Comment from Webroot: Kaspersky links US to spread of PC spyware across 30 countries

February 2015 by Grayson Milbourne, Security Intelligence Director at Webroot

Following Kaspersky's recent claims linking the campaign to the NSA, please find below the comment from Grayson Milbourne, Security Intelligence Director at Webroot.

“It’s not a leap to connect the NSA to this attack. Kaspersky is drawing correlations between the tactics used in Stuxnet – which was revealed to be a collaborative effort between the U.S. and Israel – and other malware that shows enormous programmatic similarities to Stuxnet. Deep-dive analysis has revealed that the techniques employed were very, very advanced – and not something one would see even from an exceptionally organized malware syndicate.

For example, the worm in question was designed to breach an air-gapped network, or a network that’s fully isolated. It used three zero-day exploits that enabled the malware to infect via USB drives, even when auto-run is disabled. Two of the three exploits used were the exact same as what Stuxnet used. What’s notable is that zero-day exploits are incredibly expensive to develop and not something we typically see being utilized by non-nation-state actors. Finally, it’s also important to look at the complexity of the code. The worm deployed a USB rootkit, which is a file-hiding mechanism that is extremely difficult to engineer.

All in all, this evidence would strongly indicate Kaspersky’s claims are on point. So let’s explore the possibility that other nation-states, such as China and Russia, are behind the attack. In cases where these countries have a hand in cyberattacks, it’s not uncommon to see misdirection attempts or diversionary tactics. In this case, there was none of that. Additionally, analysis of the code strongly indicates it was written by native English speakers – as compared to, say, the Red October campaign, which was written by Russian speakers. Simply put, it’s not quite as easy as dropping code words from a document.

Here’s a real-world example to give readers an idea of how this would play out: A government entity (let’s say the U.S. CIA) hijacks packages that contain USB drives and are destined for, say, Iran. They then infect the drives with a worm before shipping them back out. The Iranian IT team receives the USBs and distributes them to employees, who then use them to go about their work. By plugging them into a device, they infect that device – which then becomes a reconnaissance node for data collection.”
