Hacker News

6 hours ago by efnx

So this was deployed in 2014 and we’re just connecting all the dots now? It really makes you wonder what’s being deployed at the moment.

The fact that they can determine all this from some binary is amazing. Security researchers really are techno-archaeologists.

6 hours ago by mc32

I recall how when we had North Korean hacking activities and official attributions people would say, but how do we know it was them and how do we know the government isn’t making things up?

But when someone accuses the US we never add any salt. Not that I don’t think it’s false, it’s just that the lack of consistent skepticism is interesting.

5 hours ago by willcipriano

If I had to wager I'd always bet on the CIA lying, I don't see how anyone could come to another conclusion given their history.

5 hours ago by scoofy

>If I had to wager I'd always bet on national security agency of any powerful country lying, I don't see how anyone could come to another conclusion given their history.

Let's not pretend the FSB and MSS don't also lie constantly. That you're more familiar with the CIA lying is a testament to the free press of the US, not the other way around.

The point of the previous post is that it could easily be another security agency.

4 hours ago by godelski

Sure, but isn't that true for any intelligence organization? CIA, NSA, FSB, MI5, Mossad, BND, etc?

5 hours ago by Koshkin

I've come to the conclusion that, from an evolutionary standpoint, lying (and stealing) is one of the most important forms of intelligent behavior. We see it in the animal world, so this unavoidably should be seen as such in the world of humans...

5 hours ago by chiefalchemist

Intelligence is as much about focusing and finding as it is about distraction and deception.

There's absolutely no morals or ethics at the means level. That's not a judgement. The fact is, the driver is the ends. Meet the objective by (nearly) any means necessary.

The CIA, NSA, etc. will - and have - say pretty much anything. That's their job. But why people liken them to some holy higher power is beyond me. Maybe it's a result of the IC's own disinformation? Ironic but fitting.

5 hours ago by wait_a_minute

Because the entire goal is to promote skepticism about the USA while remaining as mum as possible on Russia and China. In the case of Russia, it’s not a secret that they try to disrupt and divide the states via internal conflicts so they can take over if we decline because of it. Here is just one example:

https://www.wsj.com/articles/russian-backed-facebook-account...

We also know that hundreds of thousands of foreign-sponsored accounts on Twitter, Reddit, Facebook, etc, have been banned over the years. (Please fact check by googling!)

18 minutes ago by freeflight

> Here is just one example:

Here's an example that in major part contributed to a civil war going on to this day: the existence of a US military operation that manipulates social media through sock-puppet accounts [0] was revealed around the same time Syrians were riled up to regime change through... social media [1].

Said social media presence kept announcing "Days of Rage" protests in Syria which initially no Syrian even showed up to.

These operations predate anything noteworthy Russia did on the same front, as most of that only started in the wake of the Ukraine revolution, which also saw plenty of blatant US interference [2]. Back then Russia was diplomatically very vocal about how unprecedented the foreign interference in Ukraine was.

What followed was St. Petersburg troll farms heavily targeting the US.

> We also know that hundreds of thousands of foreign-sponsored accounts on Twitter, Reddit, Facebook, etc, have been banned over the years. (Please fact check by googling!)

How many domestically sponsored accounts have been banned? Zero, which means that on US-based social media these kinds of outfits are fighting with a heavy home game advantage [3], yet in most of these places that never comes up; it's always "Look out for the Russian/Chinese propagandist!", just like you are doing here. Which usually ends up targeting skeptical people not wholeheartedly endorsing the "Good vs Evil" narrative, and not any actual propagandists.

[0] http://www.theguardian.com/technology/2011/mar/17/us-spy-ope...

[1] https://www.france24.com/en/20110203-syria-democracy-protest...

[2] https://www.theguardian.com/world/2013/dec/15/john-mccain-uk...

[3] https://www.reddit.com/r/Blackout2015/comments/4ylml3/reddit...

an hour ago by Lammy

Meanwhile all you people stoking nationalist fervor keep the global population of generally-well-meaning humans divided and hating each other instead of uniting into a whole that demands a better life for everyone. Please stop.

3 hours ago by ClumsyPilot

Eh, we are at a point where every self-respecting political party has thousands of fake Twitter accounts.

4 hours ago by tsimionescu

There's a difference between Microsoft or Google or Symantec coming out and saying 'this was NK malware' and the CIA or NSA or FBI saying 'this was NK malware' - people would be more inclined to believe the former rather than the latter, even though we would still have to imagine that it's possible they are saying this because of CIA/FBI/NSA influence.

Likewise, Kaspersky is more believable than if the FSB came out with this story, even if we must be cautious that it could be an FSB story.

5 hours ago by boomboomsubban

>But when someone accuses the US we never add any salt. Not that I don’t think it’s false, it’s just that the lack of consistent skepticism is interesting.

This thread also isn't full of calls for sanctions against the US or talk of overthrowing the government.

I don't actually doubt many of the reports claiming North Korea or whoever were behind some attack, I know they are likely engaging in such activities. I just don't think the evidence is convincing enough to use as a casus belli or similar reason to take our own malicious actions. I would take a similar stance with this CIA malware, but nobody here is calling for punishment based on it.

4 hours ago by cyberlurker

Yea, I cautiously share this viewpoint. I don’t want a cyber "Remember the Maine! To hell with Spain!" event.

https://en.m.wikipedia.org/wiki/USS_Maine_(1889)

2 hours ago by dilyevsky

I’d say it’s likely they were instructed to sit on it until the time is right

2 hours ago by sturza

Did you take Occam's razor into account? Why is this likely?

an hour ago by dilyevsky

The timing is very sus given recent and ongoing spy mania in eastern europe (if you’ve been following)

an hour ago by craig131

Using inductive reasoning, they're probably still deploying first-stage malware en masse that activates under certain network conditions. Truly scary stuff.

5 hours ago by Dolores12

Now compare it to how fast US intelligence analysts are. They may conclude who is behind an attack in a matter of days. (For example, the recent SolarWinds attack.)

3 hours ago by auiya

Correct, different campaign signatures can make attribution happen quickly, or slowly. Just depends what data the analyst has to work with.

5 hours ago by nzmsv

Conclusion prefetching is awesome, isn't it?

2 hours ago by fouric

Two weeks ago, the NSA accused the Russian SVR (intelligence agency) of exploiting vulnerabilities in US networks and suggested that they were behind the SolarWinds compromise[1].

Now, Kaspersky (which is suspected to be affiliated with Russian intelligence - possibly unwillingly) claims to have found CIA malware (effectively "burning" it, if it's real).

The timing does not seem to be a coincidence. Tit-for-tat?

[1] https://www.nsa.gov/News-Features/Feature-Stories/Article-Vi...

2 hours ago by stunt

But CIA developing malware isn't news to anyone. How is this a tit-for-tat then?

29 minutes ago by marcosdumay

Well, at least for once the general public wins. Let's hope they fight more this exact way, and less on every other way.

an hour ago by fallingknife

The tit-for-tat goes the other way:

1. expose malware the CIA doesn't want exposed

2. get accused by the CIA of being in bed with the Russians

"working for the Russians" is the go to baseless political smear these days

an hour ago by sophacles

I would like to point out that a Russian security company almost certainly has ties with the Russian government. Particularly a very large, well-respected one. It would be like accusing Oracle or Amazon of having ties with the US government.

2 hours ago by fallingknife

Interesting. But if you had cited "my ass" as a source it would be more reliable, because the NSA is probably better at lying.

an hour ago by ARandomerDude

The parent commenter was sourcing "the NSA accused..." with the accusation, not making a claim as to whether the accusation was true.

2 hours ago by squarefoot

We're lucky that we can still catch some of them now. The current status of closed CPUs running proprietary firmware talking with closed chipsets running proprietary firmware blobs would make it trivially easy for government-funded agencies to move the malware injection to the iron level. Once they accomplish it, detecting their spyware using software, at any privilege level, will become impossible. I fear the scenario in which magic packets with a signature that turns off detection in network hardware (proprietary firmware) and interfaces (again, proprietary firmware) can directly instruct a system (proprietary firmware) unbeknownst to the user; it seems impossible today, however all it takes is having enough closed software and firmware so that a covert channel can be created from the CPU to the external world. Governments have enough funds and motivation to tell most network iron manufacturers to produce hardware according to some additional specifications.

an hour ago by 2OEH8eoCRo0

It's not impossible, but it's complicated, and the more complicated it is, the harder it is to keep secret. It's easier to just amass exploits for use when needed.

2 hours ago by f430

Not convinced. Since it's the CIA, I trust that they are doing it for a good cause.

2 hours ago by trampi

you forgot /s

40 minutes ago by f430

Not needed. If this was the FSB or PSB then...

5 hours ago by cyberlab

> the malware samples appear to have been compiled seven years ago, in 2014

So it was possible, then, to analyze the metadata of the files and determine when the malware was made/compiled? That seems like bad OPSEC. If I were the CIA, I would be rigorous in modifying and faking when certain files were last modified or created, and possibly stripping other damaging metadata (if it's incriminating enough). This is basic metadata hygiene employed by journalists, whistleblowers, etc.

4 hours ago by londons_explore

Don't overestimate government coders skills...

Often it's a massive team with people of very varied programming skills. The core exploit might be some super high-tech, hand-coded-in-assembly rootkit, but then the remote control stuff might end up being some badly written PowerShell script or a multi-megabyte .NET, Java or Python binary pulling in every library under the sun.

2 hours ago by Godel_unicode

There's a fantastic example of this from the fall of 2019. China was using an iPhone 0day, which was extremely complicated, to do internal surveillance, and the C2 for it was happening over HTTP.

an hour ago by distribot

What is a C2?

an hour ago by joe_the_user

It seems like this is simply the approach of any coder who's just trying to get X done without worrying about maintaining stuff. Academic code is often "crap" and it's written by smart people but smart people only concerned about getting the algorithm implemented.

Which is to say, no one has yet come up with an approach that combines "fast to write, fast to run, and easy to maintain".

5 hours ago by hugh-avherald

Maybe it's less suspicious to have benign metadata than no metadata.

4 hours ago by cyberlab

Yeah, which is why I suggest faking metadata rather than simply stripping it. There are anti-forensic tools for doing that.

5 hours ago by asimpletune

I think it was based more on when the samples were found

5 hours ago by cyberlab

Yet the samples retain their original creation date?
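The question raised above (cyberlab asking how a compile date is read from a binary, hugh-avherald and cyberlab on faking it rather than stripping it) comes down to one header field on Windows binaries: the COFF `TimeDateStamp` in the PE header, which is what analysts usually mean by "compile time". The script below is an added example, not code from the article or from Kaspersky's report, and it makes no claim about how Kaspersky dated Purple Lambert. It builds a constructed, minimal PE image in memory (DOS header, `PE\0\0` signature and COFF header only; not a real binary), reads the field, rewrites it the way a timestomping tool would, and applies the plausibility check an analyst runs before trusting the value. The sample value 1400000000 and the `first_seen` epoch are assumptions chosen for the demo.

```python
import struct
from datetime import datetime, timezone

# Added example: reads/rewrites the COFF TimeDateStamp of a PE file.
# The sample PE is constructed in memory so this runs offline; it is not a real binary.

# Offset of TimeDateStamp from the PE signature:
# 'PE\0\0' (4) + Machine (2) + NumberOfSections (2)
TIMESTAMP_OFFSET_FROM_SIG = 4 + 2 + 2


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE: 64-byte DOS header, then 'PE\\0\\0' + 20-byte COFF header."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE signature lives at offset 64
    coff = struct.pack("<HHIIIHH",
                       0x014C,      # Machine: IMAGE_FILE_MACHINE_I386
                       1,           # NumberOfSections
                       timestamp,   # TimeDateStamp: seconds since 1970-01-01 UTC
                       0, 0,        # PointerToSymbolTable, NumberOfSymbols
                       0,           # SizeOfOptionalHeader (none in this stub)
                       0x0102)      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(dos) + b"PE\0\0" + coff


def pe_header_offset(data: bytes) -> int:
    """Locate the 'PE\\0\\0' signature via e_lfanew in the DOS header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def read_compile_timestamp(data: bytes) -> int:
    pe = pe_header_offset(data)
    (ts,) = struct.unpack_from("<I", data, pe + TIMESTAMP_OFFSET_FROM_SIG)
    return ts


def set_compile_timestamp(data: bytes, timestamp: int) -> bytes:
    """Timestomp the header: the 'fake it, don't strip it' step discussed above."""
    pe = pe_header_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe + TIMESTAMP_OFFSET_FROM_SIG, timestamp)
    return bytes(buf)


def timestamp_to_iso(timestamp: int) -> str:
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def assess_timestamp(timestamp: int, first_seen: int) -> str:
    """Sanity check before trusting the field.

    first_seen: epoch of the earliest known sighting of the sample (an assumption here)."""
    if timestamp == 0:
        return "stripped"      # zeroed: some linkers do this, so does deliberate cleaning
    if timestamp > first_seen:
        return "implausible"   # claims to be built after it was first observed: forged or clock skew
    return "plausible"         # consistent with sightings; still attacker-controlled data


if __name__ == "__main__":
    sample = build_sample_pe(1400000000)          # 2014-05-13T16:53:20Z
    ts = read_compile_timestamp(sample)
    print("TimeDateStamp:", ts, timestamp_to_iso(ts), assess_timestamp(ts, 1620000000))
    forged = set_compile_timestamp(sample, 1600000000)
    print("after timestomping:", timestamp_to_iso(read_compile_timestamp(forged)))
```

Two caveats a practitioner would add. The field is attacker-controlled, so analysts corroborate it against other artifacts in the same file (the export directory and debug directory carry their own timestamps, the Rich header encodes toolchain versions) and against external sightings; a single rewritten header rarely keeps all of those consistent, which is why hugh-avherald's point about benign-looking metadata being better than none cuts both ways. And some toolchains write something other than a time here: Visual Studio's reproducible builds (`/Brepro`) store a content hash in `TimeDateStamp`, so a nonsensical value on its own is not evidence of tampering.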

4 hours ago by phendrenad2

Is there a link to any actual posts or blog by Kaspersky on the matter? This seems to be missing from their official communications...

an hour ago by hoppyhoppy2

The link is included in the article ("Kaspersky’s full description is below, from its <link>quarterly APT report</link> released today.")

The linked article's url is https://securelist.com/apt-trends-report-q1-2021/101967/ , which is from a site called "SECURELIST by Kaspersky".

5 hours ago by brummm

I always wonder. The CIA/NSA must essentially target the big Amazon, Google and Microsoft clouds to get blanket access to everything running and stored there. Seems like a no-brainer from their standpoint.

5 hours ago by oefrha

I’d say the likelihood of an American Big Tech without CIA covert operatives working there is essentially zero, even if there’s no direct cooperation. It doesn’t make sense to not utilize some of your most valuable assets.

4 hours ago by xtracto

Back in the 70s to 90s the CIA had presidents of Mexico as operatives (see LITEMPO). So, I wouldn't be surprised that nowadays some high level people at Google, Microsoft, etc are CIA assets.

4 hours ago by mhh__

Similarly, the KGB (as later exposed by VENONA) had their fingers in extremely sensitive pies during the early cold war period.

2 hours ago by Pompidou

From another point of view, we can see American Big Tech and the CIA (and some other agencies) as two faces of the same coin: American leadership, as the USA is building its power on economic and cultural supremacy over other countries. I may have a blurry foreigner's (French) view of your country, but I really see this entanglement as being as real and substantial as it was in the USSR. In a much more robust way, of course, making your country so powerful.

44 minutes ago by joe_the_user

It should be noted that they can also assign agents to work at these firms or recruit existing employees, so they have a broad palette to deal with. And a given person working for the secret agencies might not have to do more than turn a blind eye to something once in a while.

However, these large firms have enterprise-wide security, and too many people would notice the vacuuming of data for this to be done by single agents. So that would require secret court orders and secret laws, as we know existed a few years ago.

So no doubt you have some level of secret agency access, but exactly how much is difficult to say. Remember these are companies operating globally and it's in their interests to not be seen as a mere extension of US intelligence and foreign policy, but at the same time these agencies can be very persuasive, etc. etc.

4 hours ago by cyberlab

Yes. Although with Google and other tech giants, they have good security but really bad privacy. So there is little chance of your Google searches being leaked onto some shady darkweb forum, but a better chance of them being leaked to the NSA etc. Also, haven't you heard about NSLs[0] & PRISM[1]?

[0] https://en.wikipedia.org/wiki/National_security_letter

[1] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)

5 hours ago by sascha_sl

Or they just ask, which is essentially how PRISM already worked for user data.

5 hours ago by boston_clone

Didn't some PRISM documents show that Google's internal use of TLS 1.2 was blocking a more widespread collection of data?

I'll see if I can find the slide that articulated the issue.

2 minutes ago by caeril

That was part of it.

The other part was "Do what we tell you, or you'll be Joe Nacchioed"

In a 2013 interview, Marissa Mayer made it abundantly clear this is why Yahoo "voluntarily" joined PRISM. One can assume the rest were similarly influenced.

an hour ago by hu3

5 hours ago by reedjosh

Yeah, I highly doubt there's any targeting there. The big tech companies are practically fronts for the US government.

4 hours ago by noir_lord

> Yeah, I highly doubt there's any targeting there. The big tech companies are practically fronts for the US government.

https://en.wikipedia.org/wiki/War_Is_a_Racket (1935).

History doesn't repeat but it does rhyme.

It seems to be the natural state that centres of power co-operate with each other lest they lose their power.

Churches with Kings, Corporations with Government.

22 minutes ago by hilyen

We need to end all secret gov agencies. They are out of control & happily stomping out liberties without discretion.

21 minutes ago by INTPenis

Sure, as soon as we end all jealousy and suspicion in the human race. Glhf

6 hours ago by jmann99999

I may have missed it in the article, but as a sysadmin, I'm trying to figure out what I should do. It appears the CIA has created malware. I assume, if they have exploited some hole, others will too.

While I appreciate the heads up, can anyone offer suggestions on how to mitigate this malware? What do I do? Do I have to rely on Kaspersky?

5 hours ago by barkingcat

Almost all government created malware uses 0days that they've kept back or held back from public disclosure, so there's nothing really you can do (aside from waiting for disclosure). That's the point of a CIA hack isn't it?

If there's something you can do, then they've failed at their job, and it's time for hiring the next batch of developers (yes these are developers with a paid day job - to make malware for the CIA).

In university, most computer science or computer engineering students had to make a choice whether to work for the country's security agencies and/or the military industries (via internships, being recruited, or just plain applying to government/pentagon/fbi/cia/nsa/csis jobs, etc), and that's their choice to make.

From the government's point of view, it's no different than recruiting soldiers for the Army/Navy/Marines. If they couldn't train you to their standards for basic fitness and basic shooting skills, they've failed and you'd probably wash out from infantry school.

The other thing you could do is to contribute to initiatives that do specific research into looking for vulnerabilities. It's no guarantee that you'll find the same vulnerabilities that the CIA is exploiting though, or you might find entirely other ones that they've been using for other exploits.

4 hours ago by chelmzy

The only thing you can truly do is look for anomalies in network traffic, processes, files, etc. This malware is not immune to that unless it has features specifically to hide from monitoring tools.

Even then there will almost always be evidence if you log network traffic. But obviously this is very difficult.

4 hours ago by MauranKilom

> Even then there will almost always be evidence if you log network traffic.

You'd need to know what to look for though. It was shown that the CIA can hide its communication in metadata of legitimate traffic which is then recovered at intermediate hops to the target. So, do you know precisely what an innocent DNS packet looks like to detect this anomaly?
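The exchange above (chelmzy: look for anomalies in traffic; MauranKilom: you have to know what a normal DNS packet looks like first) is the bread and butter of detection engineering, so here is what the "anomaly" side of it looks like in practice, as an added example that is not part of any comment in the thread. It runs two cheap DNS heuristics over a constructed, passive-DNS style log (invented client addresses and names, no real traffic): per-query features of the leftmost label (length, Shannon entropy, a data-carrying query type) and a per-client count of distinct subdomains under one base domain, which is the usual tell for a DNS tunnel. The log format, thresholds and the `exfil-test.net` name are all assumptions for the demo.

```python
import math
from collections import Counter, defaultdict

# Added example, not from the article or any commenter. Constructed log lines:
# "<epoch> <client> <qname> <qtype>". The 32-hex-char labels stand in for chunks of
# exfiltrated data; hosts and addresses are invented.
SAMPLE_LOG = """\
1619800000 10.0.0.5 www.example.com A
1619800001 10.0.0.5 mail.example.com MX
1619800002 10.0.0.7 e3b0c44298fc1c149afbf4c8996fb924.t.exfil-test.net TXT
1619800003 10.0.0.7 27ae41e4649b934ca495991b7852b855.t.exfil-test.net TXT
1619800004 10.0.0.7 9f86d081884c7d659a2feaa0c55ad015.t.exfil-test.net TXT
1619800005 10.0.0.9 cdn.example.com A
"""

# Thresholds are assumptions for this demo; in production they come from baselining
# your own resolver logs, which is exactly the "know what normal looks like" step.
LONG_LABEL = 24            # labels humans type are rarely this long
ENTROPY_BITS = 3.0         # encoded payloads approach 4 bits/char (hex) or ~5 (base32/base36)
DATA_QTYPES = {"TXT", "NULL"}   # record types that carry arbitrary bytes back to the client


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def score_query(qname: str, qtype: str) -> list:
    """Return the list of heuristics a single query trips (empty = looks ordinary)."""
    first = qname.split(".")[0]
    reasons = []
    if len(first) >= LONG_LABEL:
        reasons.append("long-label")
    if shannon_entropy(first) >= ENTROPY_BITS:
        reasons.append("high-entropy-label")
    if qtype in DATA_QTYPES:
        reasons.append("data-carrying-qtype")
    return reasons


def find_anomalies(records: list, min_reasons: int = 2) -> list:
    """Names that trip at least min_reasons heuristics; requiring two cuts CDN-style noise."""
    return [r["qname"] for r in records
            if len(score_query(r["qname"], r["qtype"])) >= min_reasons]


def base_domain(qname: str) -> str:
    # Last two labels; a real deployment would use the public suffix list instead.
    return ".".join(qname.split(".")[-2:])


def tunnel_suspects(records: list, min_unique: int = 3) -> dict:
    """(client, base domain) pairs with many distinct subdomains: the shape of a DNS tunnel."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["client"], base_domain(r["qname"]))].add(r["qname"])
    return {key: len(names) for key, names in seen.items() if len(names) >= min_unique}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name in find_anomalies(recs):
        print("anomalous query:", name)
    for (client, domain), count in tunnel_suspects(recs).items():
        print(f"possible tunnel: {client} -> {domain} ({count} distinct names)")
```

The caveat MauranKilom raises is the important one: this catches a channel that puts its data in the query name, which is what most tunnelling tools do, and it will not catch a channel hidden in the metadata of otherwise legitimate-looking packets (transaction IDs, case of letters in the name, timing), because every field it inspects would look normal. Heuristics like these are a floor, and the thresholds only mean something once they are set from a baseline of your own traffic.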

5 hours ago by wil421

> Kaspersky said that while it has not seen any of these samples in the wild, they believe Purple Lambert samples “were likely deployed in 2014 and possibly as late as 2015.”

You don’t do anything because you are not the target. It’s never been seen in the wild.

4 hours ago by staticassertion

While I have no information to share on this specific malware, here is the NSA's TAO Chief on what makes their jobs harder:

https://www.youtube.com/watch?v=bDJb8WOJYdA

an hour ago by anoraca

Why would you rely on a company that is banned? https://www.nextgov.com/cybersecurity/2019/09/us-finalizes-r...
