Burned malware returns, says Cylance report: Is Hacking Team responsible?

Think you burned that malware group? Think again.

hunting and monitoring security threats
Thinkstock

Burning malware is like Hercules fighting the nine-headed Hydra. For every head he cuts off, two more grow back in its place. That's the lesson from a new report by Cylance today, and one both enterprise network defenders—and the public at large—should pay attention to.

Cyber mercenaries sell malware to oppressive regimes in the Middle East, which then use that malware to attack their own citizens, research from the Citizen Lab suggested earlier this year. The current regimes in Turkey and Egypt compel local ISPs to run Canadian-made Sandvine/Procera deep packet inspection middleboxes that inject the malware into unencrypted HTTP downloads of popular software like Avast, VLC Player and WinRAR. Large numbers of users in Egypt, Turkey and Syria (near the border with Turkey) are affected.

For the last six months, Cylance has been studying how the malware, known as Promethium or StrongPity, has changed as a result of the Citizen Lab report. "Even though the indicators of compromise seem to disappear off your radar screen [it] doesn't mean they're gone," Kevin Livelli, director of threat intelligence at Cylance, tells CSO.

Instead, the malware group, widely believed to be developed by a cyber mercenary group, tweaks a little code to fly under the radar again and continues to sell to oppressive regimes.

Assigning attribution?

Oppressive regimes without the resources to develop their own malware instead turn to the grey market, where any number of cyber mercenary groups provide the software and hardware needed to identify, hack, stalk, harass, disappear, torture and murder dissidents, journalists, political opponents and anyone else the regime of the day doesn't like.

Explosive reporting from Israel's Haaretz newspaper exposed the dark underbelly of the cyber mercenary business in that country. Israel is far from the only country that permits cyber mercenaries to operate. Countries like Canada, Germany and Italy tolerate such activity as well.

Cylance declined, as a matter of company policy, to attribute the malware to a particular group of cyber mercenaries, but its report hints that it might be Hacking Team, the Italian cyber mercenary group that got hacked by a vigilante hacker by the name of Phineas Phisher and had 400GB of its source code, internal documents and emails dumped online. "We have reason to believe [this malware group] bears a strong connection to a company based in Italy, a lead we hope to investigate in the near future," the Cylance report said.

What happens when you burn a malware group?

Within a short time after the Citizen Lab report, the cyber mercenary group's malware was back at full throttle. "Two months after the Citizen Lab report, Cylance found new Promethium/StrongPity activity, utilizing new infrastructure," the report said. "The observed domains all appeared to have been registered about two weeks after Citizen Lab's report. The malware has continued to adapt as new information is published."

The retooling required to continue to operate was low, the report noted. "Minimal effort and code changes were all that was required to stay out of the limelight. Cylance observed new domains, new IP addresses, filename changes and small code obfuscation changes."

Cyber mercenary groups now have the resources of a small-to-medium nation-state, and should be considered an advanced persistent threat (APT), whose weapons are used against civilians with total disregard for the rule of law. "So often when security researchers publish reports, threat actor activity seems to disappear," Livelli says. "People move on and turn the page."

"Our research demonstrates how important it is, how powerful for network defenders and researchers to occasionally look backwards, and see what happened after research was published," Livelli adds.

Cyber mercenaries: A menace to society

Cyber mercenaries are willing accomplices to crimes against humanity. When Western nations that profess to promote human rights not only permit such mercenaries to operate but enable them by approving export licenses for such technology—hacking tools used to identify and torture people for exercising their freedom of conscience—then we become complicit in those atrocities.

Attempts to rein in the practice have so far failed. The proposed 2015 amendments to the Wassenaar Arrangement, an international accord that bans export to certain countries of dual-use technologies like fissile material and centrifuges, would have also forbidden export of a great deal of harmless security software as well, and were thus abandoned.

The plausibly deniable nature of government hacking means that it is impossible to govern such uses, even in a free society. Power unchecked will always be abused.

"There's no way that technology of this sort will not be wrongfully abused. The only question is in what way," a former cyber mercenary turned whistleblower identified as "Gal" told Haaretz. "I don't want to be part of that agonizing."

Related:
SUBSCRIBE! Get the best of CSO delivered to your email inbox.