Mikko H. Hypponen

Challenges of the Cyber Arms Race - UK Wired 2012 Conference

delivered 25 October 2012, London, England

Mikko Hypponen's Twitter Feed

[AUTHENTICITY CERTIFIED: Text version below transcribed directly from audio]

[Cue Video of Russian TV News Report on the capture of Arashi et al]

My name is Mikko Hypponen and this [individual subject to the Russian news report noted above] is Arashi. He's one of the examples of Russian organized cybercriminals who create malware, spread it around the world, and make money out of it. And this case -- his case he and eight of his partners in crime made something in the range of nine million dollars with different kinds of Trojans.

But I'm not today going to speak about cybercriminals who do their crimes to make money. I'll speak more about cyber-war. Because when we go from the world of cybercrime to the offensive world of cyberattacks, things change.

And I actually don't like the term "cyberwar."

Well, there's nothing wrong with the term, but I think it's way over used, 'cause you keep hearing this word whenever there's some denial of service attack somewhere, or something gets hacked.

And I don't think we've actually seen cyberwar.

How could we have seen cyberwar if it -- if we haven't seen a war? We will see, in the future, wars between technically advanced countries, and those wars will most certainly have cyberattacks as part of the real conflict. And that could be characterized as "cyberwar" -- maybe. But right now what's happening probably isn't -- even the Stuxnet saga, I wouldn't call that a cyberwar because there is no war going on between the countries involved.

But it's also important to understand that we have completely different players in place. People are worried about, in many cases, exactly the wrong thing. Like, people read about things like Stuxnet and then they worry about Stuxnet. Well, Stuxnet is nothing to worry about. Here, in London, none of you will be infected by Stuxnet. You're not a target. The local pizza place is not going to get infected by Stuxnet because they are not the target. Uranium enrichment facilities in Iran might get infected by Stuxnet because they are the target. So it's important to understand [the] different players we have, different actors, and their different motives.

And you can, roughly, split them into three:

We have the criminals who write malware to make money, like Arashi, who we saw in the video. 

Then we have hacktivists, who not to make money but to send a message: to protest; or to do something to embarrass their target, for example.

And then, as the third origin of attacks, we have governments: governments launching attacks, governments creating malware, writing Trojans, and infecting computers to gain their results.

And these hacktivist groups, or movements, like Anonymous are -- are a fairly new phenomena. Criminals have been writing malware now for a decade -- first money-making virus using 2003. Movements like Anonymous really only came into play only three of four years ago, and they have become one of the major players.

But I'm not going to speak about Anonymous today either. We'll focus on governments.

And within attacks coming from governments, we have a range of stuff. We have espionage. You might have heard about what has been characterized as "APT attacks" -- Advanced Persistent Threats -- and these are espionage attacks. A company gets infected because they were targeted particularly. You know, somebody created the malware from the very ground up just to target one organization; maybe to target one person inside an organization. So when they gain access to his computer, they gain access to his information; they can steal the info[rmation].

And this his happening between countries and nation states. So, spying has gone online; and of course it has gone online because spying is the act of collecting information; and information has changed. Information used to be something physical. It used to be something that was printed on paper. If you wanted to get the information you have to go where the paper was. Today, it's all data. You don't actually have to "go" anywhere. You can reach the information from the other part of the world. And especially China gets blamed for these espionage cases, and these have been going on for -- for quite awhile.

Then we have cases where malware and use the malware against their own citizens; and this is happening especially in totalitarian states. It's happening in Syria, happening in Iran. It's happening in the old Egypt regime. But it's also happening in democratic nations. It's -- It's happening in [the] United States. It's happening in the Netherlands. It's happening in Germany.

Especially the Germans have been very active in creating malware and infecting their own citizens with this malware. There are several examples. One of the well known examples is the so called R2D2 Trojan -- also known as Staats Trojan or Bundes Trojan, which is being used by [the] German government against German citizens. In fact if you go to the website of the German government, you'll find that they are openly recruiting backdoor writers and Trojan creators to come work for the government so they can create Trojans to infect German citizens. They do this as part of criminal investigation[s].

