Jump to content

Top 10 worst state-sponsored hack campaigns: From PRISM to Stuxnet and Mask


Recommended Posts

Since the first computer was connected to the internet we've seen a steady stream of a new malware variants and cyber scams doing the rounds. However, it's only in the last few years things have really heated up, with a number of startling revelations showing it's not just criminals playing fast and loose with the law and online data.

Since 2011 when the infamous Stuxnet malware was discovered, researchers have uncovered evidence that many of the most dangerous known hack campaigns are actually being carried out by government agencies. This is troubling as the attacks' cutting-edge technologies make them close to impossible to protect against. Worse still, the campaigns also give the average cyber criminal ideas about ways to improve their own attacks.

As a consequence, even if a business is not the direct victim of a government attack, their CIO still needs to stay savvy and learn from the state victim's plight. To help with this we've come up with a definitive list of the 10 worst state-sponsored hack campaigns that IT managers need to be aware of.

10. Shady RAT


Shady RAT is a remote access Trojan (RAT), which hit the headlines in 2011 after McAfee discovered numerous governments' and companies' networks had been compromised as part of a mass scale state-sponsored hacking campaign.

McAfee learned of the campaign after it gained access to a command-and-control server used by the attackers and collected log details revealing all the victims since 2006.

The McAfee research revealed that during its peak the Shady RAT campaign spanned 14 countries and compromised a staggering 72 organisations - including the United Nations, defence contractors and even Olympic committees.

Operation Shady RAT shares many similarities with the Operation Aurora and Night Dragon hack campaigns, and is believed to have been funded by the Chinese government.

9. Red October


Red October was uncovered by Kaspersky in January 2013. The security firm was fairly coy about divulging where it thought the attacks originated from, but the techniques employed by the miscreants pointed towards something fairly advanced.

"Attackers created unique, highly flexible malware to steal data and geopolitical intelligence from target victims' computer systems, mobile phones and enterprise network equipment," the report said at the time.

The malware targeted governments and political groups as well as businesses, with the majority of the infections found in Russia and Kazakhstan. Signs which pointed towards a state-sponsored attack include an advanced "resurrection module" which fooled users into thinking it had been removed. The malware also included traces of software used by the likes of Nato and the EU.

8. APT1


The APT1 hack campaign was uncovered by security firm Mandiant in February 2013. The campaign is notorious not just because it is believed to have successfully hacked 141 companies across the world, but also because of its alleged links to the Chinese government.

While there had been numerous accusations suggesting China may have been funding cyber attacks, APT1 was the first serious campaign to have a security firm directly name the Chinese. Specifically, Mandiant reported linking the campaign to a Chinese military unit based in Shanghai's Pudong district.

7. Mask


Mask is a notorious hack campaign uncovered by Russian security firm Kaspersky in February targeting diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and activists with malware.

The Kaspersky researchers listed the Mask campaign as one of the most advanced ever seen, claiming it features several defence-dodging capabilities that make it almost impossible to defend against. The researchers said the advanced powers have allow the hackers to infiltrate 380 governments and businesses across 31 countries including the UK.

While it remains unknown who is behind the Mask campaign, researchers have taken its advanced nature as a sign it is state sponsored.

6. Duqu


The Duqu malware originally reared its ugly head in the fall of 2011, when it was spotted targeting numerous company and government systems in the Middle East and North Africa.

The Duqu malware caused waves in the security community as it used a mysterious, never before seen programming language. Some researchers believe Duqu is linked to Stuxnet - some have gone so far as to claim it may well have been created by the same group of hackers.

Whatever the case may be, Duqu is certainly scary in its own right and is designed to steal information that could be used to mount attacks on industrial control systems - the things running our critical infrastructure.

5. Gauss


Gauss was a particularly nasty espionage-focused malware uncovered by Russian security firm Kaspersky in 2013.

The malware is dangerous as it held several similarities to other advanced malware, like the infamous Flame. Gauss however was atypical as despite having all the hallmarks of a traditional espionage-focused, government-made malware, its target base wasn't a power plant or government department.

