Tag Archives: ECHELON

Regin: The Trojan Horse From GCHQ

In 2010, Belgacom, the Belgian telecommunications company was hacked. This attack was discovered in September 2013, and has been going on for years. We know that this attack is the work of Western intelligence, more specifically, GCHQ, thanks to documents from Edward Snowden. This operation was called Operation Socialist. Now, however, we know a little bit more about how exactly this attack was done, and by what means. Internet connections from employees of Belgacom were sent to a fake LinkedIn page that was used to infect their computers with malware, called “implants” in GCHQ parlance. Now we know that Regin is the name given to the highly complex malware that seems to have been used during Operation Socialist.

Projekt 28Symantec recently reported on this malware (the full technical paper (PDF) can be found here), and it’s behaviour is highly complex. It is able to adapt to very specific missions and the authors have made tremendous effort to make it hard to detect. The malware is able to adapt and change, and since most of anti-virus detection relies on heuristics, or specific fingerprints of known malware, Regin was able to fool anti-virus software and stay undetected. However, Symantec put two and two together and has now revealed some of Regin’s inner workings.

fig3-countriesThe infections have ranged from telecoms and internet backbones (20% of infections), to hospitality (hotels, etc.), energy, the airlines, and research sectors but the vast majority of infections has been of private individuals or small businesses (48%). Also, the countries targeted are diverse, but the vast majority of attacks is directed against the Russian Federation (28%) and Saudi Arabia (24%).

The Regin malware works very much like a framework, which the attackers can use to inject various types of code, called “payloads” to do very specific things like capturing screen-shots, taking control of your mouse, stealing passwords, monitoring your network traffic and recovering files. Several Remote Access Trojans (also known as RATs) have been found, although even more complex payloads have also been found in the wild, like a Microsoft IIS web server traffic monitor (this makes it easy to spy on who visits a certain website etcetera). Another example of a highly complex payload that has been found is malware to sniff administration panels of mobile cellphone base station controllers.

How Regin Works

As mentioned above, Regin works as a modular framework, where the attackers can turn on/off certain elements and load specific code, called a “payload,” to create a Regin version that is specifically suited to a specific mission. Note that it is not certain whether all payloads have been discovered, and that there may be more than the ones specified in the report.

fig2-sectorsRegin does not appear to target any specific industrial sector, but infections have been found across the board, but mostly in telecom and private individuals and small businesses. Currently, it is not known what infection vectors can possibly be used to infect a specific target with the Regin malware, but one could for instance think of tricking the target into clicking on a certain link in an e-mail, visiting spoof websites, or maybe through a vulnerable application installed on the victim’s computer, which can be used to infect the target with Regin. In one instance, according to the Symantec report, a victim was infected through Yahoo! Instant Messenger. During Operation Socialist, GCHQ used a fake LinkedIn page to trick Belgacom engineers into installing the malware. So one can expect infection to take place along those lines, but other possibilities may of course exist.

regin_stages

The various stages of Regin.

Regin has six stages in its architecture, called Stage 0 to Stage 5 in the Symantec report. First, a dropper trojan horse will install the malware on the target’s computer (Stage 0), then it loads several drivers (Stage 1 and 2), loads compression, encryption, networking, and EVFS (encrypted file container) code (Stage 3), then it loads the encrypted file container and loads some additional kernel drivers, plus the payloads (Stage 4), and in the final stage (Stage 5) it loads the main payload and the necessary data files for it to operate.

The malware seems to be aimed primarily against computers running the Microsoft Windows operating system, as all of the files discussed in the Symantec report are highly Windows-specific. But there may be payloads out there which target GNU/Linux or OS X computers. The full extent of the malware has not been fully revealed, and it will be interesting to find out more about the exact capabilities of this malware. The capabilities mentioned in the report are already vast and can be used to spy on people’s computers for extended periods of time, but I’m sure that there must be more payloads out there, I’m certain that we’ve only scratched the surface of what is possible.

Regin is a highly-complex threat to computers around the world, and seems to be specifically suited towards large-scale data collection and intelligence gathering campaigns. The development would have required significant investments of time, money and resources, and might very well have taken a few years. Some components of Regin were traced back all the way to 2003.

Western Intelligence Origins?

