The life of crimeware
A criminal group called Quedagh has been attacking Ukrainian government organisations using the BlackEnergy trojan, according to Finnish security firm F-Secure (PDF). BlackEnergy – which started out as a general-purpose cybercrime tool – was reapplied for APT-style cyber-espionage attacks, starting in Georgia in 2008, before more recently moving over to Ukraine, the Finnish firm explains.
BlackEnergy is a popular crimeware (that is, malware designed to automate criminal activities) that is sold in the Russian cyber underground and dates back to as early as 2007. Originally, it was designed as a toolkit for creating botnets for use in conducting Distributed Denial of Service (DDoS) attacks.
Over time, the malware has evolved to support different plug-ins, which are used to extend its capabilities to provide necessary functions, depending on the purpose of an attack.
Given the nature of its toolkit, BlackEnergy has unsurprisingly been used by different gangs for different purposes; some use it for sending spam, others for stealing banking credentials.
The most notorious use may be when it was used to conduct cyber-attacks against Georgia during the Russo-Georgian confrontation in 2008.
In the summer of 2014, BlackEnergy caught our attention when we noticed that samples of it were now tailored to target Ukrainian government institutions. Though it maybe unrelated, it is interesting to note that this change conveniently coincides with the ongoing crisis in that country.
Related or not, one thing is certain: the actor(s) using these customised BlackEnergy malware are intent on stealing information from the targets. The use of this crimeware in what constitutes as an advance persistent threat (APT) attack is interesting.
In ‘black operations’ (black ops), an important criteria is that the attack should not be attributable – and what provides better plausible deniability than crimeware known to be used by multiple parties?
Separately security software firm ESET warned last September that BlackEnergy had claimed a large number of victims in Ukraine and Poland, including state organisations and businesses.
My enemy's enemy
The introduction of malware-slinging tactics further muddles an already confusing threat landscape, particularly in Iraq and Syria, where some groups are thought to do business with ideological opponents in cases where it suits their short-term interests.
The same thinking in this respect operates in cyberspace as much as it does on the ground, according to some observers.
Centient's Gordon comments: "Hackers have no loyalty. They will co-operate/collaborate with each other whenever it suits them or to achieve a common end."
"Conflicts between groups can be a complicated matter and could be triggered by different factors, including politics or religion," Gordon explains.
"An Islamic hacker group might target another Islamic group such as the SEA and vice versa, because the countries they represent might have different political leanings and might support policies that negatively affect the other’s country."
"This has been evidenced with the SEA targeting hackers from Turkey, because they believe that the Turkish government is supporting the conflict in Syria by providing money, weapons and training to rebels fighting against the Assad regime. The Turkish groups will retaliate, as they believe it is their duty to protect their country."
Experts are split on whether or not recent conflicts have led to the militarisation of the internet. Some argue it's always been that way.
Adam Kujawa, head of malware intelligence at security software firm Malwarebytes – and a veteran of a number of United States federal and defence agencies – argues that the militarisation of the internet has been happening for years. The ongoing conflict in Ukraine is an example of real-world events spilling over into cyber-space:
“If you define the militarisation of the internet as the ability to conduct warfare over the medium, then this is something that has been happening for a very long time. The use of Russian hackers in conflicts in Georgia and the Ukraine is a perfect example of this kind of militarisation, as the actions of a nation and the actions of a single group align."
Russia has armed average users – not specialised super hackers – with simple tools, before telling them which direction to point them in, according to Kujawa.