Every week brings news of another intrusion somewhere on the Internet, and some unsuspecting institution is revealed to have been penetrated. Lately most have involved large commercial companies that had personal data stolen, like the recent breach of health insurance provider Anthem.
Three operations disclosed last week took hacking to a new level. Each is breathtaking in scope and immensely sophisticated, and each had apparently been running for quite a while before it was discovered. Any one of them by itself would merit alarm and concern from all thoughtful users, but taken together they signal scary times ahead for the Internet.
One was an attack on the banking industry. Uncovered by Moscow-based Kaspersky Lab, it is said to be the biggest and most sophisticated bank heist ever: over $1 billion was taken from more than 100 banks in 30 countries, scattered from Russia to the US, Germany, China, and Ukraine. The means of theft varied, from inflating account balances and transferring the fabricated difference to reprogramming ATMs to dispense cash on command. An ATM in Kiev that started spitting out cash with nobody standing at it, before the gang's mule arrived to collect, is reportedly what first brought the operation to investigators' attention.
The hackers got in through spear-phishing e-mails sent to bank employees; opening the malicious attachment installed the gang's backdoor. Once inside, they spent months watching how the banks' staff worked, even recording employees' screens to learn internal procedures, and then mimicked those procedures so their fraudulent transactions would pass as routine.
As of this writing, neither the affected banks nor the criminals have been identified. The attack has been named "Carbanak" after its backdoor malware. Though the perpetrators are likely Russian-speaking, Kaspersky says there isn't enough information yet to attribute it for sure. But one of the other two operations definitely came about courtesy of the US NSA and its British counterpart, GCHQ, and the other bears all their hallmarks.
The first of these was also revealed by Kaspersky, this time at its security conference in Mexico. Kaspersky's initial analysis is available as a PDF.
It involves a suite of sophisticated tools related both to the Stuxnet worm and to the highly sophisticated Regin spying platform. Dubbed the "Equation Group" for its heavy use of advanced encryption schemes and algorithms, the group may have been active since 2001, and its toolset has evolved over that time, each version more elaborate than the last. Infection methods are clever, too: at least one victim was infected by a doctored CD-ROM of proceedings from a scientific conference.
The Equation Group's infections are extremely persistent. In fact, the group can reprogram hard drives' firmware so that the drive reinfects the machine even after a full wipe, a feat requiring detailed, vendor-specific knowledge of each manufacturer's firmware. In this way, the Equation Group can secretly siphon data for years, surviving reformatting and reinstallation of the operating system. The only sure way to get rid of it is to physically destroy the drive, and even that may not be enough if other machines on the network are already infected.
Five hundred infections have been found in at least 42 countries, mainly in the Middle East and South Asia. But the Equation Group is extremely selective in its victims. Chief targets appear to be high-tech companies and government and military institutions in Russia, Iran, and Pakistan, but they also include banks and Islamic activists and scholars. The true extent is unknown, and the operation has been going on for at least 14 years.
Though some of what is known about the Equation Group derives from Edward Snowden's leaks of NSA secrets, the final operation was found in a GCHQ document from the same trove. The target was Gemalto, the world's largest manufacturer of SIM cards for mobile phones and also of chips for next-generation bank cards. The spooks stole the encryption keys programmed into the SIMs, which allows them to decrypt intercepted mobile communications passively, without involving carriers such as Verizon, T-Mobile, Sprint and AT&T, or, for that matter, any government authorities or courts.
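To make concrete why possession of a SIM's key removes the carrier from the picture, here is an added toy model of GSM-style SIM authentication; it is not code from the original article or from any of the parties named. The SIM's secret Ki is shared only between the card and the operator; the network sends a random challenge RAND in the clear, both sides derive a response SRES and a session cipher key Kc from Ki and RAND, and traffic is then encrypted under Kc. The real A3/A8 and A5 algorithms are operator- and network-specific (COMP128 variants, Milenage, A5/1), so the code below substitutes HMAC-SHA256 and a SHA-256 keystream; those substitutions, the sample Ki and RAND, and all function names are assumptions made for the example. An eavesdropper who holds Ki and has recorded the RAND off the air can recompute Kc and read the traffic without ever asking the operator for anything.

```python
"""Toy model of SIM (Ki) based authentication and why a stolen Ki enables passive decryption.
Added example, not the article's own code. Hash functions stand in for the real A3/A8/A5.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values. A real Ki is a 128-bit secret burned into the SIM at the
# factory (the manufacturer's role) with a copy held by the operator; RAND is chosen
# freshly by the network for each authentication and is transmitted unencrypted.
EXAMPLE_KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
EXAMPLE_RAND = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the operator's A3/A8 (assumption: HMAC-SHA256, not COMP128/Milenage).
    Returns (SRES, Kc): a 32-bit authentication response and a 64-bit cipher key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def a5_keystream(kc: bytes, frame: int, length: int) -> bytes:
    """Stand-in for the A5 stream cipher (assumption: SHA-256 in counter mode keyed by Kc)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(kc + frame.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sim_respond(ki_on_sim: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Handset side: the SIM answers the challenge. SRES goes back over the air; Kc stays local."""
    return a3_a8(ki_on_sim, rand)


def network_verify(ki_at_operator: bytes, rand: bytes, sres_from_sim: bytes) -> Optional[bytes]:
    """Operator side: check SRES against the operator's copy of Ki. Returns Kc on success, else None."""
    sres_expected, kc = a3_a8(ki_at_operator, rand)
    if not hmac.compare_digest(sres_expected, sres_from_sim):
        return None
    return kc


def over_the_air(ki: bytes, rand: bytes, plaintext: bytes, frame: int = 0) -> Tuple[bytes, bytes]:
    """Run one authenticate-then-talk exchange (both sides share the same Ki) and return
    what a passive listener captures: the cleartext RAND and one encrypted frame."""
    sres, kc_sim = sim_respond(ki, rand)
    kc_net = network_verify(ki, rand, sres)
    assert kc_net == kc_sim, "both sides derive the same Kc from Ki and RAND"
    ciphertext = xor_bytes(plaintext, a5_keystream(kc_net, frame, len(plaintext)))
    return rand, ciphertext


def passive_decrypt(stolen_ki: bytes, captured_rand: bytes, ciphertext: bytes, frame: int = 0) -> bytes:
    """Eavesdropper holding the SIM's Ki re-derives Kc from the captured RAND and decrypts.
    No contact with the operator, and no active attack on the handset, is needed."""
    _, kc = a3_a8(stolen_ki, captured_rand)
    return xor_bytes(ciphertext, a5_keystream(kc, frame, len(ciphertext)))


def demo(message: bytes = b"meet at the usual place at 9") -> Tuple[bytes, bytes]:
    """Returns (what the key holder recovers, what someone with the wrong Ki recovers)."""
    rand, ciphertext = over_the_air(EXAMPLE_KI, EXAMPLE_RAND, message)
    with_stolen_key = passive_decrypt(EXAMPLE_KI, rand, ciphertext)
    without_key = passive_decrypt(bytes(16), rand, ciphertext)
    return with_stolen_key, without_key


if __name__ == "__main__":
    good, bad = demo()
    print("holder of Ki recovers:", good)
    print("without Ki recovers:  ", bad)
```

The thing to notice is where the trust sits: nothing in the exchange is secret except Ki, so RAND and SRES can be broadcast in the clear and the carrier's infrastructure adds no protection once Ki is known. Rotating the operator's algorithm or the network's keys does not help either; the only real remedy for a compromised Ki is to reissue the SIM cards.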
Needless to say, the Dutch company was taken aback, and has promised a full investigation. But the most disturbing thing about all this is not what is known but what is not known. After all, the NSA and GCHQ are not operating in a vacuum: China, Russia, Israel, Iran, North Korea, and who knows who else are all doing the same things, quite possibly with the same level of sophistication.
With intelligence agencies and international criminals all operating above the law, it is only a matter of time before this cyber Cold War in the shadows turns hot. Stuxnet showed that cyberweapons can destroy physical equipment, and the Carbanak gang, with the access it had, could plausibly have disrupted the financial systems of entire countries had it so desired.
In such an environment, it hardly matters that the NSA may be responsible for opening Pandora's box. The box is now wide open and cannot be closed. It will take all their cunning to keep the rest of us from getting bitten.