Now that actually makes perfect sense. If you are the police and you are investigating a crime and you have a suspect -- well, it's -- has always been the case that you get a court order and you tap his phone; and then you tap his mobile phone. And if that's not enough then you tap his Internet connection so the ISP or the Telco starts recording all the Internet traffic coming and going to this individual.

But today that's not going to get you very far, 'cause today we extensively use services which are encrypted -- everyday services, services like Gmail, which is encrypted end to end; or Skype, which is encrypted end to. Even if your ISP is recording all of your traffic, they can't see what you're doing in Gmail or Skype. And this irritates the police 'cause they'd like to see what you're doing, if you are a suspect of a crime. And the way they get around this is with Trojans.

And there really isn't a problem here. There isn't a problem at all. It isn't a problem if the suspect turns out to be guilty, if the suspect turns out to be a potential school shooter or a drug lord or whatever. Then it's great. But if the suspect turns out to be innocent, this is a major problem, because it's hard to imagine a bigger breach of privacy, where your own government gains access to your computer -- and not just gains access to your files but sees all your network traffic, collects all your passwords, can even turn on the microphone and record what's being spoken close to your computer --  or turn on the webcam. I don't think we've really understood what it means when our own governments are using Trojans against us.

And then we have the attacks which go beyond just criminal investigations and which start to go in[to] the realm of -- of intelligence agencies and the militaries: offensive cyberattacks. In most examples in this area, the targets are in [the] Middle East. Iran has been targeted extensively. So have many other countries in the area.

This is the Bushehr nuclear plant in Iran, which has been one of the targets of these attacks. What I find fascinating is that if you actually go to Google Maps and look up Bushehr -- like I did -- Google Maps actually labels different facilities. Like here's the Emergency Feedwater building. And here's the ventilation chimney. And here's the solid waste building. That's Google Maps telling us what's what in Bushehr. It's quite fascinating.

And many of the researchers who work with the Iranian nuclear program work with the Atom Energy Organization of Iran. And that organization has been targeted by what's known as Operation Olympic [Games], which has been in the news since 2009. But the real major news really came out this May when New York Times editor David Sanger wrote and released a book called Confront and Conceal. And in that book he provides evidence leaked from U.S. governments that all of the related malware in this operation are coming from the government of the United States and Israel.

And this was what was being suspected already two years earlier. But we had no information. We couldn't really prove it and we weren't really expecting ever to get concrete evidence on that. But they actually leaked the information proving it. They took the blame and the took the credit.

Now we don't actually know exactly why. I don't -- It's pretty obvious this wasn't leaked by accident. Things like this don't leak. This was leaked on purpose to David Sanger. Maybe it's because it's the election year. Maybe it makes President Obama look strong and creative in using new kinds of technologies and techniques to go after their arch enemy, Iran.

And we must assume there's been a series of different attacks. We've only found five malware which have been related: Stuxnet which was the first one we found in 2009; since then, Flame, Duqu, Gauss, and just two weeks ago, MiniFlame, which is a smaller version of the Flame malware which was one -- one of the largest malware we've ever seen in history.

Stuxnet is the only one which actually does physical damage. It controls the PLC gear inside the Natanz nuclear enrichment facility, blowing up centrifuges. All the others here are like supporting malware: they gather information, gather intelligence, which can then be used to launch attacks like Stuxnet. We believe some of the information which was needed to launch the Stuxnet attack was collected with Duqu or other related malware before the actual attack was launched.

Now, there’s one key aspect about Stuxnet which is often missed, and that’s the fact that it’s perfectly possible that Stuxnet killed people. We don’t know that. We don’t know whether Stuxnet killed people or whether it did not kill people. But the possibility is there, because what it did is that it exploded centrifuges -- centrifuges which were two-meter high, made out of carbon fiber, were spinning at very high speeds, and they were filled with Uranium gas. And when they start failing, they fail catastrophically and they easily create a chain reaction, where one exploding centrifuge will make other centrifuges explode as well. And if there are scientists in the control room, it’s not a good place to be.

Now we don’t know if this happened, but I think the key point here is that the countries launching these attacks, they must have known that at least a possibility of killing people with this malware is there, and they went ahead and did it anyway. And when they did that, I think we crossed an important line.