Instead the Gauss campaign had a specific focus on stealing data from financial institutions. Worse still, the full scale of the campaign remains unknown, though Kaspersky researchers estimate it has infected at least 2,500 machines.

4. DarkSeoul


Relations between North and South Korea are tense at the best of times. Traditionally it's been North Korea's nuclear programme that has dominated the headlines and been a key reason for this. However, in 2013 this all changed, when hackers operating under the DarkSeoul alias claimed responsibility for a wave of attacks on several of the nation's banks and broadcasters.

Since then security experts from around the globe have compiled a growing list of evidence suggesting the DarkSeoul group is state sponsored. This started with Symantec in June 2013, which reported analysis of the attack tools used by the group showed a level of sophistication beyond most normal hacker groups.

It then continued in July 2013, when McAfee reported uncovering evidence suggesting the Dark Seoul attacks are part of a wider more dangerous hacking operation that has been ongoing for at least four years.

3. Flame


In May 2012 Iran revealed it was being hit by a high-level malware attack with the scary name of Flame.

The Iranian Computer Emergency Response Team (Maher) revealed it had discovered the attack despite the fact Flame had previously remained hidden from 43 different antivirus tools. It took the security team at Kaspersky to find it, and that was only after the UN’s International Telecommunication Union called the firm in to help discover why sensitive information was being deleted across the Middle East.

On discovering Flame the Russian security firm labelled it the "most sophisticated cyber weapon yet unleashed" and with several high-profile functions, including network monitoring, disk scanning, screen capturing, recording sound from in-built microphones and infiltrating various Windows systems.

"Flame can easily be described as one of the most complex threats ever discovered. It's big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyber-espionage," Kaspersky researcher Alexander Gostev said at the time.

Flame's uncovering was not the first time Iran revealed it was the target of a hyper-sophisticated cyber weapon, though, as we shall see.

2. PRISM spying scandal


Prior to summer 2013, the name Edward Snowden meant nothing and the word prism would have been written in lowercase. Now, though, Snowden is the scourge of spy agencies on both sides of the Atlantic, and PRISM has the notoriety of being written entirely in capital letters. Serious stuff.

In many ways PRISM only served to confirm paranoid theories that governments had been spying on our digital communications, but the scale of the espionage took many aback, as both the NSA and the UK’s GCHQ engaged in mass surveillance and data gathering of web users and governments.

Phone cables were tapped, world leaders’ phones bugged and encryption keys broken, all in the interests of national security. Europe was outraged and numerous reviews and reports have been commissioned, although no-one seems to have actually done anything wrong - except Snowden of course.

Regardless of legal loopholes, though, for businesses PRISM marked a watershed moment where data privacy and protection went beyond the fear of determined criminals and into the realms of a Franz Kafka or George Orwell story, where your own government may steal and pry on your private data.

As the old saying goes: "Just because you're paranoid doesn't mean they aren't after you."

1. Stuxnet


Stuxnet is quite possibly the most successful example of a targeted malware attack, at least of those that have become public knowledge.

The precise targeting of industrial controller devices from IT firm Siemens by Stuxnet led security researchers to quickly come to the conclusion that it was deliberately developed by one or more state security agencies - purported to be US and Israeli - in order to attack specific targets.

In this case it was centrifuge equipment being used to refine uranium at Iran's nuclear facilities. The malware almost wrecked the centrifuges by causing them to spin out of control while masking its activity with faked recordings showing normal functioning.

Stuxnet was a watershed moment in that it was the first known successful cyber attack on another nation's infrastructure. It has been criticised by many in the security industry for legitimising the use of such weapons, and because other nations may be able to adapt it for their own purposes.

Suspected variants of Stuxnet such as Flame and Duqu have already been documented, and have affected countries outside Iran, such as Indonesia, Pakistan and Azerbaijan.


Link to comment
Share on other sites

  • Views 1k
  • Created
  • Last Reply

Top Posters In This Topic

  • Reefa


Popular Days

Top Posters In This Topic

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...