Monthly Archives: December 2014

Talk at Logan Symposium 2014, London

A few weeks ago, I was in London at the Logan Symposium 2014, which was held at the Barbican Centre in London from 5 to 7 December 2014. During this event, I gave a talk entitled: “Security Dilemmas in Publishing Leaks.” (slides, PDF) The event was organised by the Centre for Investigative Journalism in London.

The audience was a switched-on crowd of journalists and hacktivists, bringing together key figures in the fight against invasive surveillance and secrecy, and it was great to be there and to be able to provide some insights and context from a technological perspective.

The Ukrainian Veto: Why The MH17 Report Will Not Reveal The Truth

On November 26, 2014 it was revealed by the Dutch news outlet RTL Nieuws that there exists a confidentiality agreement that was signed by the Netherlands, Belgium, Australia and the Kiev regime in Ukraine that gives each of the signatories a veto on any information that comes out of the investigation.

The existence of this confidentiality agreement is confirmed by the Australian Government, more specifically by Melissa Stenfors, Acting Director of the Crisis Management & Contingency Planning Section of the Department of Foreign Affairs and Trade:

[Image of the letter, not reproduced here]

Later, the authenticity of this letter was confirmed by the Australian Ministry of Foreign Affairs and Trade in the following statement to RTL Nieuws:

“The letter to which you refer is authentic. Australia, The Netherlands, Belgium and Ukraine have signed a non-disclosure agreement with respect to the criminal investigation into the downing of Malaysian Airlines flight MH17.

This agreement requires consensus among the parties before information regarding the investigation can be released. The non-disclosure of information is important to avoid jeopardising the investigation or prejudicing a future judicial proceeding arising from the investigation.

The Joint Investigation Team non-disclosure agreement was communicated in confidence by foreign governments, and, as a result, cannot be made public.”

(emphasis mine)

An Elsevier magazine Freedom of Information Act (Wob) request to reveal the contents of the confidentiality agreement mentioned above, along with 16 other documents concerning the investigation, was denied by the Dutch cabinet.


Unanswered Questions

So far, the investigation into the downing of Malaysian Airlines Flight MH17 is poorly done. The Dutch Safety Board (Onderzoeksraad voor Veiligheid) published a preliminary report about MH17 on 9 September 2014. This report was unsatisfactory for many parties. Basically it only says that the damage to the front section of the fuselage and the cockpit indicates that the plane was hit by a large number of high-energy projectiles coming from outside the aircraft, and that the damage pattern does not match any damage one would expect in case of failure of the aircraft’s engines or other systems. In any case, there are no indications of any technical or operational problems with the aircraft or its crew prior to the CVR (Cockpit Voice Recorder) and FDR (Flight Data Recorder) stopping their recordings at 13:20:03 hours.

Important questions still remain unanswered, like whether the damage was caused by an air-to-air missile (which would support the Russians’ claims of a Ukrainian fighter jet near the Malaysian airliner), or surface-to-air (which supports the Buk weapons system theory). In the case of a surface-to-air missile, it still remains to be seen who fired the weapon at the time. Satellite pictures that claim that the Buk was operated by the rebels and then transported out of eastern Ukraine into the Russian Federation are very grainy, and one cannot discern any important details, let alone confirm their authenticity. These questions have not yet been answered, let alone asked by the investigation team (at least as far as we know).

The existence of the confidentiality agreement, however, is very problematic, especially if it contains, as sources seem to indicate, a veto right for all parties, including Ukraine. What if the investigation does reveal something that might point to the Ukrainians being behind the MH17 disaster? Would that ever get published? I think not, given the fact that they have a veto. Basically, the way this investigation was set up almost guarantees an outcome that will absolve the Ukrainians of any blame in the disaster. When the report does come out eventually, it will no doubt serve as new fuel on the pyre, with the West trying to blame Russia for the downing of MH17. Another reason why the investigation might be slow-going, besides the obvious difficulties in collecting all the evidence, is that the release of the final report might need to be carefully timed, released only when there’s a lull in the anti-Putin rhetoric, where it could then serve to ignite people’s anger and play on emotions to start a war with Russia. Which is a horrible thought, and I certainly do not hope things will play out this way.

But just as we have been stumbling into World War One, some of the signs are seen again nowadays. For instance, just look at the sheer level of propaganda found in the mainstream media, impervious to facts and reason. We are stumbling into another World War before we realise what happened. As the distinguished journalist John Pilger so brilliantly said during his speech at the Logan Symposium in London this month, “the most effective propaganda is not found in the Sun or on Fox News, but beneath a liberal halo.” We need to find the counter-narrative, figure out what is really going on to try and prevent this tragedy from happening.

It pains me to see how the U.S. is using Europe as its playground, themselves safely removed far away across the Atlantic Ocean, and we Europeans are allowing them to. Why should we be so subservient to a nation whose foreign policy in the past 70 years has only contributed to igniting crises and wars across the world? South America was ravaged by U.S. foreign policy, as were Vietnam, Cambodia, Laos, Afghanistan, Iraq, Syria, Pakistan, Yemen, Somalia, Cuba, and countless other countries. Innocent citizens across the globe now have to live with the very real and daily fear of extra-judicial murder in the form of drone strikes, personally ordered and authorised by President Obama every Tuesday, and extraordinary renditions (kidnapping) to “black sites” in countries like Poland and Romania where people are subject to CIA torture, as the executive summary of the Senate Select Committee on Intelligence Torture Report (PDF) recently revealed.

And the sad thing is, I’m not seeing any significant change in the US, where pundits the likes of Dick Cheney are still trumpeting torture (euphemistically called “enhanced interrogation”). When the Nazis were defeated after the Second World War, they were brought before the court during the Nuremberg trials, and some of the people deemed mainly responsible for the crimes against humanity and war crimes committed under Hitler’s regime were executed for their crimes. In the US, there isn’t even the slightest hint of a criminal investigation into the people responsible for the torture committed by CIA personnel and contractors, either directly or indirectly.

The Second Cold War

The coup in Ukraine was used to try and lure Russia into a second Cold War. A massive misinformation campaign was mounted in the Western press which totally ignored the real cause of the current crisis in Ukraine, namely the US putsch to oust the pro-Russian Yanukovich from power and install the pro-US Yatsenyuk. Yanukovich was democratically elected, Yatsenyuk was not. On Maidan square, snipers attacked both the pro- and anti-Yanukovich protesters. The telephone conversation Victoria Nuland (Assistant Secretary of State) held with Geoffrey Pyatt (U.S. Ambassador to Ukraine) that was intercepted and posted to YouTube was blacked out from the mainstream media. This offered compelling evidence that the Ukrainian crisis was a U.S.-led coup.

I have written extensively about the coup previously, explaining that NATO expansion after the Cold War ended has put Russia on edge, as they are obviously concerned about their national security. When the Soviets did a similar thing in Cuba, this led to the Cuban Missile Crisis in October 1962. Why is it OK for the U.S. to respond by blockading Cuba, but when it’s Russia’s national security that is being threatened by NATO’s military bases, these legitimate concerns are hand-waved away and ignored? American exceptionalism has no place in the 21st century, or in fact, in any century.

After the referendum on the status of the Crimea, where the vast majority of the (mostly ethnic Russian) population (96.77% in fact) voted to re-join the Russian Federation, after the separation of the Crimea from Russia by Nikita Khrushchev in 1954, the Russians were immediately blamed for annexing the area. However, there were no such outcries when Kosovo declared itself independent from Serbia (without a referendum, mind you). In the case of Kosovo, it suited the Western powers, in the case of the Crimea, it did not.

The Crimea is of strategic importance to the Russians, as their Black Sea Fleet is based in the Crimean city of Sevastopol. When the Ukrainian coup started, Russia was getting increasingly concerned about whether it would be able to continue its lease of the military base, which was set to expire in 2042. Losing access to the base would be difficult, as Sevastopol’s warm water port, its natural harbour and the extensive infrastructure already in place there currently make it one of the best-outfitted naval bases in the Black Sea. Sevastopol also allows the Russians relatively quick and easy access to the Mediterranean. The Russian Mediterranean Task Force, which is based in Sevastopol, was previously used to remove Syrian chemical weapons and conduct anti-piracy operations near Somalia.

All I hope is that the current crisis will be resolved quickly, as the path we currently seem to be on (one almost inevitably leading to war), is a foolish endeavour, and we need to realise that talking and diplomacy will get us much further than empty threats and baseless allegations. We’ve previously seen what US interference does to countries, like in the 2003 invasion of Iraq, and the sanctions that were put in place before that. Millions of people have been displaced and killed in that conflict alone. We need to stop this madness and start the dialogue to understand and hear the valid concerns put forward. Only then can war be avoided.

Regin: The Trojan Horse From GCHQ

In 2010, Belgacom, the Belgian telecommunications company, was hacked. This attack was discovered in September 2013 and had been going on for years. We know that this attack is the work of Western intelligence, more specifically GCHQ, thanks to documents from Edward Snowden. This operation was called Operation Socialist. Now, however, we know a little bit more about how exactly this attack was done, and by what means. Internet connections from employees of Belgacom were redirected to a fake LinkedIn page that was used to infect their computers with malware, called “implants” in GCHQ parlance. Now we know that Regin is the name given to the highly complex malware that seems to have been used during Operation Socialist.

Symantec recently reported on this malware (the full technical paper (PDF) can be found here), and its behaviour is highly complex. It is able to adapt to very specific missions and the authors have made tremendous effort to make it hard to detect. The malware is able to adapt and change, and since most anti-virus detection relies on heuristics or on specific fingerprints of known malware, Regin was able to fool anti-virus software and stay undetected. However, Symantec put two and two together and has now revealed some of Regin’s inner workings.

The infections have ranged from telecoms and internet backbones (20% of infections), to hospitality (hotels, etc.), energy, the airlines, and research sectors, but the vast majority of infections have been of private individuals or small businesses (48%). Also, the countries targeted are diverse, but the vast majority of attacks are directed against the Russian Federation (28%) and Saudi Arabia (24%).

The Regin malware works very much like a framework, which the attackers can use to inject various types of code, called “payloads,” to do very specific things like capturing screenshots, taking control of your mouse, stealing passwords, monitoring your network traffic and recovering files. Several Remote Access Trojans (also known as RATs) have been found, although even more complex payloads have also been found in the wild, like a Microsoft IIS web server traffic monitor (this makes it easy to spy on who visits a certain website, etcetera). Another example of a highly complex payload that has been found is malware to sniff the administration panels of mobile cellphone base station controllers.

How Regin Works

As mentioned above, Regin works as a modular framework, where the attackers can turn on/off certain elements and load specific code, called a “payload,” to create a Regin version that is specifically suited to a specific mission. Note that it is not certain whether all payloads have been discovered, and that there may be more than the ones specified in the report.

Regin does not appear to target any specific industrial sector; infections have been found across the board, but mostly in telecoms, private individuals and small businesses. Currently, it is not known what infection vectors can possibly be used to infect a specific target with the Regin malware, but one could for instance think of tricking the target into clicking on a certain link in an e-mail, visiting spoof websites, or maybe a vulnerable application installed on the victim’s computer, which can be used to infect the target with Regin. In one instance, according to the Symantec report, a victim was infected through Yahoo! Instant Messenger. During Operation Socialist, GCHQ used a fake LinkedIn page to trick Belgacom engineers into installing the malware. So one can expect infection to take place along those lines, but other possibilities may of course exist.

[Figure: The various stages of Regin.]

Regin has six stages in its architecture, called Stage 0 to Stage 5 in the Symantec report. First, a dropper trojan horse installs the malware on the target’s computer (Stage 0); then it loads several drivers (Stage 1 and 2); then it loads compression, encryption, networking, and EVFS (encrypted file container) code (Stage 3); then it loads the encrypted file container and some additional kernel drivers, plus the payloads (Stage 4); and in the final stage (Stage 5) it loads the main payload and the data files it needs to operate.

The malware seems to be aimed primarily at computers running the Microsoft Windows operating system, as all of the files discussed in the Symantec report are highly Windows-specific. But there may be payloads out there which target GNU/Linux or OS X computers. The full extent of the malware has not yet been revealed, and it will be interesting to find out more about the exact capabilities of this malware. The capabilities mentioned in the report are already vast and can be used to spy on people’s computers for extended periods of time, but I’m sure that there must be more payloads out there; I’m certain that we’ve only scratched the surface of what is possible.

Regin is a highly-complex threat to computers around the world, and seems to be specifically suited towards large-scale data collection and intelligence gathering campaigns. The development would have required significant investments of time, money and resources, and might very well have taken a few years. Some components of Regin were traced back all the way to 2003.

Western Intelligence Origins?

In recent years, various governments, like the Chinese government and the Russian government, have been implicated in various hacking attempts and attacks on Western infrastructure. In the article linked here, the FBI accuses the Russians of hacking for the purpose of economic espionage. However, Western governments also engage in digital warfare and espionage, not just for national security purposes (a term that has never been defined legally), but also in economic espionage. In the early 1990s, as part of the ECHELON programme, the NSA intercepted communications between Airbus and the Saudi Arabian national airline. They were negotiating contracts with the Saudis, and the NSA passed information on to Boeing, which was able to deliver a more competitive proposal, and due to this development Airbus lost the $6 billion contract to Boeing. This has been confirmed in the European Parliament Report on ECHELON from 2001. Regin also very clearly demonstrates that Western intelligence agencies are deeply involved in digital espionage and digital warfare.

Due to the highly complex nature of the malware, and the significant amount of effort and time required to develop, test and deploy the Regin malware, together with the highly specific nature of the various payloads and the modularity of the system, it is highly likely that a state actor was behind the Regin malware. Also, significant effort went into making the system very stealthy and hard for anti-virus software to detect. It was carefully engineered to circumvent anti-virus software’s heuristic detection algorithms and, furthermore, some effort was put into making the Regin malware difficult to fingerprint (due to its modular nature).
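The two passages above (the note on Symantec’s findings and the paragraph on why Regin is hard to fingerprint) both rest on one point: an exact-hash fingerprint of one captured build says nothing about a sibling build assembled from the same framework with different payload modules or a different per-target configuration. The following toy, added here as an illustration and not taken from the Symantec report or from any real sample, makes that concrete. It constructs a fictitious modular “build” (an invariant loader blob, a selectable set of payload modules, and a config blob; all bytes are made up) and compares a known-hash match against a rule keyed on the invariant loader structure. The names and byte patterns are assumptions for the demonstration only.

```python
"""
Why exact-hash fingerprints miss a modular framework, and what still matches.
Everything below is constructed for illustration: NOT Regin bytes, no real indicators.
"""
import hashlib
from typing import Dict, Iterable, Set

# Constructed invariant "loader" blob that every build of the toy framework carries
LOADER_BLOB = b"TOY-LOADER v1\x00" + bytes(range(32))

# Constructed payload modules an operator can mix and match per mission
PAYLOAD_MODULES: Dict[str, bytes] = {
    "screenshot": b"MOD:screenshot\x00" + b"\x01" * 16,
    "keylog":     b"MOD:keylog\x00" + b"\x02" * 16,
    "netmon":     b"MOD:netmon\x00" + b"\x03" * 16,
}


def build_sample(modules: Iterable[str], config: bytes) -> bytes:
    """Assemble a toy build: invariant loader + chosen modules + per-target config."""
    body = LOADER_BLOB
    for name in modules:
        body += PAYLOAD_MODULES[name]
    return body + b"CFG:" + config


def file_hash(sample: bytes) -> str:
    """Whole-file SHA-256, the classic 'known-bad hash' fingerprint."""
    return hashlib.sha256(sample).hexdigest()


def hash_signature_matches(sample: bytes, known_hashes: Set[str]) -> bool:
    """Exact-fingerprint check: only the very bytes that were once captured match."""
    return file_hash(sample) in known_hashes


def structural_signature_matches(sample: bytes) -> bool:
    """Rule keyed on what the framework cannot change per build:
    the invariant loader marker plus the module-header layout."""
    return LOADER_BLOB in sample and sample.count(b"MOD:") >= 1


def demo() -> Dict[str, bool]:
    """Compare both detection strategies across three builds of the same toy framework."""
    # Build A: the variant an analyst captured and hashed
    build_a = build_sample(["screenshot", "netmon"], b"target=host-A")
    known_hashes = {file_hash(build_a)}
    # Build B: same framework, different mission: one module swapped, new config
    build_b = build_sample(["keylog", "netmon"], b"target=host-B")
    # Build C: identical modules to A, only the per-target config differs
    build_c = build_sample(["screenshot", "netmon"], b"target=host-C")
    return {
        "hash_sig_a": hash_signature_matches(build_a, known_hashes),
        "hash_sig_b": hash_signature_matches(build_b, known_hashes),
        "hash_sig_c": hash_signature_matches(build_c, known_hashes),
        "struct_sig_a": structural_signature_matches(build_a),
        "struct_sig_b": structural_signature_matches(build_b),
        "struct_sig_c": structural_signature_matches(build_c),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'match' if hit else 'miss'}")
```

The point the toy makes is the defender’s side of the modularity argument: build C differs from the captured build A by a config string alone, yet the hash signature already misses it, while a rule anchored on the invariant loader keeps matching all three. Real frameworks of this class go further (the loader itself is packed, encrypted or staged), so in practice this pushes detection towards behaviour and memory inspection rather than file hashes; the toy only shows why the file-hash approach fails first.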

Furthermore, when looking at the recently discovered attacks, and more especially where the victims are geographically located, it seems that the vast majority of attacks were aimed against the Russian Federation, and Saudi Arabia.

According to The Intercept and Ronald Prins from Dutch security company Fox-IT, there is no doubt that GCHQ and NSA are behind the Regin malware. Der Spiegel revealed that NSA malware had infected the computer networks of the European Union. That might very well have been the same malware.


A similar case of state-sponsored malware appeared in June 2010. In the case of Stuxnet, a disproportionate number of Iranian industrial sites were targeted. According to Symantec, which has published various reports on Stuxnet, Stuxnet was used in one instance to change the speed of about 1,000 gas centrifuges at the Iranian nuclear power plant at Natanz, thereby sabotaging the research done by Iranian scientists. This covert manipulation could have caused an explosion at this nuclear facility.

Given the fact that Israel and the United States are very much against Iran developing nuclear power for peaceful purposes, thinking Iran is developing nuclear weapons instead of power plants, together with Stuxnet’s purpose of attacking industrial sites, among them nuclear sites in Iran, this strongly indicates that the US and/or Israeli governments are behind the Stuxnet malware. Both of these countries have the capabilities to develop it, and in fact they started to think about this project way back in 2005, when the earliest variants of Stuxnet were created.

Dangers of State-Sponsored Malware

The danger of this state-sponsored malware is of course that, should it be discovered, it may very well prompt the companies, individuals or states that the surveillance is targeted against to take countermeasures, leading to a digital arms race. This may subsequently lead to war, especially when a nation’s critical infrastructure is targeted.

The danger of states creating malware like this and letting it out in the wild is that it compromises not only security, but also our very safety. Security gets compromised when bugs are left unfixed and back doors are built in to let the spies in and let malware do its work. This affects the safety of all of us. Government back doors and malware are not guaranteed to be used only by governments. Others can get hold of the malware as well, and security vulnerabilities can be used by others than just spies. Think of criminals who are after credit card details, or who steal identities which are subsequently used for nefarious purposes.

Governments hacking other nations’ critical infrastructure would constitute an act of war, I think. Nowadays every nation worth its salt has set up a digital warfare branch, where exploits are bought and malware is developed and deployed. Once you start causing millions of Euros worth of damage to other nations’ infrastructure, you are on a slippery slope. Other countries may “hack back” and this will inevitably lead to a digital arms race, the damage of which does not only affect government computers and infrastructure, but also citizens’ computers and systems, corporations, and in some cases, even our lives. The US attack on Iran’s nuclear installations with the Stuxnet malware was incredibly dangerous and could have caused severe accidents to happen. Think of what would have happened had a nuclear meltdown occurred. But nuclear installations are not the only ones; there are other facilities as well which may come under attack, hospitals for instance.

Using malware to attack and hack other countries’ infrastructure is incredibly dangerous and can only lead to more problems. Nothing has ever been solved by it. It will cause a shady exploits market to flourish, which will mean that fewer and fewer critical exploits get fixed. Clearly, these are worth a lot of money, and many people who were previously pointing out vulnerabilities and supplying patches to software vendors are now selling these security vulnerabilities off on the black market.

Security vulnerabilities need to be addressed across the board, so that all of us can be safer, instead of the spooks using software bugs, vulnerabilities and back doors against us, and deliberately leaving open gaping holes for criminals to use as well.