Selective Malware: A New Cyber Weapon? (By Clémence Le Liepvre, CEIS)
![Image Report examines recent activities of Russian cybercriminals from [Sandworm]](https://incyber.org//wp-content/uploads/2024/04/incyber-news-cybersecurite-cybersecurity-attack-danger-2024-885x690.jpg)
In the increasingly digital societies in which we live, cyberattacks targeting not only individuals and companies but also States are proliferating. This proliferation is bestowing a strategic dimension on cyberspace. Indeed, as this space becomes a new source of power, economic and political players must greatly concern themselves with controlling it, securing it and dominating it. Cyberspace constitutes not only a new playground for criminals, but also a new chessboard for geopolitical confrontations, as demonstrated by the Ukrainian crisis and the suspicions of Russian hacking during the American presidential campaign. One unique feature of this new arena of competition lies in the diversity of players therein and, in particular, the lack of clear dividing lines between State agents, criminals, patriots and small malware developers acting in their own interest.
This distinction between public and private seems harder to make in the case of Russian players, who are particularly active and competitive. Russians enjoy a certain amount of protection from Moscow while operating from Russian territory, so long as their activities have no impact on Russian citizens or former Soviet Union members.
In recent years, large-scale hacking campaigns have grown in accuracy and efficiency, and are now taking the form of highly targeted location-based attacks. As a corollary of this shift, the programming of malware designed to spare certain countries further complicates the already difficult process of distinguishing between public and private players. Russia and the former Soviet Union countries have generally been seen to be the beneficiaries of this special treatment. These software programs are programmed to refrain from activating before detecting various pieces of information that might indicate the origin or location of the owner of the computer onto which they have been downloaded: IP address, time zone, domain name, default language of the computer and default language of the keyboard. If this information indicates that the computer belongs to a citizen of a country « to be avoided, » then the malware does not activate. This scenario arose, for example, during the latest variant of the Locky ransomware attack. In 2016, more than 400,000 people fell victim to the attack in just the first week following its detection. It affected people in 105 countries and infected an average of 90,000 devices per day. Locky, like Cerber, another large-scale ransomware program, is programmed to avoid the computers of Russian speakers. Variants of the Win32/TrojanDownloader.Swizzor and Win32/Conficker Trojan horses, as well as the more recent Hermes ransomware program, also have similar characteristics.
Apart from patriotism and the possibility of direct support from Moscow (which are often difficult to dissociate), the precautions taken by Russian hackers to avoid attacking certain players may also be explained by the fact that Russia has become a real sanctuary for cybercriminals. Observers have put forward the three unwritten rules of Russian cyberspace. The first and most important rule is to attack neither Russia nor the former members of the Soviet Union. The second rule concerns a tacit agreement between the Russian government and hackers that it would be inappropriate to turn down requests from intelligence services to enlist them for their expertise. Moscow has a tendency to turn a blind eye to players on Russian territory suspected of being behind criminal activities in cyberspace. It generally refuses to cooperate with other countries in the fight against cybercrime and rarely complies with extradition requests. However, when a cybercriminal violates one of the two above-mentioned rules, the Russian authorities typically adopt a far less conciliatory attitude. The case of the Russian hacker Dimitri « Paunch » Fedotov is a good example. Mr Fedotov developed the BlackHole exploit kit, first detected in 2010. This kit was hired by numerous hackers to carry out cyberattacks throughout the world and dominated the malware market in 2012. Ultimately, Fedotov and his gang were arrested by the Russian police in October 2013 while attacking a bank in Russia. A similar case is that of the arrest of Russian twin brothers accused of being responsible for malware that successfully targeted clients of Sberbank, one of the biggest banks in Russia and Eastern Europe, whose majority shareholder is none other than the Russian government. The third and final rule of Russian cyberspace, which is directly linked to the fact that Russia now represents a safety zone for hackers, is to be extremely careful about leaving Russian territory. Given Moscow’s resistance to extraditing its nationals, countries hoping to nab a hacker established in Russia must first wait for the hacker to leave the country. For instance, the Russian hacker Vladimir Drinkman, accused of orchestrating attacks against American banks, was arrested during a trip to the Netherlands in 2012, at the request of a United States Attorney. More recently, in April 2017, the Russian spammer Peter « Severa » Levashov, ranked the seventh worst spammer in the world by the NGO The Spamhaus Project, was arrested by the Spanish police. Severa was suspected in particular of being responsible for the Kelihos botnet, described by the United States Department of Justice as a « global network of tens of thousands of infected computers […] used to facilitate malicious activities. » Shortly after Severa’s arrest, Washington requested his extradition and announced its intention to dismantle Kelihos. Despite Russian attempts to block the American request to the Spanish authorities, Madrid ultimately ruled in favour of Washington in early October 2017.
The decision made by hackers operating from Russia or former Soviet Union countries not to attack these countries may be understood both as an act of patriotism and as a measure of self-protection. This practice can help to determine the origin of certain malware, by inference. However, it can also mislead or be used to carry out false-flag attacks. For some time now, certain malware programs have been seen to be programmed to avoid these countries even though their authors neither come from nor work for any of the countries that are spared.
Documents published by WikiLeaks confirm that the CIA has attempted to disguise its own attacks and attribute them to the Russians, the Chinese, the North Koreans or the Iranians. These efforts to disguise the origin of attacks may be intended to hinder investigations, but they may also be meant to satisfy the ambition of fuelling international tensions by blaming attacks on rival countries. Thus these attacks are turning into tools for a new type of geopolitical confrontation in cyberspace in which players compete for both soft and hard power.
Finally, transnational exchange of information technology tools between cybercriminals makes the situation all the more complicated. Malware is exchanged internationally between players in cyberspace just as arms are traded internationally between players in physical space. In this scenario, an individual from Country A might perpetrate an attack using a software program developed by an individual from Country B. CEIS Cyber Threat Intelligence analysts have found, for example, that North Korean hackers have supplied themselves through Russian-speaking cyber weapon factories. Indeed, the Hermes ransomware program used by the Lazarus group (probably of North Korean origin) to conceal bank robberies during an attack on the SWIFT system of Taiwan’s Far Eastern International Bank was initially purchased on a Russian-language forum. This ransomware was programmed to deactivate when the default language of the system onto which it was downloaded was Russian, Ukrainian or Belorussian. This unique feature enabled the ransomware to be identified.
Several conclusions on the present state of cyberspace may be drawn from this malware specially programmed to sidestep certain countries. First, today, many economic and geopolitical issues in physical space have been transposed to a cyberspace notable for its opacity. Russian malware programmed to avoid Russia and the Russian Commonwealth suggests that cybercriminals may have negotiated some sort of « non-aggression pact » with the Russian Federal Security Service (FSB) in exchange for a measure of peace in these countries. Second, the programming of the Hermes malware program highlights complexities that characterise cyberspace: the difficulty of distinguishing between publish and private players, and the particular difficulty of discerning their ties to States. However, the fact that this malware specifically bypasses the Russian Commonwealth countries suggests that Moscow has gained a certain amount of control over the Russian-speaking subset of cyberspace, one of the most active and advanced reaches of the cyber realm. This seems to give the Kremlin an advantage over other State players in a cyberspace often regarded as a lawless area that traditional authorities struggle to police.