State-Sponsored Spying May Be Teaching Cyber-Criminals New Tricks
In the past two days researchers have unmasked two sophisticated cyber-espionage tools created by nation states. And some experts now say there’s evidence criminals are adopting techniques learned from such tools.
On Wednesday, Claudio Guarnieri, a researcher at computer security company Rapid7, shared new details of the workings of FinFisher, a piece of malware sold by UK contractor Gamma Group to government agencies.
FinFisher can turn on webcams, record keystrokes, intercept Skype calls and take over a computer. Gamma Group have said that it is sold only to governments, but little was known about its use. Guarnieri reverse engineered FinFisher’s remote control system to reveal that it is used in a wide range of countries, raising fears that it may be in use by governments with less-than-perfect human rights records, and maybe by private parties, too. He found FinFisher servers at work in Australia, the Czech Republic, the United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States.
Guarnieri’s post describes it as “frankly embarrassing” that he could so easily break the command and control system used to operate FinFisher. Although what he found didn’t constitute firm evidence the tool has leaked outside government hands, his post concludes:
[O]nce any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes […] As we’ve seen countless times before, and will certainly see again, it’s impossible to keep this kind of thing under control in the long term.
On Thursday, researchers at antivirus company Kaspersky announced their own discovery:
Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines.
They found Gauss thanks to its similarity with Flame, a piece of government-backed spyware discovered in May this year and described as “the most complex malware ever found.” Flame was a kind of multi-purpose data thief, able to send all kinds of data back to its operator. Its newly described cousin Gauss is more specialized, and concerned with stealing online banking credentials. The tool is most capable at targeting Lebanese banks, but can also grab credentials for Citibank and PayPal accounts. Kaspersky estimate that Gauss has infected some 2,500 computers, mostly in Lebanon, compared to just 700 for Flame. They estimate that Gauss has been operating since September 2011, and that it became “dormant”, waiting for new orders, last month after Kaspersky found it.
Speaking to the New York Times, a security expert from RSA questions Kaspersky’s claim that a state must have created Gauss:
“State-sponsored actors do not go after bank accounts. That’s not to say they couldn’t, but it’s incongruent with traditional nation-state behavior. It’s possible the code was made available underground and repurposed or reused by cybercriminals.”
That raises a more worrying prospect for those Web users not part of the intelligence community: that sophisticated tools such as Stuxnet and Flame are teaching criminals new tricks. Kaspersky’s and other antivirus software have now been updated to detect Flame and Gauss, but modified versions could get around that. In the offline world, secret military technology usually stays secret. But things are different today. As one expert put it to me last month (see “The Antivirus Era is Over”):
“Never have so many billions of dollars of defense technology flowed into the public domain.”