It’s hard to believe that cyberwarfare and cyberweapons were once a theoretical discussion for security insiders and nobody else. As recently as 2009 it was assumed that the only people who wrote programs for nefarious purposes were criminals, and that criminals were interested in making money rather than stealing the secrets of other countries.
That assumption reflected the priorities of security firms focused on threats to consumers, small businesses and, to a lesser extent, enterprises. Governments could look after themselves, everyone assumed. Then, during 2010 and 2011, the scale of Chinese APT hacking was revealed by a raft of mostly small, new US security firms out to make a name for themselves by exposing what had really been going on.
By now US Presidents were expected to have an opinion on nation-state malware, which, it was realised, stretched back to systems first built as far back as 2001.
Today, the understanding of these tools has expanded greatly while even more sinister ones have come to light with destructive rather than surveillance payloads. Everyone takes it for granted that most countries have such software. Larger security firms, especially Kaspersky Lab and Symantec, invest heavily in detecting these programs because it projects their expertise at spotting complex threats.
Will this information war and sleight of hand ever turn nastier? There are some indications that it might, by which point we will all come face to face with the true potency of these programs.
*Dates denote year of discovery, not operation.
Operation Aurora (2010)
This is where the current age of cyberweapons started, at least as far as their public disclosure is concerned. Aurora was a shock: apparently Chinese hackers had been systematically attacking a large number of US organisations, including Google, which went public with its concerns. Hitherto, malware attacks were seen as something that happened to little people; Aurora suggested otherwise. It was not a complex attack but it was a brazen one, and US Secretary of State Hillary Clinton issued a public rebuke to China, the first time one nation had publicly blamed another for such an attack. Blamed on: China
Stuxnet (2010)
Still the most famous cyberweapon in history because it was the first to be thoroughly documented, Stuxnet was a shock to the security industry when discovered in 2010. Immediately, researchers knew this was different. It targeted industrial SCADA systems, made use of four different zero days and its design included odd elements such as the wormlike ability to spread on USB drives. Then people noticed that most infections appeared to be in Iran, and the rest is history. Nobody thought the US did this stuff, or would be caught doing it at least. Blamed on: The US and Israel.
Flame (2012)
Publicised by several security firms, Flame (aka Skywiper) was confirmation that Stuxnet was no fluke. Again, Flame appeared to be targeting Iran and Middle-Eastern countries and consisted of multiple modules with specialised functions, clearly the work of a well-resourced state. As well as being huge by malware standards, Flame was not simply sophisticated but downright sneaky, right down to its spoofing of a Microsoft certificate and its rootkit functions. Blamed on: the US, Israel.
Red October (2012)
Part of what looked like a long-running campaign targeting Russian Federation states and Eastern Europe, Red October underlined that state-backed malware might not all be about what the US was up to. Not as extensive as Flame, Red October had still been hard at work carrying out surveillance on diplomats and scientists. Again highly targeted, Red October was first reported by security firm Kaspersky Lab, which some assumed meant that it couldn’t have been made by the Russians. Blamed on: Russia, Israel.
Shamoon (2012)
Thus far, the cyberweapons that researchers knew about were shady programs that kept a low profile. This was not the case with Shamoon (also known as ‘Disttrack’), which was used to conduct an incredibly destructive attack on the Saudi oil industry in August 2012, damaging a reported 30,000 PCs belonging to Saudi oil firm Aramco. A group calling itself the ‘Cutting Sword of Justice’ claimed responsibility. This was probably the first publicised solely destructive cyberweapon. Blamed on: Iran
Turla (2014)
Also known as ‘Uroburos’ or ‘Snake’, Turla was another long-running campaign that nobody had noticed until they started to look more carefully. All of the targets for this surveillance tool appeared to be in the West. Turla appeared to be a platform made up of multiple fairly sophisticated components and included enough unusual techniques to mark it out as the work of a well-resourced state. It caused controversy after Russian security outfit Kaspersky Lab revealed what it knew months after Britain’s BAE Systems and Germany’s G Data went public. Blamed on: Russia
Darkhotel (2014)
This one was a bit different. Darkhotel appeared to be able to ‘follow’ named company executives as they moved from hotel to hotel around the globe, hence its name. It used keylogging and zero days to steal data from executives in various countries, but with a special interest in those from Japan, Taiwan, China, Russia, Korea and Hong Kong. It was later connected to a major criminal attack on banks called Carbanak, so it is not certain to be the work of a nation state, but it seemed to have gone undetected since as far back as 2006, which raised suspicions. Blamed on: China, everyone
Regin (2014)
Unusual in that it appeared to date back to the early 2000s, Regin was apparently a potent cyber-platform that had been known about to some extent as far back as 2011, although it was not made public in any detail until three years later. Regin is seen as highly complex, with multiple modules, and highly targeted in its MO. The fact that it has been connected to an attack on Belgacom, previously disclosed by Snowden documents as having been carried out by Britain’s GCHQ, meant it was blamed on you know who. Regin is still a significant insight into the current world of cybertools because it appears to have been built to subvert and spy on Britain and the US’s allies in Europe as much as their enemies. Blamed on: the UK, US
Equation Group (2014)
The most recent discovery and in some ways the biggest of them all, Equation Group underlines how the understanding of cybertools has expanded beyond individual bits and pieces to seeing them as entire platforms that are here to stay. Nobody is surprised by this kind of sophistication anymore. Equation Group had several interesting abilities, including the apparent ability to infect the firmware of hard drives using a mechanism that is not well understood. If nation states can beat all current security and hide on hard drive chips, what hope is there? Blamed on: the US
Sony Pictures attack (2014)
Nobody knows whether this counts as a state cyber-attack, but the US Government has publicly blamed North Korea, so it deserves to be in the running. If it was North Korea, and circumstantial evidence suggests it might have been, it will go down in history as the first time a nation state has turned its fire exclusively on one company with the aim not of spying on it but of causing it massive commercial damage. Ostensibly connected to a controversial movie mocking North Korea’s leader Kim Jong-un, some took it as more of a warning to the US as a whole: we can damage you commercially. Blamed on: North Korea, everybody