There has been a growing realization by the global cyber security community that cybercriminals of all shapes, sizes, and motivations are getting a lot better at finding and exploiting zero-day attacks. Furthermore, while the bulk of these attacks still target the Microsoft family of operating systems, increasingly attacks are being targeted at the Unix/Linux family of operating systems. Correspondingly, there is also more recent awareness of the extent of Advanced Persistent Threat (APT) rootkits that were also previously unknown. So, many are asking what is the source of this very worrisome increase in sophisticated cyber attacks?
As revealed by the WikiLeaks classified documents exposure and more recently discussed by the National Counterintelligence Center, there is a more intimate technology sharing and peer review relationship between some of the nation-state offensive cyber programs and the global cybercriminal industry. It is believed that there are both formal (i.e., documented) and informal (i.e., attempting to stay secret) relationships between both major, and even minor, nation-states and cybercriminal organizations. The reasons for this new unholy "coziness" are obvious. The large nation-states can increase their cyber operations effectiveness by obtaining intelligence on vulnerable systems known to the cybercriminal industry. Even small nation-states can join the offensive cyber industry by purchasing tool kits and/or "subcontracting" penetration services to the cybercriminal industry. A few nation-states have even set up very private networks in the bowels of the Internet to perform joint code reviews with "vetted" members of the cybercriminal industry. The cybercriminal industry learns new tricks (e.g., zero-days), makes more money and can have their code reviewed by sophisticated nation-state testing tools.
Awareness of this relationship is not exactly new but its depth and breadth were previously unknown. As far back as 2008, Russian intelligence used a vulnerability in the Microsoft Autorun.inf to "bridge the air gap" and exploit U.S. government classified computer networks. Just a few months later this very same code was added to a version of the cybercriminal attack named Conficker to dramatically expand the attack surface of the exploits. A few years earlier, the Aleuron (bootkit) attack surprised many of us who track the evolution of malware. Aleuron demonstrated sophisticated attack and evasion techniques that many felt were restricted to the domain of the nation-states. Since that time, additional attacks (mostly kernal rootkits) have appeared that reflect the "trickle down" of APT technology from nation-states to the cybercriminal industry. The Wikileaks revelations included reporting that the Chinese government engaged cybercriminals to assist in the development and peer review of the Aurora attack code and even shared the final product with them.
In the last few years, we have witnessed cybercriminal organizations utilizing hacking techniques like polymorphic code generation, signed kernal loadable modules, direct injection of malware into running processes (e.g., DLLs) and advanced cryptography to include not only stronger algorithms but also sophisticated key generation, key obfuscation and management functions. Either the cybercriminals have made exceptional leaps in skills or, more likely, they have also made new friends. While most cybercriminal organizations do not have the resources to monitor the evolution of malware detection/prevention techniques, the nation-states devote considerable resources to ensuring that their offensive cyber tools will work. This relationship may now enable cybercriminals to also stay one step ahead of the good guys.
However, what makes this relationship most worrisome is that the use of zero-day rootkits with sophisticated exploitation techniques operate totally outside the visibility of signature-based antivirus software. Most organizations suffered the effects of Conficker, Aleuron, and Aurora for months, and even years, before their malware protection products were able to detect and prevent them. The last thing the good guys need is for cybercriminals to continue to "up their game" by trading secrets (and code) with the professional organizations of determined nation-states. This is why next-generation malware defense products (that do not rely on malware signatures) like FireEye must be a critical part of any organization's protection profile.
About Robert Bigman
Robert Bigman recently retired from the Central Intelligence Agency (CIA), after serving a thirty year distinguished career. Recognized as a pioneer in the field of classified information protection, Mr. Bigman developed technical measures and procedures to manage the nation’s most sensitive secrets. As an information security trailblazer, Mr. Bigman participated in developing security measures for government computers well before commercial industry found the Internet. He then developed creative solutions to allow the CIA to use the Internet to further its mission without exposure. With twenty-five years of experience, Mr. Bigman worked in every area of information and data security, the last fifteen years as the Agency's Chief Information Security Officer (CISO). As the Agency CISO, Mr. Bigman managed a large organization of technical and program officers responsible for the protection of all Agency information. As the CISO, his responsibilities included cryptography, information security policy/processes, standards and requirements, testing and network defense/response. Mr. Bigman also served as the Agency's designated officer for all discussions with the information security industry and its commercial partners. Mr. Bigman has contributed to almost every Intelligence Community information security policy/technical standard and has provided numerous briefings to the National Security Council, Congress and presidential commissions. Mr. Bigman's earlier assignments at the CIA included participation in the technical design of the Intelligence Community's first counterterrorism database and delivery of the Agency's first secure TCP/IP local and wide area network for the Counterintelligence Center. In recognition of his expertise and contributions, Mr. Bigman has received numerous CIA and Director of National Intelligence awards.