4 years ago by efnx
So this was deployed in 2014 and we're just connecting all the dots now? It really makes you wonder what's being deployed at the moment.
The fact that they can determine all this from some binary is amazing. Security researchers really are techno-archaeologists.
4 years ago by mc32
I recall how when we had North Korean hacking activities and official attributions people would say, but how do we know it was them and how do we know the government isn't making things up?
But when someone accuses the US we never add any salt. Not that I don't think it's false, it's just that the lack of consistent skepticism is interesting.
4 years ago by willcipriano
If I had to wager I'd always bet on the CIA lying, I don't see how anyone could come to another conclusion given their history.
4 years ago by scoofy
>If I had to wager I'd always bet on national security agency of any powerful country lying, I don't see how anyone could come to another conclusion given their history.
Let's not pretend the FSB and MSS don't also lie constantly. That you're more familiar with the CIA lying is a testament to the free press of the US, not the other way around.
The point of the previous post is that it could easily be another security agency.
4 years ago by godelski
Sure, but isn't that true for any intelligence organization? CIA, NSA, FSB, MI5, Mossad, BND, etc?
4 years ago by Koshkin
I've come to a conclusion that, from the evolutionary standpoint, lying (and stealing) is one of the most important forms of intelligent behavior. We see it in the animal world, so this unavoidably should be seen as such in the world of humans...
4 years ago by specialist
> If I had to wager I'd always bet on the CIA lying...
If an idea is reasonably feasible, I just assume someone, somewhere is already doing it.
The practical benefit is lowering my cognitive overhead, transaction costs.
Instead of guarding against every possible attack vector, I take basic precautionary measures, and then decide if any action is worth the risk, knowing full well it'll likely go terribly wrong.
So I always wear a mask, use a password wallet, drive just under the speed limit. Etc. It's habit, routine. Then when I step outside my personal safety bubble, it's an affirmative choice.
4 years ago by wait_a_minute
Because the entire goal is to promote skepticism about the USA while remaining as mum as possible on Russia and China. In the case of Russia, it's not a secret that they try to disrupt and divide the states via internal conflicts so they can take over if we decline because of it. Here is just one example:
https://www.wsj.com/articles/russian-backed-facebook-account...
We also know that hundreds of thousands of foreign-sponsored accounts on Twitter, Reddit, Facebook, etc, have been banned over the years. (Please fact check by googling!)
4 years ago by freeflight
> Here is just one example:
Here's an example that in major parts contributed to a civil war going on to this day: The existence of a US military operation that manipulates social media through sock-puppet accounts [0] was revealed around the same time Syrians were riled up to regime change through... social media [1].
Said social media presence kept announcing "Days of Rage" protests in Syria which initially no Syrian even showed up to.
These operations predate anything noteworthy Russia did on the same front, as most of that only started in the wake of the Ukraine revolution, which also saw plenty of blatant US interference [2]. Back then Russia was diplomatically very vocal about how unprecedented the foreign interference in Ukraine was.
What followed was St. Petersburg troll farms heavily targeting the US.
> We also know that hundreds of thousands of foreign-sponsored accounts on Twitter, Reddit, Facebook, etc, have been banned over the years. (Please fact check by googling!)
How many domestic sponsored accounts have been banned? Zero, which means that on US based social media these kinds of outfits are fighting with a heavy home game advantage [3], yet in most of these places that never comes up, it's always "Look out for the Russian/Chinese propagandist!", just like you are doing here. Which usually ends up targeting skeptical people not wholeheartedly endorsing the "Good vs Evil" narrative and not any actual propagandists.
[0] http://www.theguardian.com/technology/2011/mar/17/us-spy-ope...
[1] https://www.france24.com/en/20110203-syria-democracy-protest...
[2] https://www.theguardian.com/world/2013/dec/15/john-mccain-uk...
[3] https://www.reddit.com/r/Blackout2015/comments/4ylml3/reddit...
4 years ago by Lammy
Meanwhile all you people stoking nationalist fervor keep the global population of generally-well-meaning humans divided and hating each other instead of uniting into a whole that demands a better life for everyone. Please stop.
4 years ago by ClumsyPilot
Eh, we are at a point where every self respecting political party has thousands of fake Twitter accounts.
4 years ago by modo_mario
Russia has been pretty damn effective at this. (I took note of this when moderating r/europe on Reddit when things started churning in Ukraine)
China on the other hand not so much. I might go through the effort of finding them again but someone here shared some American studies that showed China initially didn't really have such a presence of bots and the like on Twitter, FB, etc like Russia at that point (I think around 2016 or 2017) but there were notable networks of bots targeting Chinese people with anti-China stuff.
A second study showed that I think 3 years later China had also gotten into this but that it was comparatively small scale and notably incompetent.
4 years ago by boomboomsubban
> But when someone accuses the US we never add any salt. Not that I don't think it's false, it's just that the lack of consistent skepticism is interesting.
This thread also isn't full of calls for sanctions against the US or talk of overthrowing the government.
I don't actually doubt many of the reports claiming North Korea or whoever were behind some attack, I know they are likely engaging in such activities. I just don't think the evidence is convincing enough to use as a casus belli or similar reason to take our own malicious actions. I would take a similar stance with this CIA malware, but nobody here is calling for punishment based on it.
4 years ago by cyberlurker
Yea, I cautiously share this viewpoint. I don't want a cyber "Remember the Maine! To hell with Spain!" event.
4 years ago by tsimionescu
There's a difference between Microsoft or Google or Symantec coming out and saying 'this was NK malware' and the CIA or NSA or FBI saying 'this was NK malware' - people would be more inclined to believe the former rather than the latter, even though we would still have to imagine that it's possible they are saying this because of CIA/FBI/NSA influence.
Likewise, Kaspersky is more believable than if the FSB came out with this story, even if we must be cautious that it could be an FSB story.
4 years ago by dilyevsky
I'd say it's likely they were instructed to sit on it until the time is right
4 years ago by pfundstein
What's more likely:
* CIA malware is discovered by a (Russian) Security company and they release a report about it.
* CIA malware discovered a year or more ago by a (Russian) security company and they tell the CIA about it and the CIA asks them to wait 1y+ to release the report, and they obliged.
4 years ago by hoppyhoppy2
I think they're suggesting that a Russian security service (FSB?) might have asked Kaspersky to sit on it until the time was right. I don't think they were referring to the CIA, since yeah, that wouldn't make much sense.
4 years ago by sturza
Did you take Occam's razor into account? Why is this likely?
4 years ago by smolder
Occam's razor hardly ever applies to stuff like this (news in the intelligence space) because deception is the whole game. A tendency to believe simpler explanations is something they exploit.
I think Occam's razor is often misapplied in this way. It's for explaining natural phenomena, not for surmising the intent of an intelligent entity with an incentive to deceive.
4 years ago by dilyevsky
The timing is very sus given recent and ongoing spy mania in eastern Europe (if you've been following)
4 years ago by Dolores12
Now compare it to how fast US intelligence analysts are. They may conclude who is behind an attack in a matter of days. (For example, the recent SolarWinds attack)
4 years ago by nzmsv
Conclusion prefetching is awesome, isn't it?
4 years ago by auiya
Correct, different campaign signatures can make attribution happen quickly, or slowly. Just depends what data the analyst has to work with.
4 years ago by craig131
Using inductive reasoning, they're probably still deploying first-stage malware en masse that activates under certain network conditions. Truly scary stuff.
4 years ago by squarefoot
We're lucky that we can still catch some of them now. The current status of closed CPUs running proprietary firmware talking with closed chipsets running proprietary firmware blobs would make it trivially easy for government-funded agencies to move the malware injection to the iron level. Once they accomplish it, detecting their spyware using software, at any privilege level, will become impossible. I fear the scenario in which magic packets with a signature that turns off detection in network hardware (proprietary firmware) and interfaces (again, proprietary firmware) can directly instruct a system (proprietary firmware) unbeknownst to the user; it seems impossible today, however all it takes is having enough closed software and firmware so that a covert channel can be created from the CPU to the external world. Governments have enough funds and motivation to tell most network iron manufacturers to produce hardware according to some additional specifications.
4 years ago by kossTKR
Why is this impossible today?
Isn't this exactly what Intel's "Management Engine" and AMD's "Platform Security" are?
Bonus question, do Apple's new MX chips have an equivalent backdoor?
4 years ago by tg180
The equivalent of ME and PS in Apple's ARM processors is the "Secure Enclave Processor".
4 years ago by tolbish
4 years ago by not_really
Curious, about your last question, seems like no one knows.
4 years ago by 2OEH8eoCRo0
It's not impossible but it's complicated and the more complicated it is, the harder it is to keep secret. It's easier to just amass exploits for use when needed.
4 years ago by DyslexicAtheist
Right, that's why there is no need for all the elaborate schemes proposed by the shameful Bloomberg "Big Hack" conspiracy. Doing so would be a) stupid and b) cost a bomb.
For plausible deniability and to be able to reuse the same attack vector over and over, it's cheaper to just intercept shipments and install/modify what they need:
https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...
Impossible to reproduce unless you have the exact same equipment.
4 years ago by qlk1123
If this is the case, then you only need to set a packet monitor between the computer and the ISP router to observe such magic packet.
Or will you claim that all machines that are capable of such tasks are already compromised?
4 years ago by squarefoot
Sorry for being a bit late with the reply, however just suppose that enough resources are used to "convince" hardware manufacturers to add a small code change to their firmware such as "if a packet contains this exact magic word, don't count it and pass it on along with the payload, and possibly send a copy to this other address, again without counting it" where "counting" means also not signaling it is going through the hardware: no management interface would see it, and LEDs on network hardware panels wouldn't even blink. In other words, to actually see that packet one would have to be on the other side.
Admittedly it's absurdly complicated to do that at a global level, but let's say someone in the right place manages to do that, the next level would be doing the same at iron level on computers, so that each subsystem can talk with others and the external world without administration tools noticing, because it's all done through a covert channel set up by closed software. That would be the perfect weapon to build pervasive surveillance that no security software at any privilege level, not even debuggers, would detect.
The only way to find out that something fishy is going on would be to sniff inter-chip communications locally and set digital analyzers on network cables with appropriate software. Network analyzers could fail if they use the same network chipsets, as would a normal packet monitor.
4 years ago by f430
Not convinced. Since it's the CIA, I trust that they are doing it for a good cause.
4 years ago by trampi
you forgot /s
4 years ago by f430
not needed. if this was FSB or PSB then...
4 years ago by fouric
Two weeks ago, the NSA accused the Russian SVR (intelligence agency) of exploiting vulnerabilities in US networks and suggested that they were behind the SolarWinds compromise[1].
Now, Kaspersky (which is suspected to be affiliated with Russian intelligence - possibly unwillingly) claims to have found CIA malware (effectively "burning" it, if it's real).
The timing does not seem to be a coincidence. Tit-for-tat?
[1] https://www.nsa.gov/News-Features/Feature-Stories/Article-Vi...
4 years ago by whimsicalism
> which is suspected to be affiliated with Russian intelligence - possibly unwillingly
I have yet to see actually compelling evidence that this is the case.
4 years ago by enkid
4 years ago by whimsicalism
The Bloomberg articles are definitely the closest I've seen coming to substantive evidence, that is for sure.
I do, however, think that there is a big difference between being "affiliated with Russian intelligence" and providing an anti-DDoS service to the FSB, which is what this article is discussing, and really all it gives evidence for. Kaspersky also provided services to the US intelligence services; I don't think it would be described as "affiliated with American intelligence."
4 years ago by vatican_banker
There are several examples. This is one: https://www.theguardian.com/technology/2017/oct/26/kaspersky...
4 years ago by whimsicalism
This is not compelling evidence - the contractor had the "upload suspicious files" flag on and it uploaded flagged malware - this is consistent with pretty much every AV I've ever heard of and not evidence of a "Russian plot."
4 years ago by ruskimir
Lol, after your CIA comment I thought you would try to hide your Russki loyalty. You go all in.
4 years ago by yeetman21
Your account is literally a CIA-simping one; how's Langley this time of year? Make up any new lies about WMD yet?
4 years ago by stunt
But CIA developing malware isn't news to anyone. How is this a tit-for-tat then?
4 years ago by marcosdumay
Well, at least for once the general public wins. Let's hope they fight more this exact way, and less on every other way.
4 years ago by fallingknife
The tit-for-tat goes the other way:
1. expose malware the CIA doesn't want exposed
2. get accused by the CIA of being in bed with the Russians
"working for the Russians" is the go to baseless political smear these days
4 years ago by sophacles
I would like to point out that a Russian security company almost certainly has ties with the Russian government. Particularly a very large, well respected one. It would be like accusing Oracle or Amazon of having ties with the US government.
4 years ago by fallingknife
Interesting. But if you had cited "my ass" as a source it would be more reliable, because the NSA is probably better at lying.
4 years ago by ARandomerDude
The parent commenter was sourcing "the NSA accused..." with the accusation, not making a claim as to whether the accusation was true.
4 years ago by cyberlab
> the malware samples appear to have been compiled seven years ago, in 2014
So it was possible then to analyze the metadata of the files and determine when the malware was made/compiled? That seems like bad OPSEC. If I was CIA I would be rigorous in modifying and faking when certain files were last modified or created, and possibly stripping other damaging metadata (if it's incriminating enough). This is basic metadata hygiene employed by journalists, whistleblowers, etc.
4 years ago by londons_explore
Don't overestimate government coders' skills...
Often it's a massive team with people of very varied programming skills. The core exploit might be some super high tech, hand coded in assembly rootkit, but then the remote control stuff might end up being some badly written PowerShell script or multi-megabyte .NET, Java or Python binary pulling in every library under the sun.
4 years ago by Godel_unicode
There's a fantastic example of this from fall of 2019. China was using an iPhone 0day which was extremely complicated to do internal surveillance, and the C2 for it was happening over HTTP.
4 years ago by distribot
What is a C2?
4 years ago by joe_the_user
It seems like this is simply the approach of any coder who's just trying to get X done without worrying about maintaining stuff. Academic code is often "crap" and it's written by smart people but smart people only concerned about getting the algorithm implemented.
Which is to say, no one has yet come up with an approach that combines "fast to write, fast to run, and easy to maintain".
4 years ago by hugh-avherald
Maybe it's less suspicious to have benign metadata than no metadata.
4 years ago by cyberlab
Yeah, which is why I suggest faking metadata rather than simply stripping it. There are anti-forensic tools for doing that.
4 years ago by surye
Honest question, how do we know that this wasn't faked? What makes the 2014 date more problematic, and what would it be faked to be?
4 years ago by asimpletune
I think it was based more on when the samples were found
4 years ago by cyberlab
Yet the samples retain their original creation date?
4 years ago by techrat
The year was given. Suppose it was found as early as 2014 on a device that had since been retired. That's one way to ballpark its creation year.
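Two questions in this subthread, cyberlab's about how a compile date is read out of a binary and surye's about whether it could be faked, can be made concrete. The following is an added example, not code from Kaspersky's report or from anyone in the thread: it reads the COFF TimeDateStamp from a PE image and ranks it against the date the sample was first observed. The tiny PE header it builds is constructed for the demonstration.

```python
"""Read and sanity-check the compile timestamp of a PE (Windows) binary.

Constructed example for this discussion; not code from Kaspersky's report.
"""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"


def pe_compile_timestamp(data: bytes) -> int:
    """Return the raw COFF TimeDateStamp (seconds since the Unix epoch).

    PE/COFF layout: the DOS header starts with 'MZ'; the dword at offset
    0x3C (e_lfanew) points at 'PE\\0\\0', which is followed by the COFF file
    header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("bad PE signature")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def stamp_to_iso(stamp: int) -> str:
    """Render a TimeDateStamp as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()


def assess_timestamp(stamp: int, first_seen: str) -> str:
    """Classify a compile stamp against the YYYY-MM-DD the sample was first seen.

    The stamp is written by the linker and is trivially editable, so it is
    evidence rather than proof: 0 means it was stripped; a stamp later than
    the first observation is impossible, so it was forged or the build clock
    was wrong; anything earlier is only consistent with the timeline and
    should be corroborated (dates in the Rich header and in any signing
    certificate, and telemetry of when the file was first seen).
    """
    if stamp == 0:
        return "stripped"
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    seen = datetime.fromisoformat(first_seen).replace(tzinfo=timezone.utc)
    if compiled > seen:
        return "forged_or_clock_error"
    return "plausible"


def build_minimal_pe(stamp: int) -> bytes:
    """Construct a minimal (non-runnable) PE header image carrying `stamp`."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # Machine=x64, 1 section, stamp, no symbols, no optional header, no flags
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0)
    return dos + PE_SIGNATURE + coff


if __name__ == "__main__":
    sample = build_minimal_pe(1402833600)  # constructed: 2014-06-15T12:00:00Z
    ts = pe_compile_timestamp(sample)
    print(stamp_to_iso(ts), assess_timestamp(ts, "2021-04-01"))
```

On a real sample the same function reads the stamp straight from the file bytes; the point of the classifier is that "2014" is only as strong as whatever else corroborates it.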
4 years ago by phendrenad2
Is there a link to any actual posts or blog by Kaspersky on the matter? This seems to be missing from their official communications...
4 years ago by hoppyhoppy2
The link is included in the article ("Kaspersky's full description is below, from its quarterly APT report released today.")
The linked article's url is https://securelist.com/apt-trends-report-q1-2021/101967/ , which is from a site called "SECURELIST by Kaspersky".
4 years ago by nvr219
That link says nothing about the CIA
4 years ago by brummm
I always wonder. The CIA/NSA must essentially target the big Amazon, Google and Microsoft clouds to get blanket access to everything running and stored there. Seems like a no brainer from their standpoint.
4 years ago by oefrha
I'd say the likelihood of an American Big Tech without CIA covert operatives working there is essentially zero, even if there's no direct cooperation. It doesn't make sense to not utilize some of your most valuable assets.
4 years ago by xtracto
Back in the 70s to 90s the CIA had presidents of Mexico as operatives (see LITEMPO). So, I wouldn't be surprised that nowadays some high level people at Google, Microsoft, etc are CIA assets.
4 years ago by mhh__
Similarly, the KGB (as later exposed by VENONA) had their fingers in extremely sensitive pies during the early cold war period.
4 years ago by hulahoof
I find stuff like this very interesting and hadn't heard of LITEMPO before, thanks!
4 years ago by Pompidou
From another point of view, we can see American Big Tech and the CIA (and some other agencies) as the two faces of the same coin: American leadership, as the USA is raising its power from economic and cultural supremacy over other countries. I may have a blurry foreigner's (French) view on your country, but I really see this intrication as real and substantial as it was in the USSR. In a much more robust way, of course, making your country so powerful.
4 years ago by cyberlab
Yes. Although with Google and other tech giants, they have good security, but really bad privacy. So there is little chance of your Google searches being leaked onto some shady darkweb forum, but a better chance it is being leaked to NSA etc. Also haven't you heard about NSLs[0] & Prism[1]?
[0] https://en.wikipedia.org/wiki/National_security_letter
[1] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
4 years ago by joe_the_user
It should be noted that they can also assign agents to work at these firms or recruit existing employees, so they have a broad palette to deal with. And a given person working for the secret agencies might not have to do more than turn a blind eye to something once in a while.
However, these large firms have enterprise-wide security and too many people would notice the vacuuming of data for this to be done by single agents. So that would require secret court order and secret laws, as we know existed a few years ago.
So no doubt you have some level of secret agency access but exactly how much is difficult to say. Remember these are companies operating globally and it's in their interests to not be seen as a mere extension of US intelligence and foreign policy, but at the same time these agencies can be very persuasive, etc. etc.
4 years ago by sascha_sl
Or they just ask, which is essentially how prism already worked for user data.
4 years ago by boston_clone
Didn't some PRISM documents show that Google's internal use of TLS 1.2 was blocking a more widespread collection of data?
I'll see if I can find the slide that articulated the issue.
4 years ago by caeril
That was part of it.
The other part was "Do what we tell you, or you'll be Joe Nacchioed"
In a 2013 interview, Marissa Mayer made it abundantly clear this is why Yahoo "voluntarily" joined PRISM. One can assume the rest were similarly influenced.
4 years ago by hu3
They just ask: https://www.bbc.com/news/technology-51207744
4 years ago by reedjosh
Yeah, I highly doubt there's any targeting there. The big tech Co.s are practically fronts for the US Gov.
4 years ago by noir_lord
> Yeah, I highly doubt there's any targeting there. The big tech Co.s are practically fronts for the US Gov.
https://en.wikipedia.org/wiki/War_Is_a_Racket (1935).
History doesn't repeat but it does rhyme.
It seems to be the natural state that centres of power co-operate with each other lest they lose their power.
Churches with Kings, Corporations with Government.
4 years ago by jmann99999
I may have missed it in the article, but as a sysadmin, I'm trying to figure out what I should do. It appears the CIA has created malware. I assume, if they have exploited some hole, others will too.
While I appreciate the heads up, can anyone offer suggestions on how to mitigate this malware? What do I do? Do I have to rely on Kaspersky?
4 years ago by barkingcat
Almost all government created malware uses 0days that they've kept back or held back from public disclosure, so there's nothing really you can do (aside from waiting for disclosure). That's the point of a CIA hack isn't it?
If there's something you can do, then they've failed at their job, and it's time for hiring the next batch of developers (yes these are developers with a paid day job - to make malware for the CIA).
In university, most computer science or computer engineering students had to make a choice whether to work for the country's security agencies and/or the military industries (via internships, being recruited, or just plain applying to government/pentagon/fbi/cia/nsa/csis jobs, etc), and that's their choice to make.
From the government's point of view, it's no different than recruiting soldiers for the Army/Navy/Marines. If they couldn't train you to their standards for basic fitness and basic shooting skills, they've failed and you'd probably wash out from infantry school.
The other thing you could do is to contribute to initiatives that do specific research into looking for vulnerabilities. It's no guarantee that you'll find the same vulnerabilities that the CIA is exploiting though, or you might find entirely other ones that they've been using for other exploits.
4 years ago by chelmzy
The only thing you can truly do is look for anomalies in network traffic, processes, files, etc. This malware is not immune to that unless it has features specifically to hide from monitoring tools.
Even then there will almost always be evidence if you log network traffic. But obviously this is very difficult.
4 years ago by MauranKilom
> Even then there will almost always be evidence if you log network traffic.
You'd need to know what to look for though. It was shown that the CIA can hide its communication in metadata of legitimate traffic which is then recovered at intermediate hops to the target. So, do you know precisely what an innocent DNS packet looks like to detect this anomaly?
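As an added example for the question just above (not code from the thread or from any vendor), here is a baseline checker for what an ordinary DNS query looks like on the wire: header flags that must be zero, section counts that make no sense in a query, random-looking labels, and bytes that follow the question for no reason. The thresholds and sample packets are constructed for illustration.

```python
"""Baseline checks for what an ordinary DNS query looks like on the wire.

Constructed example for this discussion, not a detection product; the
thresholds are illustrative and would need tuning against real traffic.
"""
import math
import struct
from collections import Counter


def parse_qname(pkt: bytes, off: int):
    """Decode the uncompressed QNAME at `off`; return (labels, next_offset)."""
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        off += 1
        if n == 0:
            return labels, off
        if n & 0xC0:  # top bits mark a compression pointer, never valid in a question
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, words score low."""
    total = len(s)
    return -sum(c / total * math.log2(c / total) for c in Counter(s).values())


def check_dns_query(pkt: bytes) -> list:
    """Return anomaly tags for a UDP DNS query; [] means it looks ordinary."""
    findings = []
    if len(pkt) < 12:
        return ["truncated_header"]
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if flags & 0x8000:                 # QR bit must be 0 in a query
        findings.append("qr_bit_set_on_query")
    if (flags >> 11) & 0xF:            # opcode 0 = standard query
        findings.append("nonstandard_opcode")
    if flags & 0x0040:                 # reserved Z bit must be zero (RFC 1035)
        findings.append("reserved_z_bit_set")
    if qd != 1:
        findings.append("qdcount_not_one")
    if an or ns:                       # answers do not belong in a query
        findings.append("answer_or_authority_records_in_query")
    if ar > 1:                         # a single OPT (EDNS) record is normal
        findings.append("multiple_additional_records")
    try:
        labels, off = parse_qname(pkt, 12)
    except ValueError as exc:
        findings.append(f"malformed_qname:{exc}")
        return findings
    if sum(len(l) + 1 for l in labels) > 253:
        findings.append("qname_too_long")
    if len(labels) > 8:
        findings.append("excess_labels")
    if any(len(l) >= 20 and shannon_entropy(l) > 3.5 for l in labels):
        findings.append("high_entropy_label")
    off += 4                           # skip QTYPE + QCLASS
    if off > len(pkt):
        findings.append("truncated_question")
    elif ar == 0 and off < len(pkt):   # nothing should follow the question
        findings.append("trailing_bytes")
    return findings


def build_query(name: str, qtype: int = 1, flags: int = 0x0100, extra: bytes = b"") -> bytes:
    """Construct a sample query (ID 0x1234, RD set); `extra` appends raw bytes."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + extra


if __name__ == "__main__":
    for pkt in (build_query("www.example.com"),
                build_query("www.example.com", flags=0x0140),
                build_query("q7w3e9r1t5y2u8i4o6pa.example.com"),
                build_query("www.example.com", extra=b"\0" * 8)):
        print(check_dns_query(pkt))
```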
4 years ago by FpUser
If you want to be protected from US-made malware you do not go to a US antimalware vendor. If you want to be protected against Russian malware you do not get antimalware from Russia.
So pick your poison.
4 years ago by ronsor
Solution: Install US and Russian antiviruses simultaneously.
4 years ago by FpUser
Won't it lead to an instant annihilation?
4 years ago by staticassertion
While I have no information to share on this specific malware, here is the NSA's TAO Chief on what makes their jobs harder:
4 years ago by wil421
> Kaspersky said that while it has not seen any of these samples in the wild, they believe Purple Lambert samples "were likely deployed in 2014 and possibly as late as 2015."
You don't do anything because you are not the target. It's never been seen in the wild.
4 years ago by athrowaway3z
Any concrete info on the 'magic packet'?
4 years ago by j3th9n
You probably have to think of something like port knocking: https://en.wikipedia.org/wiki/Port_knocking
4 years ago by reedjosh
Yes, I would love to know what they were triggering on.