Malware Traffic Spikes Preceded Russian and Israeli Conflicts

Government hackers apparently went to work as Israel and Russia ramped up military action this year.

Malicious software undermines the security of the Internet, putting vast quantities of personal information and money at risk.

A study of malware operating on corporate and government networks suggests that the communication patterns of these programs could warn of major conflicts.

Security briefing: Attendees watch a presentation at the Black Hat 2014 conference.

Researchers at the security company FireEye monitored millions of malware messages sent over the past 18 months, and they found spikes in the traffic to and from Russia and Ukraine as tensions rose between the two countries earlier this year. A similar pattern was seen in malware traffic to Israel as it entered its recent hostilities with Hamas.

The FireEye study drew on data collected from more than 5,000 corporate and government clients around the world. FireEye’s software captures “callback” messages sent by malware inside a network—either reporting its status to its operators or picking up new commands. Those messages were used to determine the location of the computer controlling the malware.

The patterns were most likely caused by government agencies ramping up efforts to gather intelligence or attack their adversaries, says Kenneth Geers, who worked on the project. “In the run-up to the Crimea crisis, you saw a rise of malware callbacks in both Russia and Ukraine,” he said at the Black Hat computer security conference Thursday.

It’s also possible that the activity came from hackers sympathetic to but not supported by the countries involved. But many countries now routinely use computer attacks for intelligence and military purposes.

Geers said that patterns in malware communications could be used to predict when countries are preparing for conflict: “If the U.S., or Korea, or Japan was about to go to war, you would see a bump in callbacks—it’s just part and parcel of today’s national security undertakings.” Geers, who recently left FireEye to work as an independent consultant, previously worked on international computer security at the National Security Agency and NATO.

Malware operators sometimes hide their location by having callback messages hop between computers in different countries, and the FireEye study could log only the first hop. However, malware authors don’t always bother to install a system of relays, said Geers. And so, he said, with a large enough data set, accurate geographical patterns emerge.
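The kind of analysis the study describes, reduced to its core: count where callbacks go each day and flag a country whose volume breaks from its recent baseline. This is an added illustration, not FireEye's code or data; it assumes each callback has already been reduced to a date and a first-hop destination country, and the counts are constructed.

```python
"""Flag days when malware callbacks to a country jump above baseline.

Added illustration, not FireEye's code or data. It assumes each callback
has already been reduced to (date, first-hop destination country); the
counts below are constructed, not real telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily counts of callback destinations (first hop only).
DATES = [f"2014-02-{day}" for day in range(20, 27)]
CONSTRUCTED_COUNTS = {"RU": [2, 1, 2, 1, 2, 1, 9],
                      "UA": [1, 1, 1, 1, 1, 1, 1],
                      "CA": [0, 1, 1, 0, 1, 1, 1]}
# Expand into one "date,country" record per callback, as a sensor would log.
CALLBACKS = [f"{d},{cc}" for cc, row in CONSTRUCTED_COUNTS.items()
             for d, n in zip(DATES, row) for _ in range(n)]


def daily_counts(records):
    """Map country -> [(date, count)] over every date seen, zero-filled."""
    dates = sorted({r.split(",")[0] for r in records})
    per = defaultdict(lambda: dict.fromkeys(dates, 0))
    for r in records:
        d, cc = r.split(",")
        per[cc][d] += 1
    return {cc: [(d, c[d]) for d in dates] for cc, c in per.items()}


def find_spikes(records, window=5, min_ratio=2.0, min_count=3):
    """Return (country, date, count) where a day's count is at least
    min_ratio times the mean of the preceding `window` days and more than
    two standard deviations above it. min_count suppresses low-volume
    noise (a country going from 0 to 1 callback is not a signal)."""
    spikes = []
    for cc, series in daily_counts(records).items():
        for i in range(window, len(series)):
            baseline = [c for _, c in series[i - window:i]]
            mu, sd = mean(baseline), pstdev(baseline)
            date, count = series[i]
            if count >= min_count and count >= min_ratio * mu and count > mu + 2 * sd:
                spikes.append((cc, date, count))
    return spikes


if __name__ == "__main__":
    for cc, date, count in find_spikes(CALLBACKS):
        print(f"{date}: callbacks to {cc} spiked to {count}")
```

Because only the first hop is logged, a spike attributes activity to the relay's country, not necessarily the operator's; the threshold parameters are starting points to tune against a real baseline.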

Much of the traffic to Israel as it moved to strike against Hamas in the Gaza Strip came from malware installed on computers in Canada and the U.S. “You have an indication that maybe Israeli national security organizations are leveraging infrastructure in Canada and the U.S.,” Geers said.

Matching malware traffic to real-world events might also provide a way to uncover tools being used by nation-states. Some of the traffic coming out of Canada, for example, appeared to come from malware that had never been seen before, which FireEye is now investigating.

FireEye plans to continue the research. “We can see the digital equivalent of troops on the border,” Kevin Thompson, a threat analyst for the company, told MIT Technology Review. “But we’d like to look back at a whole year of data and try to correlate with all the world events in the same period.”

Government use of malware is becoming more common, according to Mikko Hyppönen, chief research officer at F-Secure, who studies malware made and used by nation-states. Countries of all sizes use malware because it is relatively cheap and gets results, he said during a talk at Black Hat on Wednesday. “There are parallels here to the nuclear arms race,” he said. “[But] the power of nuclear weapons was in deterrence, and we don’t have that with cyberweapons.”

And, as Geers noted, there is a conflict between governments’ enthusiasm for those new weapons and their obligation to ensure Internet security. “The worldwide malware problem is very difficult to solve, but do governments want to solve it?” he said. “Governments benefit quite a lot from protecting sovereignty and projecting power through network attacks.”
