Malware Traffic Spikes Preceded Russian and Israeli Conflicts

Government hackers apparently went to work as Israel and Russia ramped up military action this year.
August 8, 2014

A study of malware operating on corporate and government networks suggests that the communication patterns of these programs could warn of major conflicts.

Security briefing: Attendees watch a presentation at the Black Hat 2014 conference.

Researchers at the security company FireEye monitored millions of malware messages sent over the past 18 months, and they found spikes in the traffic to and from Russia and Ukraine as tensions rose between the two countries earlier this year. A similar pattern was seen in malware traffic to Israel as it entered its recent hostilities with Hamas.

The FireEye study drew on data collected from more than 5,000 corporate and government clients around the world. FireEye’s software captures “callback” messages sent by malware inside a network—either reporting its status to its operators or picking up new commands. Those messages were used to determine the location of the computer controlling the malware.

The patterns were most likely caused by government agencies ramping up efforts to gather intelligence or attack their adversaries, says Kenneth Geers, who worked on the project. “In the run-up to the Crimea crisis, you saw a rise of malware callbacks in both Russia and Ukraine,” he said at the Black Hat computer security conference Thursday.

It’s also possible that the activity came from hackers sympathetic to but not supported by the countries involved. But many countries now routinely use computer attacks for intelligence and military purposes.

Geers said that patterns in malware communications could be used to predict when countries are preparing for conflict: “If the U.S., or Korea, or Japan was about to go to war, you would see a bump in callbacks—it’s just part and parcel of today’s national security undertakings.” Geers, who recently left FireEye to work as an independent consultant, previously worked on international computer security at the National Security Agency and NATO.

Malware operators sometimes hide their location by having callback messages hop between computers in different countries, and the FireEye study could log only the first hop. However, malware authors don’t always bother to install a system of relays, said Geers. And so, he said, with a large enough data set, accurate geographical patterns emerge.
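The analytic the study describes, as an added example rather than FireEye's own code: each callback record is attributed to the country of its first-hop command-and-control address, counts are bucketed by week, and a week is flagged when a country's volume sits well above the mean of that country's earlier weeks. The prefix-to-country table, the C2 addresses (documentation ranges) and the callback records are all constructed for the example; a real pipeline would use a GeoIP database and the sensor's own callback log.

```python
"""Weekly malware-callback volume by destination country, with spike flagging.

Added illustration of the analytic described in the article; not FireEye's
code. The C2 addresses, the prefix-to-country table and the callback records
below are constructed for the example.
"""
from collections import defaultdict
from datetime import date, timedelta
import ipaddress
import math

# Constructed stand-in for a GeoIP database: C2 prefix -> ISO country code.
GEO_TABLE = {
    "198.51.100.0/24": "RU",
    "203.0.113.0/24": "UA",
    "192.0.2.0/24": "CA",
}
_GEO = [(ipaddress.ip_network(n), cc) for n, cc in GEO_TABLE.items()]


def country_of(ip):
    """Country of the first-hop callback destination ("??" if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _GEO:
        if addr in net:
            return cc
    return "??"


def _expand(c2_ip, per_week, first_monday=date(2014, 1, 6)):
    """Constructed records: (ISO date, C2 IP), repeated per weekly count."""
    out = []
    for week, n in enumerate(per_week):
        day = first_monday + timedelta(weeks=week)
        out += [(day.isoformat(), c2_ip)] * n
    return out


# Constructed data: eight quiet weeks, then a sharp rise to the RU and UA
# hosts in week nine while the CA host stays flat.
SAMPLE_CALLBACKS = (
    _expand("198.51.100.7", [5, 6, 4, 5, 7, 5, 4, 6, 21])
    + _expand("203.0.113.9", [4, 3, 5, 4, 4, 3, 5, 4, 15])
    + _expand("192.0.2.3", [3, 3, 2, 4, 3, 3, 3, 3, 3])
)


def weekly_counts(records):
    """{country: {week_start_iso: callbacks}} keyed on the first-hop C2 IP."""
    counts = defaultdict(lambda: defaultdict(int))
    for day_iso, c2_ip in records:
        d = date.fromisoformat(day_iso)
        week_start = d - timedelta(days=d.weekday())  # Monday of that week
        counts[country_of(c2_ip)][week_start.isoformat()] += 1
    return counts


def spikes(counts, baseline_weeks=4, z_threshold=3.0):
    """Return (country, week, count, z) for weeks whose volume sits at least
    z_threshold standard deviations above the mean of all earlier weeks for
    that country. Nothing is flagged until baseline_weeks of history exist."""
    flagged = []
    for cc, by_week in counts.items():
        weeks = sorted(by_week)
        for i in range(baseline_weeks, len(weeks)):
            hist = [by_week[w] for w in weeks[:i]]
            mean = sum(hist) / len(hist)
            var = sum((x - mean) ** 2 for x in hist) / len(hist)
            # Floor the deviation at one callback so a perfectly flat
            # baseline cannot turn a one-event change into an infinite score.
            std = max(math.sqrt(var), 1.0)
            z = (by_week[weeks[i]] - mean) / std
            if z >= z_threshold:
                flagged.append((cc, weeks[i], by_week[weeks[i]], round(z, 1)))
    return flagged


if __name__ == "__main__":
    for cc, wk, n, z in spikes(weekly_counts(SAMPLE_CALLBACKS)):
        print(f"{wk}  {cc}  {n} callbacks  z={z}")
```

On the sample data only the ninth week is flagged, for RU and UA. Because only the first hop is geolocated, a callback relayed through a third country is counted against that country, which is exactly the bias the paragraph above describes; the example does not attempt to correct for it, it only shows why a large volume of records is needed before the per-country pattern means anything.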

Much of the traffic to Israel as it moved to strike against Hamas in the Gaza Strip came from malware installed on computers in Canada and the U.S. “You have an indication that maybe Israeli national security organizations are leveraging infrastructure in Canada and the U.S.,” Geers said.

Matching malware traffic to real-world events might also provide a way to uncover tools being used by nation-states. Some of the traffic coming out of Canada, for example, appeared to come from malware that had never been seen before, which FireEye is now investigating.

FireEye plans to continue the research. “We can see the digital equivalent of troops on the border,” Kevin Thompson, a threat analyst for the company, told MIT Technology Review. “But we’d like to look back at a whole year of data and try to correlate with all the world events in the same period.”

Government use of malware is becoming more common, according to Mikko Hyppönen, chief research officer at F-Secure, who studies malware made and used by nation-states. Countries of all sizes use malware because it is relatively cheap and gets results, he said during a talk at Black Hat on Wednesday. “There are parallels here to the nuclear arms race,” he said. “[But] the power of nuclear weapons was in deterrence, and we don’t have that with cyberweapons.”

And, as Geers noted, there is a conflict between governments’ enthusiasm for those new weapons and their obligation to ensure Internet security. “The worldwide malware problem is very difficult to solve, but do governments want to solve it?” he said. “Governments benefit quite a lot from protecting sovereignty and projecting power through network attacks.”