In recent years, various governments, like the Chinese government, and the Russian government, have been implicated in various hacking attempts and attacks on Western infrastructure. In the article linked here, the FBI accuses the Russians of hacking for the purpose of economic espionage. However, Western governments also engage in digital warfare and espionage, not just for national security purposes (which is a term that has never been defined legally), but they also engage in economic espionage. In the early 1990s, as part of the ECHELON programme, the NSA intercepted communications between Airbus and the Saudi Arabian national airline. They were negotiating contracts with the Saudis, and the NSA passed information on to Boeing which was able to deliver a more competitive proposal, and due to this development, Airbus lost the $6 billion dollar contract to Boeing. This has been confirmed in the European Parliament Report on ECHELON from 2001. Regin also very clearly demonstrates that Western intelligence agencies are deeply involved in digital espionage and digital warfare.

Due to the highly-complex nature of the malware, and the significant amount of effort and time required to develop, test and deploy the Regin malware, together with the highly-specific nature of the various payloads and the modularity of the system, it is highly likely that a state actor was behind the Regin malware. Also, significant effort went into making the system very stealthy and hard for anti-virus software to detect. It was carefully engineered to circumvent anti-virus software’s heuristic detection algorithms and furthermore, some effort was put into making the Regin malware difficult to fingerprint (due to its modular nature)

Furthermore, when looking at the recently discovered attacks, and more especially where the victims are geographically located, it seems that the vast majority of attacks were aimed against the Russian Federation, and Saudi Arabia.

According to The Intercept and Ronald Prins from Dutch security company Fox-IT, there is no doubt that GCHQ and NSA are behind the Regin malware. Der Spiegel revealed that NSA malware had infected the computer networks of the European Union. That might very well been the same malware.

Stuxnet

symantic_virus_discovery.siA similar case of state-sponsored malware appeared in June 2010. In the case of Stuxnet, a disproportionate amount of Iranian industrial site were targeted. According to Symantec, which has published various reports on Stuxnet, Stuxnet was used in one instance to change the speed of about 1,000 gas-spinning centrifuges at the Iranian nuclear power plant at Natanz, thereby sabotaging the research done by Iranian scientists. This covert manipulation could have caused an explosion at this nuclear facility.

Given the fact that Israel and the United States are very much against Iran developing nuclear power for peaceful purposes, thinking Iran is developing nuclear weapons instead of power plants, together with Stuxnet’s purpose to attack industrial sites, amongst those, nuclear sites in Iran, strongly indicates that the US and/or Israeli governments are behind the Stuxnet malware. Both of these countries have the capabilities to develop it, and in fact, they started to think about this project way back in 2005, when the earliest variants of Stuxnet were created.

Dangers of State-Sponsored Malware

The dangers of this state-sponsored malware is of course that should it be discovered, it may very well prompt the companies, individuals or states that the surveillance is targeted against to take countermeasures, leading to a digital arms race. This may subsequently lead to war, especially when a nation’s critical infrastructure is targeted.

The dangers of states creating malware like this and letting it out in the wild is that it compromises not only security, but also our very safety. Security gets compromised when bugs are left unsolved and back doors built in to let the spies in, and let malware do its work. This affects the safety of all of us. Government back doors and malware is not guaranteed to be used only by governments. Others can get a hold of the malware as well, and security vulnerabilities can be used by others than just spies. Think criminals who are after credit card details, or steal identities which are subsequently used for nefarious purposes.

Governments hacking other nations’ critical infrastructure would constitute an act of war I think. Nowadays every nation worth its salt has set up a digital warfare branch, where exploits are bought, malware developed and deployed. Once you start causing millions of Euros worth of damage to other nations’ infrastructure, you are on a slippery slope. Other countries may “hack back” and this will inevitably lead to a digital arms race, the damage of which does not only affect government computers and infrastructure, but also citizens’ computers and systems, corporations, and in some cases, even our lives. The US attack on Iran’s nuclear installations with the Stuxnet malware was incredibly dangerous and could have caused severe accidents to happen. Think of what would happen had a nuclear meltdown occurred. But nuclear installations are not the only ones, there’s other facilities as well which may come under attacks, hospitals for instance.

Using malware to attack and hack other countries’ infrastructure is incredibly dangerous and can only lead to more problems. Nothing has ever been solved by it. It will cause a shady exploits market to flourish which will mean that less and less critical exploits get fixed. Clearly, these are worth a lot of money, and many people that were previously pointing out vulnerabilities and supplying patches to software vendors are now selling these security vulnerabilities off on the black market.

Security vulnerabilities need to be addressed across the board, so that all of us can be safer, instead of the spooks using software bugs, vulnerabilities and back doors against us, and deliberately leaving open gaping holes for criminals to use as well.

At the Crossroads: Surveillance State or Freedom?

