Cyber weapons are perfect weapons - they are invisible and, unlike the nuclear arms race, countries can keep them under wraps as there is no visible sign of research and development, according to Mikko Hypponen, chief research officer at security firm F-Secure.
“Governments are very interested in them because they are effective, deniable and relatively cheap,” he told delegates at the Infosecurity Europe 2016 conference in London.
“In the nuclear arms race it was all about deterrents. It was clear which nations had a nuclear capability and which countries you should not mess with, but in the cyber arms race, that is no longer clear,” he said.
There is a lot of “fog” surrounding cyber weapons and cyber war, said Hypponen, because there is no way of knowing the true capability of any country.
“The leaders are undoubtedly the US, followed by Israel, Russia and China, but after that the fog just gets thicker – there really is no way of knowing the cyber offensive capability of countries like Brazil, Vietnam and Australia,” he said.
Another factor contributing to the “fog” is the fact that acts of cyber war are not always as clear cut as the Russia-based cyber attacks that cut the power supply to around 200,000 people in Ukraine in December 2015.
While that is clearly an act of cyber war, said Hypponen, a recent series of heists and attempted heists at four banks is not so clear cut, although there are indications that it could very well be one.
Links to Sony hack
The world is changing, he said, evidenced by the fact that a link has been discovered between the recent cyber attacks on banks and the attack on Sony Pictures in November 2014.
According to Hypponen, communication malware used in the cyber attacks on the banks used a distinctive encryption key that has been seen only once before - in malware used in the attack on Sony Pictures.
Although careful not to pin the attacks on the banks on North Korea, he noted that the US, having hacked into North Korea’s computer networks, linked the attack on Sony Pictures to that country.
Hypponen also noted that in the case of the Bangladesh central bank, the attackers tried to transfer nearly $1bn into accounts controlled by them.
“I am not saying North Korea hacked into the banks’ systems, but considering the total annual budget of the country is only $4bn, it is possible the attacks were aimed at fixing the country’s budget deficit,” he said.
Therefore, it is possible that the attacks on the banks are the first instance of a nation state attack that was aimed at stealing money rather than sabotage or espionage, he said.
Ransomware is not new
Hypponen also reflected on the evolution of malware, noting that some supposedly new attacks, like ransomware, are actually fairly old. As curator of the malware museum recently established by the international Internet Archive, he revealed that the first instance of ransomware dates as far back as 1989.
The AIDS Information Trojan claimed to be a legitimate piece of software for assessing an individual’s likelihood of being infected with HIV. However, if anyone installed the software but failed to pay the licence fee, the software was designed to overwrite the host machine’s Master Boot Record, encrypt all the file indices and demand a ransom of $189 payable to a PO Box in Panama.
The functionality of this malware is almost exactly the same as the Petya ransomware discovered 27 years later in May 2016, he said, and the only real difference is that the ransom is payable in bitcoins.
“Ransomware is the top problem in malware at present and is being driven by competition between different ransomware gangs, of which there are around 110, each with their own family of ransomware,” said Hypponen.
“These gangs are run like a business. They are all looking for the best return on investment and compete to make their ransomware as effective as possible by offering localised versions, for example.”
The gangs also protect their reputation by ensuring they are able to offer support to enable victims to pay, and to ensure they can restore encrypted data to encourage future victims to pay.
“But this competition is also driving cyber criminals to look for new markets, so we are now seeing the emergence of things like the first ransomware for Macs because there is less competition,” said Hypponen.
“KeRanger is the only Mac ransomware, but is also fairly unusual in that it is designed to look for and encrypt file backups to ensure that there is no way to recover by simply restoring backup files, which is commonly termed a ‘dick move’,” he said.
Another example of “old” malware becoming “new” again is macro malware that virtually disappeared after the introduction of Office 97, which disabled macros by default in Microsoft Office applications.
However, macro malware has reappeared, said Hypponen, and is being spread by tricking victims into clicking the “enable content” button.
“These attacks are very effective because they send victims emails from known and trusted contacts with attached documents that require the recipients to click the ‘enable content’ button to view them, but if you take nothing else from Infosec 2016, please remember to never click that button,” he said.
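The defensive counterpart to “never click that button” is to notice macro-bearing attachments before they reach a user. The following is an added illustration, not code from the article, from Hypponen or from F-Secure: it inspects an attachment’s container rather than trusting its file extension, because a macro-enabled Office Open XML document is a zip archive that carries its compiled VBA in a `vbaProject.bin` part, while legacy binary Office files start with the Compound File Binary magic bytes and need a deeper parser. The sample documents are constructed in memory (assumption: they mimic only the container layout of real files and hold no real macro code), and the verdict strings are this example’s own naming.

```python
import io
import zipfile

# Compound File Binary (OLE2) header: legacy .doc/.xls/.ppt containers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions that legitimately advertise embedded macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Office Open XML container in memory (sample data,
    not a real document). Macro-enabled files carry word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML zip container holds a VBA project part anywhere."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage verdict based on content, with the extension used only to flag
    a mismatch (e.g. macros hidden behind a harmless-looking .docx name)."""
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # may embed macros; hand to an OLE-aware parser
    if data[:2] == b"PK":
        if has_vba_project(data):
            if ext in MACRO_EXTENSIONS:
                return "macro-enabled"
            return "macro-enabled-mismatched-extension"
        return "no-macro"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample attachments for an offline run.
    samples = [
        ("invoice.docm", build_ooxml(True)),
        ("invoice.docx", build_ooxml(True)),
        ("report.docx", build_ooxml(False)),
        ("old.doc", OLE_MAGIC + b"\x00" * 8),
        ("notes.txt", b"plain text"),
    ]
    for name, blob in samples:
        print(f"{name}: {classify_attachment(name, blob)}")
```

A gateway or endpoint rule would quarantine or strip anything classified as macro-enabled or mismatched and route legacy OLE files to a fuller parser; the point of checking the container rather than the name is that an attacker controls the filename but not the part the macro must live in.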