Information Warfare: The Kaspersky Capers


October 22, 2012: Russia is more involved in the growing use of Cyber War than most realize. Moreover, the Russians appear to know more than most realize. For example, earlier this year American and Israeli officials finally confirmed that the industrial grade Cyber War weapons (Stuxnet, Duqu, and Flame) used against Iran in the last few years were indeed joint U.S.-Israel operations. No other details were released, although many more rumors are now circulating. The U.S. and Israel were long suspected of being responsible for these "weapons grade" computer worms. Both nations had the motive to use, means to build, and opportunity to unleash these powerful Cyber War weapons against Iran and others that support terrorism.

It was several Internet security companies that first detected Stuxnet and led the effort to dissect these intricate bits of software. One of the primary firms involved was a Russian one: Kaspersky Labs. While Kaspersky has long done excellent work producing commercial Internet security software, it also has close ties with the Russian government. Thus the Kaspersky work in dissecting Stuxnet/Duqu/Flame/etc provides the Russian government with a head start in turning this technology into something that could serve Russia, either with better Internet defenses or Cyber War weapons, or just insights into what the next generation of these weapons would be like. Kaspersky is rushing to develop commercial software that will better protect from these Cyber Weapons. The Russian government has no comment on this.

As Internet security companies dissected Stuxnet, Duqu, and Flame they found a seemingly endless supply of surprises. One of the more surprising finds was evidence that these programs, and several that are as yet undiscovered (there is simply evidence that "there are others"), have been in action for six years or more. These high-end cyber weapons were designed to keep their activities hidden, and they did that for several years. But some of these cyber weapons had errors that allowed them to spread farther than intended. That brought the cyber weapons to the attention of cyber security professionals, who began the arduous process of taking stuff like Stuxnet, Duqu, and Flame apart. This has left many Internet security experts wondering what other similar programs have been developed and turned loose since what they know about was put into action.

Flame (discovered this year) was designed to stay hidden and collect information from the computers it got into. It apparently did both, for up to six years (or more) in Iran, Lebanon, the Palestinian West Bank, and, to a lesser extent, other Moslem countries in the region. Like the earlier Stuxnet (2009) and Duqu (2011), Flame has all the signs of being designed and created by professional programmers and software engineers. Most malware (hacker software) is created by talented amateurs who often display a lack of discipline and organization. Professional programmers create more capable and reliable software. That describes Stuxnet, Duqu, and Flame. The U.S. and Israel spent big bucks to craft these Cyber War weapons and get them to their targets. Both nations have access to the best programming talent on the planet and already have organizations that can recruit and supervise highly secret software development.

It appeared that Stuxnet and Duqu were but two of five or more Cyber War weapons developed (up to five years ago) from the same platform. Flame was apparently not related to Stuxnet and Duqu and also appears to have several other variants that have not yet been seen. The basic Flame platform appears to have been built to accept numerous additional software modules, giving each variant different capabilities. Some of the modules made use of specific computer features, like a microphone, wireless communication, or the camera. Flame appears to be a very different design from Stuxnet and Duqu but also spreads via a USB memory stick or the Internet.

Flame hides its presence very well and has a very effective self-destruct feature that erases all evidence of its presence. In the six years Flame has been around it has gotten into thousands of PCs and collected large quantities of data. In contrast, Duqu was being used to probe industrial computer systems and send information back about how these systems are built and operate. When Duqu was first discovered the server it was sending its data to was eventually found in India and disabled. Duqu appeared to shut down last December. No one knows if this is because Duqu had finished its work or was feeling cramped by all the attention. Flame is apparently still operating.

Weapons like Stuxnet and Duqu are nothing new, for nearly a decade Cyber War and criminal hackers have planted programs ("malware") in computer networks belonging to corporations or government agencies. These programs (called "Trojan horses" or "zombies") are under the control of the people who plant them and can later be used to steal, modify, destroy data, or shut down the computer systems the zombies are on. You infect new PCs and turn them into zombies by using freshly discovered and exploitable defects in software that runs on the Internet. These flaws enable a hacker to get into other people's networks. Called "Zero Day Exploits" (ZDEs), in the right hands these flaws can enable criminals to pull off a large online heist or simply maintain secret control over someone's computer. Flame was apparently using high-quality (and very expensive) ZDEs and possibly receiving new ones as well.

Despite all the secrecy, this stuff is very real and the pros are impressed by Stuxnet, Duqu, and Flame, even if the rest of us have not got much of a clue. The demonstrated capabilities of these Cyber War weapons usher in a new age in Internet based warfare. Amateur hour is over and the big dogs are in play. Actually, the Cyber War offensive by the U.S. and Israel appears to have been underway for nearly a decade, using their stealth to remain hidden. There are probably more than three of these stealthy Cyber War applications in use and most of us will never hear about it until, and if, other such programs are discovered and their presence made public.




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close