The discovery of Flame and Stuxnet leaves security experts concerned there are similar malicious software attacks already underway that their systems cannot detect.
It’s rare to hear someone admit to failure. Even rarer to admit that their company and the entire industry it represents is guilty of a “spectacular failure”. But that is just what Mikko Hypponen, “cyber-security Jedi” and chief research officer at anti-virus firm F-Secure, did recently.
In a candid article for Wired published at the start of June, he admitted that the antivirus industry had been caught with its trousers down by what has been described by some as the most complex piece of malicious software ever created.
Known as Flame, the software is an example of a “spyware” infection, designed surreptitiously to record and transmit a record of actions taking place on a compromised system – from video and audio to the individual strokes of a keyboard – as well as offering access to sensitive and supposedly private information.
More striking than these capabilities, however, are two crucial factors: the sophistication of Flame’s targeting, and its ability to evade detection. Flame’s targets were almost certainly a handful of computers operating sensitive aspects of nuclear programs in the Middle East. And, as soon became apparent after its discovery, it had been spreading across the world towards these machines for over two years, undetected. Until its purpose was due to be served, one of the most important pieces of malicious code in existence had to all intents and purposes been invisible.
All of which marks out Flame as a tool not of mere criminality, but of cyber-espionage: one developed by a state-sponsored intelligence program with the intent of gathering technical information of the most sensitive kind. Hence Hypponen’s remarkably frank assessment: “We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
Cyber-crime used to feel, if not like a game with rules, then at least like an arena of knowable motivations. Thanks to the internet, every petty criminal in the world suddenly had access to your front garden (metaphorically speaking) and would muster as much cunning as possible to break into your house – or at least your bank account.
Just a day after Iran had announced the discovery of Flame, I was speaking at the Thinking Digital conference in northeast England, where I listened to Hypponen outline one of the more ingenious of such scams. Once infected by the malware in question, your computer produces an official-looking message on startup claiming to be from the FBI.
It has been detected, the message says, that your hard drive contains a treasure trove of illicit materials, incriminating you in everything from terrorism to child pornography. Your entire system has been frozen, leaving you only two options: either click here to take the claim to “court” (a bogus dead end); or pay an instant fine to unlock your system. Some users, Hypponen went on to explain, actually paid the fine even though they knew it was a scam – because they couldn’t face the potential humiliation and suspicion of explaining what was going on.
Such attacks can be destructive, disturbing and costly. Yet it is, at least, clear what’s going on once you see behind the deceiving veil: what the scammers want (money); how they aim to get it; and what your recourses may be (download a fix; contact the police or civilian digital security experts). Even when it effectively entails taking your computer hostage, financial gain remains a comprehensible motive.
What, though, is to be done when the actors involved are states themselves; or digital aggressors acting with the resources of a state behind them? Shrouded by plausible deniability on all sides, it’s increasingly clear that a kind of silent war is beginning online: one whose battles even the experts may only recognize after they’ve been fought, and whose potential targets encompass almost every system or service plugged into a computer.