Some uncomfortable truths about state-sponsored malware

This year, given the headlines brought about by Edward Snowden regarding the NSA, there is a renewed and significant interest in state-sponsored malware. 


It is a topic I feel is reasonably well understood among insiders to the security and anti-malware industry, but perhaps not so well understood by our clients. It is a topic that brings about questioning and some distrust.


Whether for purposes of data collection or of destruction, there is no denying that state-sponsored malware is a real and regular occurrence in our present cyber reality. For example, one can presently ask what impact Stuxnet has had on the potential shift in relations between East and West, and industry researchers are actively studying underlying similarities in malware of Chinese origin linked to wide theft of global corporate intellectual property. Mandiant’s APT1 report may be the best-known example of this research.


It has long been the general ethic of the anti-malware community to detect malware regardless of its creator. The industry detects malware, including state-sponsored malware, without regard to which state is behind it, and without judgments about the political rightness or wrongness of the state sponsor or of the intended target.


A recent and public letter to some of the larger anti-malware firms in the community from an international coalition of rights organizations asks:

“1. Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?
2. Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?
3. Have you ever granted such a request? If so, could you provide the same information as in the point mentioned above and the considerations which led to the decision to comply with the request from the government?
4. Could you clarify how you would respond to such a request in the future?”

I can address my own professional experiences, without saying exactly where or when the events occurred, only that during my career I have been asked by a government to remove detection of a piece of malware and even (laughably) to ‘return’ the malware. I can also say that I did, with the backing of my then management, decline any such request. But this was a good many years ago, and the threat landscape is vastly more distributed today. My experience is that for such threats, when the threat became known, detection was added. I know of no cases of compliance with any such government requests. Aside from the fact that malware is malware, I have seen variations on the following as industry justification for detection of state-sponsored malware:

1. Anti-malware analysts often don't know exactly who wrote any given sample of code.
2. Why should governments call out any given code to say ‘don't detect this’? To do so makes the malcode known.
3. The same code could fall into other hands for other nefarious purposes.

To that list I would add that, really, today, in this vastly distributed threat landscape, why should any government come asking at all? If discovered and detected, wouldn’t they just do what any producer of malware would do and tweak a new variant until it was no longer detected?


I have seen evidence that such malware is sometimes intercepted by the targeted government, reconfigured and turned back on its creators. 


So, what does all of this have to do with HP Security Research? We do and will continue to study the space and inform our customers about malware, vulnerabilities and threat actors, regardless of who those actors are. See the HP Threat Central (HPTC) announcement blog and the field intel blogs.


At HP’s ZDI, for example, the mission, in part, is to keep vulnerabilities off the black market and out of the hands of rogue actors, before such weaponized malware can be targeted, and to provide the best protection we can for our customers while responsible vendor partners take the needed time to correct open vulnerabilities.


I am sure, seeing the space evolve as it has, that some of our independent contributing researchers have been approached by parties interested in their research who had no intent to responsibly disclose those newly discovered potential vulnerabilities. However, we have seen the commitment of these independent contributing researchers to responsible disclosure.


One does hear tales of researchers and research companies that are ‘in the pockets of’ governments. None of this means, however, that as an industry we cannot partner with governments and responsibly share security and threat intelligence with them. We absolutely can and do. These are critical infrastructure partners in need of protection.


Ultimately, when we are able to write protection, we do not withhold threat information or protection from our customers because someone comes asking, regardless of who is asking. Our ongoing commitment is to education and protection.

Shannon Sabens

HP Security Research

The opinions expressed above are the personal opinions of the authors, not of HP.