Skip to Content

Malware Traffic Spikes Preceded Russian and Israeli Conflicts

Government hackers apparently went to work as Israel and Russia ramped up military action this year.
August 8, 2014

A study of malware operating on corporate and government networks suggests that the communication patterns of these programs could warn of major conflicts.

Security briefing: Attendees watch a presentation at the Black Hat 2014 conference.

Researchers at the security company FireEye monitored millions of malware messages sent over the past 18 months, and they found spikes in the traffic to and from Russia and Ukraine as tensions rose between the two countries earlier this year. A similar pattern was seen in malware traffic to Israel as it entered its recent hostilities with Hamas.

The FireEye study drew on data collected from more than 5,000 corporate and government clients around the world. FireEye’s software captures “callback” messages sent by malware inside a network—either reporting its status to its operators or picking up new commands. Those messages were used to determine the location of the computer controlling the malware.

The patterns were most likely caused by government agencies ramping up efforts to gather intelligence or attack their adversaries, says Kenneth Geers, who worked on the project. “In the run-up to the Crimea crisis, you saw a rise of malware callbacks in both Russia and Ukraine,” he said at the Black Hat computer security conference Thursday.

It’s also possible that the activity came from hackers sympathetic to but not supported by the countries involved. But many countries now routinely use computer attacks for intelligence and military purposes.

Geers said that patterns in malware communications could be used to predict when countries are preparing for conflict: “If the U.S., or Korea, or Japan was about to go to war, you would see a bump in callbacks—it’s just part and parcel of today’s national security undertakings.” Geers, who recently left FireEye to work as an independent consultant, previously worked on international computer security at the National Security Agency and NATO.

Malware operators sometimes hide their location by having callback messages hop between computers in different countries, and the FireEye study could log only the first hop.  However, malware authors don’t always bother to install a system of relays, said Geers. And so, he said, with a large enough data set, accurate geographical patterns emerge.

Much of the traffic to Israel as it moved to strike against Hamas in the Gaza Strip came from malware installed on computers in Canada and the U.S. “You have an indication that maybe Israeli national security organizations are leveraging infrastructure in Canada and the U.S.,” Geers said.

Matching malware traffic to real-world events might also provide a way to uncover tools being used by nation-states. Some of the traffic coming out of Canada, for example, appeared to come from malware that had never been seen before, which FireEye is now investigating.

FireEye plans to continue the research. “We can see the digital equivalent of troops on the border,” Kevin Thompson, a threat analyst for the company, told MIT Technology Review. “But we’d like to look back at a whole year of data and try to correlate with all the world events in the same period.”

Government use of malware is becoming more common, according to Mikko Hyppönen, chief research officer at F-Secure, who studies malware made and used by nation-states. Countries of all sizes use malware because it is relatively cheap and gets results, he said during a talk at Black Hat on Wednesday. “There are parallels here to the nuclear arms race,” he said. “[But] the power of nuclear weapons was in deterrence, and we don’t have that with cyberweapons.”

And, as Geers noted, there is a conflict between governments’ enthusiasm for those new weapons and their obligation to ensure Internet security. “The worldwide malware problem is very difficult to solve, but do governments want to solve it?” he said. “Governments benefit quite a lot from protecting sovereignty and projecting power through network attacks.”

Keep Reading

Most Popular

Geoffrey Hinton tells us why he’s now scared of the tech he helped build

“I have suddenly switched my views on whether these things are going to be more intelligent than us.”

ChatGPT is going to change education, not destroy it

The narrative around cheating students doesn’t tell the whole story. Meet the teachers who think generative AI could actually make learning better.

Meet the people who use Notion to plan their whole lives

The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.

Learning to code isn’t enough

Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.