A new variant of the BlackPOS malware reportedly used to infect Home Depot cash tills is connected to a Russian group that left evidence of its strong anti-American world view buried inside the code, security blogger Brian Krebs has discovered.
Normally, this sort of revelation would be an incidental to the larger and more serious story of malware yet again hitting US retailers, but direct political statements are unusual in this class of malware. Smoke, mirrors and quirkiness, yes. Ideology, no.
But there it is, in some detail. According to Krebs, text strings inside the malware are links to articles railing against the influence of the US in Libya, The Ukraine, Syria and Egypt. One particular image shows four Molotov cocktails with the flags of these countries on them beside an unlit match and decorated with the US flag.
Krebs connects this forensically to a Russian nicknamed ‘Rescator’ known to run a forum used to sell card data stolen from other US retailers, including Target, which was famously hit by a previous version of the same BlackPOS malware. He might or might not be the individual pictured here.
On one site, Rescator also published “frankly chilling anti-American propaganda,” which Krebs had translated.
“We were deprived of a common homeland, but not deprived of unity, have found our borders, and are even closer to each other. We saw the obvious principles of capitalism, where man to a man is a wolf,” it rants in the style of modish Russian nationalism.
“Together, we can do a lot to bring back all the things that we have been deprived of because of America! We will be heard!”
Beyond an individual using ideology to morally justify crimes (a standard tactic for many types of criminal), this is fascinating stuff. Rescator and his ilk aren’t motivated simply by profit but by a hacktivism that equates opposition to the US with attacking people who happen to live there.
It is also logical to assume that whoever created the new variant of BlackPOS was connected to the older version used against Target, which puts the extraordinary assault on numerous retailers into a new light. This doesn't mean Rescator built BlackPOS but is probably connected to the person or persons that did - the first BlackPOS version was pinned on a named Russian teen earlier this year.
The increasingly political nature of some Russian malware – including the probability that it is more than tolerated by the authorities there – is a story that has been around for some time. Now the evidence is growing beyond mere speculation. If this is correct, the US retail sector is now on the receiving end of a devolved form of proxy cyberwarfare. It's another uneeded twist.