A study of malware operating on corporate and government networks suggests that the communication patterns of these programs could warn of major conflicts.
Researchers at the security company FireEye monitored millions of malware messages sent over the past 18 months, and they found spikes in the traffic to and from Russia and Ukraine as tensions rose between the two countries earlier this year. A similar pattern was seen in malware traffic to Israel as it entered its recent hostilities with Hamas.
The FireEye study drew on data collected from more than 5,000 corporate and government clients around the world. FireEye’s software captures “callback” messages sent by malware inside a network—either reporting its status to its operators or picking up new commands. Those messages were used to determine the location of the computer controlling the malware.
The patterns were most likely caused by government agencies ramping up efforts to gather intelligence or attack their adversaries, says Kenneth Geers, who worked on the project. “In the run-up to the Crimea crisis, you saw a rise of malware callbacks in both Russia and Ukraine,” he said at the Black Hat computer security conference Thursday.
It’s also possible that the activity came from hackers sympathetic to but not supported by the countries involved. But many countries now routinely use computer attacks for intelligence and military purposes.
Geers said that patterns in malware communications could be used to predict when countries are preparing for conflict: “If the U.S., or Korea, or Japan was about to go to war, you would see a bump in callbacks—it’s just part and parcel of today’s national security undertakings.” Geers, who recently left FireEye to work as an independent consultant, previously worked on international computer security at the National Security Agency and NATO.
Malware operators sometimes hide their location by having callback messages hop between computers in different countries, and the FireEye study could log only the first hop. However, malware authors don’t always bother to install a system of relays, said Geers. And so, he said, with a large enough data set, accurate geographical patterns emerge.
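The aggregation the article describes (count callbacks by the country of their first-hop destination, then look for a day that stands out against a baseline) is simple enough to sketch. The block below is an added illustration written for this page, not FireEye's code or method. The callback log is constructed, the prefix-to-country table is a hypothetical stand-in for a GeoIP database using RFC 5737 documentation ranges, and the spike test is a plain z-score of the latest day against the earlier days; the limitation Geers mentions applies here too, since the destination address is only the first hop and may be a relay.

```python
"""Spike detection over malware callback destinations (added example)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Hypothetical prefix -> country table standing in for a GeoIP lookup
# (assumption: these are RFC 5737 documentation ranges, not real allocations).
GEO_PREFIXES = {
    "203.0.113.": "RU",
    "198.51.100.": "UA",
    "192.0.2.": "CA",
}


def geolocate(ip):
    """Map a callback destination to a country code.

    Only the first hop is visible to the sensor, so a relay in country X
    attributes the callback to X even if the operator sits elsewhere.
    """
    for prefix, country in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "??"


def build_sample_log():
    """Constructed callback log, one 'YYYY-MM-DD src dst' line per callback.

    Eight quiet baseline days followed by one day with a surge of callbacks
    to RU- and UA-located controllers; CA stays flat throughout.
    """
    per_day = {
        "RU": [2, 1, 3, 2, 2, 3, 1, 2, 10],
        "UA": [1, 1, 2, 1, 1, 2, 1, 1, 6],
        "CA": [3, 3, 3, 3, 3, 3, 3, 3, 3],
    }
    dst_for = {"RU": "203.0.113.7", "UA": "198.51.100.9", "CA": "192.0.2.44"}
    start = date(2014, 2, 20)
    lines = []
    for country, counts in per_day.items():
        for offset, n in enumerate(counts):
            day = start + timedelta(days=offset)
            for i in range(n):
                lines.append(f"{day.isoformat()} 10.0.{offset}.{i} {dst_for[country]}")
    return lines


def daily_counts(lines):
    """Count callbacks per country per day, filling missing days with 0.

    Returns ({country: [count_day0, count_day1, ...]}, [sorted days]).
    """
    counts = defaultdict(lambda: defaultdict(int))
    days = set()
    for line in lines:
        day_str, _src, dst = line.split()
        day = date.fromisoformat(day_str)
        days.add(day)
        counts[geolocate(dst)][day] += 1
    ordered = sorted(days)
    return {c: [counts[c].get(d, 0) for d in ordered] for c in counts}, ordered


def spike_score(series):
    """z-score of the latest day against all earlier days in the series.

    A flat baseline (zero deviation) gives inf for any increase and 0.0
    otherwise, so a constant series is never flagged.
    """
    *baseline, latest = series
    mu, sd = mean(baseline), pstdev(baseline)
    if sd == 0:
        return float("inf") if latest > mu else 0.0
    return (latest - mu) / sd


def flag_spikes(lines, threshold=3.0):
    """Return {country: z} for countries whose latest day is >= threshold."""
    series_by_country, _days = daily_counts(lines)
    return {
        c: round(spike_score(s), 2)
        for c, s in series_by_country.items()
        if spike_score(s) >= threshold
    }


if __name__ == "__main__":
    for country, z in sorted(flag_spikes(build_sample_log()).items()):
        print(f"{country}: latest day is {z} sigma above its baseline")
```

On this constructed input RU and UA are flagged and CA is not; a real deployment would use a longer baseline than eight days and a GeoIP source, and would still need to treat the country of a flagged destination as the location of the first hop rather than of the operator.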
Much of the traffic to Israel as it moved to strike against Hamas in the Gaza Strip came from malware installed on computers in Canada and the U.S. “You have an indication that maybe Israeli national security organizations are leveraging infrastructure in Canada and the U.S.,” Geers said.
Matching malware traffic to real-world events might also provide a way to uncover tools being used by nation-states. Some of the traffic coming out of Canada, for example, appeared to come from malware that had never been seen before, which FireEye is now investigating.
FireEye plans to continue the research. “We can see the digital equivalent of troops on the border,” Kevin Thompson, a threat analyst for the company, told MIT Technology Review. “But we’d like to look back at a whole year of data and try to correlate with all the world events in the same period.”
Government use of malware is becoming more common, according to Mikko Hyppönen, chief research officer at F-Secure, who studies malware made and used by nation-states. Countries of all sizes use malware because it is relatively cheap and gets results, he said during a talk at Black Hat on Wednesday. “There are parallels here to the nuclear arms race,” he said. “[But] the power of nuclear weapons was in deterrence, and we don’t have that with cyberweapons.”
And, as Geers noted, there is a conflict between governments’ enthusiasm for those new weapons and their obligation to ensure Internet security. “The worldwide malware problem is very difficult to solve, but do governments want to solve it?” he said. “Governments benefit quite a lot from protecting sovereignty and projecting power through network attacks.”