OHM2013

When I went to OHM2013 last week, it was great to see such increased political activism from the hackers and geeks at the festival. I truly believe we are currently at a very important crossroads: either let governments the world over get away with crimes against the people’s interests, with programs like PRISM, ECHELON, TEMPORA and countless other authoritarian global surveillance schemes, or enter the path towards more freedom, transparency and accountability.

A good example of what not to do is Google Glass. A few weeks ago I came across the story of a hacker who modded Google Glass as to allow instant facial recognition and the covert recording of video.  Normally you need to tap your temple or use voice commands to start recording with Glass, all of which are pretty obvious gestures. But now people can record video and do automatic facial recognition covertly when they wear Glass. I even saw that there’s an app developed for Glass, called MedRef. MedRef also uses facial recognition technology. This basically allows medical professionals to view and update patient records using Glass. Of course having medical records available on Glass isn’t really in the interests of the patient either, as it’s a totally superfluous technology, and it’s unnecessary to store patient records on a device like that, over which you have no control. It’s Google who is calling the shots. Do we really want that?

Image above © ZABOU.

Image above © ZABOU.

As hackers, I think it’s important to remember the implications and possible privacy consequences of the things we are doing. By enabling the covert recording of video with Google Glass, and also adding on top of that, instant and automatic facial recognition, you are basically creating walking CCTV cameras. Also given the fact that these devices are controlled by Google, who knows where these video’s will end up. These devices are interesting from a technical and societal standpoint, sure, but after PRISM, we should be focusing on regaining what little we have left of our privacy and other human rights. As geeks and hackers we can no longer idly stand by and just be content hacking some technical thing that doesn’t have political implications.

I truly and with all my heart know that geeks and hackers are key to stopping the encroaching global surveillance state. It has been said that geeks shall inherit the earth. Not literally of course, but unlike any other population group out there, I think geeks have the skills and technical know-how to have a fighting chance against the NSA. We use strong encryption, we know what’s possible and what is not, and we can work one bit at a time at restoring humanity, freedom, transparency and accountability.

These values were won by our parents and grandparents after very hard bloody struggles for a reason. They very well saw what will happen with an out-of-control government. Why government of the people, for the people, and by the people, is a very good idea. The Germans have had plenty of hands-on experience with the consequences as well, first with the Nazis who took control and were responsible for murdering entire population groups, not only Jews but also people who didn’t think along similar lines: communists, activists, gay people, lesbians, transgenders, etc. Later the Germans got another taste of what can happen if you live in a surveillance state, with the Stasi in the former East-Germany, who encouraged people to spy on one another, exactly what the US government is currently also encouraging. Dangerous parallels there.

But you have to remember that the capabilities of the Stasi and Gestapo were only limited, and peanuts to what the NSA can do. Just to give a comparison: the Stasi at the height of its power, could only tap 40 telephone lines concurrently, so at any one time, there were at most 40 people under Stasi surveillance. Weird isn’t it? We all have this image in our minds that the prime example of a surveillance state would be East-Germany under the Stasi, while they could only spy on 40 people at a time. Of course, they had files on almost anybody, but they could only spy on this very limited number of people concurrently. Nowadays, the NSA gets to spy continuously on all the people in the world who are connected to the internet. Billions of people. Which begs the question: if we saw East-Germany as the prime example of the surveillance state, what do we make of the United States of America?

The Next Step?

I think the next step in defeating this technocratic nightmare of the surveillance state and regain our freedom is to educate others. Hold cryptoparties, explain the reasons and need and workings of encryption methods. Make sure that people leave with their laptops all configured to use strong encryption. If we can educate the general population one person at the time, using our technological skill and know-how, and explain why this is necessary, then eventually the NSA will have no-one to spy on, as almost all communication will flow across the internet in encrypted form. It’s sad that it is necessary, really, but I see no other option to stop intelligence agencies’ excess data-hunger. The NSA has a bad case of data addiction, and they urgently need rehab. They claim more data is necessary to catch terrorists, but let’s face it: we don’t find the needle in the haystack by making the haystack bigger.

My Move to Switzerland

Accelerated because of the recent exposure of the NSA’s horrible PRISM program by whistleblower Edward Snowden, I’ve decided to finally take the steps I’ve contemplated about for roughly a year now: moving my online persona to Switzerland.

Why Switzerland?Swiss Flag

The reason I chose Switzerland is because of United States policy, really. In recent years, the US administration has been flexing their jurisdictional muscles and have been putting several perfectly legitimate websites out of business because their owners published things the US junta didn’t like. This happens even when your servers aren’t located in the United States, and even when you don’t market your site to Americans. Having a .com, .net or .org is apparently enough to fall under US jurisdiction.

