5 (Probably) American Cyberweapons
American politicians, business leaders and media outlets have been repeating the same message for months: The U.S. is under constant cyberattack from Chinese spies, Iranian Revolutionary Guards and Russian cybercriminals.
Yet there's only one country that has tested, deployed and used cyberweapons, and it's the good old U.S.A.
From the deployment of the Flame spyware package in 2007 or 2008, through the successful 2010 sabotage of Iran's nuclear program by the Stuxnet worm, to the bank-information grabber Gauss found just last summer, coders working at the behest of the U.S. government have certainly kept busy.
There's no ironclad proof America is behind any of these pieces of malware. But leading American newspapers have strongly linked the U.S. government (and that of Israel) to both Stuxnet and Flame.
The official U.S. reaction has been not denial, but the launching of investigations to see who talked to the newspapers.
Meanwhile, the Chinese insist that despite the constant attacks by their hackers upon American establishments, Chinese government organizations and companies are attacked just as frequently.
The Russians, despite having a large domestic population of sophisticated cybercriminals, don't seem to have developed the offensive capabilities of their American and Chinese counterparts.
Instead, the Kremlin repeatedly calls for an international treaty to ban cyberweapons, a goal shared by Moscow-based Kaspersky Lab, discoverer of many possibly American cyberweapons.
The age of offensive computer-based spying, sabotage and, eventually, destructive warfare among nation-states has only just begun. We'll see many more cyberweapons in the near future.
In the meantime, here are five cyberweapons the U.S. government likely had a hand in.
The discovery of malicious code attacking Iranian nuclear facilities in the summer of 2010 alerted both information-security experts and Beltway armchair warriors that we'd entered a brave new world.
Stuxnet used not one, but four incredibly valuable "zero-day" exploits — methods of attack through previously unknown software vulnerabilities — to penetrate Windows PCs in Iran's Natanz uranium-enrichment facility.
That fact alone showed that the malware was the creation of a nation-state with money to burn, rather than of a cybercrime group that would have milked each zero-day, one by one, for all each exploit was worth.
Even more specifically, Stuxnet was designed to attack the Natanz facility.
Natanz was not connected to the Internet, so Stuxnet was designed to lie dormant on USB sticks until plugged into the Natanz network. Natanz's centrifuges were operated by Siemens industrial machines, so Stuxnet had special code that attacked them as well.
Most deviously of all, Stuxnet was programmed to hijack Natanz's monitoring systems. It spit out bogus data that told Natanz's human operators that everything was going well, even while the malware silently made the uranium-refinement centrifuges spin out of control.
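The operator-console deception just described is worth turning into a concrete detection idea. The following Python is an added, illustrative example written for this page, not Stuxnet's code and not anything from Natanz; the `Frame` type, the sample readings, the linear current-versus-speed model and the thresholds are all constructed assumptions. It shows two plausibility checks a plant could run on the telemetry its human operators see: a replay check (genuine sensor data carries noise, so a run of readings repeating bit-for-bit is suspicious) and a cross-check against an independent meter that does not pass through the controller the malware sits on.

```python
"""Plausibility checks for process telemetry shown on an operator console.

Constructed example: the data, the Frame type and the current-vs-speed model
are assumptions made for illustration, not real centrifuge parameters.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    tick: int
    reported_rpm: float     # speed as reported through the controller/HMI path
    line_current_a: float   # motor current from an independent meter (assumed)


def find_replayed_windows(frames: List[Frame], window: int = 5) -> List[Tuple[int, int]]:
    """Return (earlier_index, later_index) pairs where `window` consecutive
    reported values repeat an earlier, non-overlapping window exactly.
    Real sensors jitter, so exact repetition of several readings is a
    replay indicator rather than a coincidence."""
    first_seen: Dict[Tuple[float, ...], int] = {}
    hits: List[Tuple[int, int]] = []
    for i in range(len(frames) - window + 1):
        key = tuple(f.reported_rpm for f in frames[i:i + window])
        if key in first_seen and first_seen[key] + window <= i:
            hits.append((first_seen[key], i))
        else:
            first_seen.setdefault(key, i)
    return hits


def find_cross_sensor_mismatch(frames: List[Frame],
                               amps_per_krpm: float = 0.5,
                               tolerance: float = 0.25) -> List[int]:
    """Return ticks where the independent current reading disagrees with the
    reported speed by more than `tolerance` (fraction of expected current).
    Assumed model: current ~= amps_per_krpm * rpm / 1000 (placeholder, not a
    real motor characteristic)."""
    bad_ticks: List[int] = []
    for f in frames:
        expected = amps_per_krpm * f.reported_rpm / 1000.0
        if abs(f.line_current_a - expected) > tolerance * expected:
            bad_ticks.append(f.tick)
    return bad_ticks


# Constructed sample: five genuine readings, then the same five readings
# replayed to the console while the independent meter shows a much higher load.
NORMAL_RPM = [63001.2, 62998.7, 63003.4, 62999.9, 63002.1]


def build_sample() -> List[Frame]:
    frames: List[Frame] = []
    # ticks 0-4: genuine operation; current consistent with ~63 krpm
    for t, rpm in enumerate(NORMAL_RPM):
        frames.append(Frame(t, rpm, 31.5 + 0.01 * t))
    # ticks 5-9: reported speed is a replay; real load has risen (constructed)
    for t, rpm in enumerate(NORMAL_RPM, start=5):
        frames.append(Frame(t, rpm, 42.0 + 0.01 * t))
    return frames


if __name__ == "__main__":
    sample = build_sample()
    print("replayed windows (earlier, later):", find_replayed_windows(sample))
    print("cross-sensor mismatch at ticks:", find_cross_sensor_mismatch(sample))
```

Neither check identifies the malware itself; both only tell operators that the picture on the console cannot be trusted, which is exactly the signal that was missing. The cross-sensor check is the stronger of the two, because it depends on a measurement path the compromised controller never touches; the replay check is cheap but will produce false positives on any sensor that legitimately reports quantised or constant values.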
From a strategic perspective, Stuxnet was a smashing success for the American government. The Iranian nuclear program was set back months, possibly years, without a drop of blood being spilled.
Six months later, in January 2011, the New York Times published a long investigative piece that laid out evidence that American and Israeli intelligence agencies had worked to develop Stuxnet.
In June 2012, the Times presented more evidence that said Stuxnet was part of a bigger computer-based offensive operation called "Olympic Games."
The operation had originated in 2006 in the Bush White House, the Times said; when President Obama entered office in 2009, he ordered it accelerated.
Just before the second Times investigative piece on Stuxnet was published in June 2012, another piece of state-sponsored malware was discovered attacking computers in the Middle East.
Dubbed Skywiper, Flame or Flamer by the anti-virus companies that analyzed the code, the new malware was both very large — more than 20 megabytes in size, enormous for a piece of malware — and very complex.
Flame had more than 20 different modules that could be swapped in and out to give the core program additional capabilities, such as using an infected computer's camera and microphones to spy on occupants of a room; mapping out the entire network a machine sat on; taking screenshots; turning on Bluetooth to spy on nearby cellphones; reading email and monitoring Web traffic on infected machines; and sending everything gathered to command-and-control servers around the world.
It also seemed to have been around for quite a while. Some of the code seemed to have been created in 2007.
Most interestingly, Flame spread from one Windows machine to another by pretending to be a Microsoft Windows software update, using a forged Microsoft digital certificate.
Dutch mathematicians found that the forged Microsoft certificate was created using a previously unknown method to generate cryptographic collisions between large numbers — a mathematical feat of genius.
While there wasn't much code overlap between Flame and Stuxnet, Kaspersky researchers soon found that some code found only in early versions of Stuxnet was replicated in Flame. That indicated that even if different groups created each piece of malware, the two groups knew of each other.
Three weeks after Flame's discovery, the Washington Post published an article in which multiple anonymous sources told it that Flame was also part of the White House's Olympic Games operation.
In fact, sources told the Post, Flame was the spyware that mapped out Natanz for U.S. intelligence, enabling American coders to fine-tune Stuxnet to attack that facility.
Most tantalizing of all was a quotation from an unnamed former U.S. intelligence official, who said Flame was ancient history: "Cyber-collection against the Iranian program is way further down the road than this."
In the fall of 2011, a strange new Trojan appeared that shared a lot of code with Stuxnet, yet seemed to have an entirely different purpose.
Dubbed "Duqu" after repeated uses of the filename "DQ," it gathered "intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party," Symantec researchers wrote at the time.
Researchers at the rival McAfee security firm countered that Duqu was highly sophisticated spyware designed to steal digital certificates, the encrypted "keys" that websites and software alike use to verify their identities.
"My best guess is that the attackers are gathering information for the next attack," F-Secure chief security researcher Mikko Hypponen told TechNewsDaily at the time.
A month later, the Hungarian academic security firm CrySyS, which later discovered Flame, found that Duqu contained a Windows zero-day exploit of a vulnerability in the Windows kernel, the very heart of the operating system. That ruled out a cybercriminal origin.
In March 2012, Kaspersky Lab researchers cracked a mystery piece of code within Duqu and showed that it had been written using an old but respected programming language called Objective C, leading them to believe that Duqu was the work of "a rather professional team of developers."
Kaspersky Lab in the summer of 2012 announced another state-sponsored malware scoop: a piece of malware spying on Lebanese banks that the researchers dubbed "Gauss."
"After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories,'" the Kaspersky researchers said.
The Lebanese banking system would be a natural target for American intelligence. Iran has close ties to Lebanon, and uses Lebanese banks to move money under the radar of the international banking system now that heavy sanctions have been put in place against Iranian financial activity.
The Gauss name came from a component of the malware code, apparently named in honor of 19th-century German mathematician Carl Friedrich Gauss.
Other components seemed to have been named after Austrian mathematician Kurt Gödel and French mathematician and astronomer Joseph-Louis Lagrange.
More intriguingly, the Gödel module's purpose is still unknown. Its encrypted payload has yet to be deciphered.
Of all the pieces of malware on this list, Gauss has perhaps the most tenuous connection to American intelligence agencies. Some information-security experts argue it could be the work of cybercriminals, even though it seems to steal information rather than money.
But, Kaspersky Lab analyst Roel Schouwenberg told TechNewsDaily via Twitter, "Gauss was created on the Flame(r) platform."
"If Gauss isn't done by a nation-state," Schouwenberg said, "it'd mean [the] Flame source code [was] stolen/leaked."
In October 2012, Kaspersky Lab researchers found a small piece of malware that appeared to be a Flame module, yet had the ability to operate on its own. The researchers called it "miniFlame."
"If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high-precision, surgical attack tool," wrote a Kaspersky researcher.
As with Gauss, the largest number of infected machines was found in Lebanon. Like Flame, miniFlame hijacked computers to take screenshots, record audio and video, map networks and copy emails and instant messages — but with greater precision, looking only for certain files.
Kaspersky researchers also found that miniFlame worked well with Gauss, an indication that both were created by the same software-development team.
Best of all were the command names found in the miniFlame code, some of which belonged to popular singers: Barbara, Drake, Elvis and Tiffany.