It can be argued that nuclear scientists lost their innocence in 1945 when we, the mankind, used the atom bomb for the very first time. And if that’s the case, then we could argue that exactly in the same way computer scientists lost their innocence in 2009, when we started using malware as an offensive attack weapon.

That is a Siemens S7-400 PLC. This is the basic building block of any modern society. This runs our factories. This runs our power plants, runs our nuclear plants, runs our food processing plants, runs our chemical plants, most likely runs the elevators in this building. These are being used everywhere, and that’s what Stuxnet infected.

So, Iranian Atomic Energy Organization -- that’s where they do their research. They publish scientific papers about nuclear radiation and nuclear power and related things

And I’m bringing this up because in June I got an email from the Atomic Energy Organization of Iran. And I don’t usually get emails from the Atomic Energy Organization of Iran. But I got an email -- this email right here, which was sent by a scientist working in there, and he explains that they’ve had problems and he wants the world to know that they are under attack again. And then he explains that some of the computers inside their nuclear research facility were waking up in the middle of the night and starting to play music, starting to play AC/DC, specifically playing Thunderstruck at full volume.

Hmm. Nuclear research machines in the middle of the night playing Thunderstruck. Doesn’t sound very plausible, does it? Like, was this really happening?

Now I don't actually know if this really happened or not. All I know [is] that this guy was telling me this, and this guy was emailing from the Atomic Energy Organization of Iran. I -- I checked it. He...was sending it from there. And the name he was using belonged to a real nuclear scientist. I don’t know if this was true or not. But if it was true -- let's assume for a second it really happened. Why would any attacker do this? Why would they start playing AC/D[C] -- or any music in the middle of the night? Because obviously they'd blow their cover, right? And everybody will know that there is a problem.

But maybe that was the idea to begin with. If you actually read Sanger’s book, one of the key points about Operation Olympic [Games] was to make the enemy feel stupid. Make the enemy feel stupid. Many of the attacks they were doing with the centrifuges were very slow in the beginning. They were just failing, and Iranian nuclear scientists ended up firing tons of people because they couldn’t get the job done, and they didn’t realize why they weren’t getting the job done. They were feeling stupid.

So maybe here what they want to do is to show the employees of this organization that your IT department can’t protect you. Like, if your computer plays AC/DC you know that something’s going on, and your own IT department looks stupid because they can’t stop it -- they can’t keep the malware out. Maybe it’s mind games; or maybe it never happened; maybe this guy was just playing some kind of a joke.

But I did find it interesting that around four weeks after this, when the Gauss malware was found, if you look at the network traffic -- 'cause Gauss collects information and sends it out, and it encrypts the information before it sends it out -- now, the encryption it uses -- uses encryption key, and that key is four characters, and those characters are A, C, D, C -- which could be a coincidence, right? Right?

However, if you look at MiniFlame, which I found two weeks ago, MiniFlame -- one of the files actually contains country information which tells us in which country that file was created. And the country information belongs to Australia. And AC/DC is from Australia. Hmm. Maybe we can’t jump into any conclusions here; maybe they are all mind games; maybe there’s smoke and mirrors in play here.

But it’s quite clear that we have entered a new era of cyber arms race, and it’s...only going to get more and more active. Iran is one of the key locations. For example they -- Iranians themselves have been very active in using technology to monitor their own people and find dissidents and -- and revolutionary people inside Iran.

But the critical infrastructure as a whole is what’s at stake here, because we've, over the last decade or two, [have] completely switched to computer automation to run our factories, and this does make us vulnerable. In fact, the United States, which is arguably one of the most active attacking partners right now, is actually the one with most to lose. They -- They have -- They're much more dependent on computers than any other country probably anywhere in the world.

And there is possible retaliation. The largest company in the world, Saudi Aramco, company which is about twice the size of Apple in wealth, they were attacked six weeks ago. They were attacked with an attack which wiped 30,000 computers, like three -- 75% of their computers were wiped overnight, wiped with an attack which [was] overwriting all the files with an image, and the image was [a] burning flag of the United States. And if you read [The] New York Times, there's been two articles which put the blame directly on Iran. We can’t prove that, but at least it’s being claimed, a retaliation of [a] sort.