Examples are legion: Mega (previously known as MegaUpload), ran by the New Zealand citizen Kim Dotcom, whose domains have been seized by the US government because of vague copyright infringement allegations. Their website got defaced by the American government, and you can imagine the kind of damage this may inflict if you’re running a company or non-profit, and the image put up by the US authorities says your website was taken down because of, shall we say, ‘questionable’ content.

TVShacks, the website ran by the then 23-year-old Richard O’Dwyer, a UK citizen who faced extradition to the United States in 2011 because of copyright allegations, even when he was not doing anything illegal according to UK law. His website simply aggregated links to where copyrighted content could be found on the Internet, and he complied with proper notice and take-down requests. Yes, you’ve read it correctly: here is someone who actually faced extradition to the US, even when he didn’t do anything illegal under UK law, based on what exactly? Some vague copyright claims by Hollywood.

You have to be careful about which companies you deal with, and especially in which country they are incorporated. Because if you’re dealing with a US-based company, any US company, it will be subject to the US PATRIOT Act, NSLs (National Security Letters), FISA and legally required to put in back-doors and send logs containing your traffic to the US intelligence community, the NSA in particular. And in the order by the FISC (Foreign Intelligence Surveillance Court) it explicitly says that you can’t inform your clients about the fact that you have to send all their communications to the NSA. It also stipulates hefty prison sentences for the leadership of the US companies that are found to be breaching this stipulation in the order. And they aren’t collecting just meta-data: the actual content of your communications are recorded and profiled and searched through as well. But this wasn’t really anything new: the US plus the UK and her former colonies have been running the ECHELON program for many years. Its existence was confirmed by a European Parliament investigation into the capabilities and political implications of ECHELON in 2001.

What Can You Do?

The solution to this is quite complex and involves many factors and variables you have to consider. But here are some of the things I did:

Basically you want to have nothing to do with US companies. Basically don’t have any US ties whatsoever. Because as soon as there is a US link, your service providers are subject to US legislation, have to comply with the spooks’ orders and more importantly: can’t tell you about it. So avoid US companies, US cloud providers, etc. at all costs if you want to stay really secure. So no Google, Facebook, Twitter, LinkedIn, etc. without approaching this with a clear strategy in mind. Be careful when (if at all) you’re using these services.

Be sure to install browser plugins like HTTPS Everywhere (to use secure HTTPS connections wherever possible; providing end-to-end encryption) and Ghostery to prevent letting these companies track the web pages you visit.

The hardware and software you’re using also needs to be as secure as possible. Don’t order your new computer on the Internet, but go to a physical (brick-and-mortar) store (pick one at random that has the model you fancy in store) and buy one cash over the counter. The computer should preferably be running a free software (free as in freedom, not free as in ‘free beer’) operating system like GNU/Linux (there’s an easy to use distribution of GNU/Linux called Ubuntu) or BSD, and the software running on top of that should preferably be free software as well. This is done to ensure that the hardware cannot be compromised in the transfer from the manufacturer to you (since it’s impossible to tell which computer you’re going to pick at the store), and to ensure proper review of the source code of the software you are using. Or, as Eric S. Raymond said in his book The Cathedral and the Bazaar: “Given enough eyeballs, all bugs are shallow.” You cannot trust proprietary software, since you cannot check the source code, and it’s less flexible than free software because you cannot extend or change the software to fit your needs exactly. Even if you yourself don’t have the expertise to do so, you can always hire someone to do this work for you.

With regards to domain security (to prevent the US authorities from defacing your website) you can register a domain name that doesn’t fall under US jurisdiction. I chose Switzerland (.ch) because of the way they’ve been resisting pressure by the US authorities when they clamped down on Wikileaks. The server is also physically located in Switzerland. This server is also running my email, which I access through a secure, encrypted SSL/TLS connection.

Now, e-mail is basically a plain text protocol, so people still get to read them if they sniff your packets somewhere between source and destination. The best way to prevent this from happening, is to use encryption, not just for authentication, but encrypt the content as well whenever possible. I use GnuPG, an open source implementation of PGP, together with the Enigmail plug-in for Thunderbird. This works using asymmetric encryption, with two keys, a public key and a private key, which you generate on your machine. The public key can be published and shared freely, as this is what allows other people to send encrypted mail to you. You have to keep the private key secret. You can then send encrypted email to people if you have their public key.

If you want to read up some more on some of the practical measures you can take to increase your security, please visit Gendo’s Secure Comms webpage. It contains comprehensive practical advice and lots of links to the software you need to set up secure comms.

My plan is to write more articles on this website, so I’d like to thank you for your time, and hope to see you again soon!