Clash between cyber-spying and the defense companies

Mar 22, 2015 18:15 GMT  ·  By

Cyber security companies have a privileged position as far as digital crime is concerned, as they get to see what happens on both sides of the cybercrime fence.

Their work requires them to keep a constant eye on underground forums to stay current with the trends and to develop new strategies and methods to thwart the nefarious actions aimed at their clients.

Malware is malware, no matter who wields it

The technology created for this purpose is often used to help law enforcement disrupt the activities of organized cybercrime groups across the world, as the widely publicized past operations of the FBI and Europol show.

There is a different story when it comes to the discovery of cyber-espionage activities that point to a nation-state. As expected, neither the government nor the security companies would admit to being involved in these campaigns.

However, cyber-espionage relies on complex software platforms with numerous modules, and those modules are caught and analyzed by antivirus companies.

What may appear at first to be a standalone piece of malware is sometimes connected to other components of the spying platform, and so a larger operation is discovered and publicly exposed every now and then, once sufficient data has been gathered.

Pointing the finger is a difficult task

Determining with absolute certainty who is behind the operation is a totally different game, as the threat actor oftentimes purposely plants evidence pointing to a different party.

Unless inside information is available, such as the NSA documents leaked by Edward Snowden, attributing an espionage campaign to a specific entity is a tough task, and it can have a significant impact on the business regardless of whether the results of the investigation are right or wrong.

Some of the states believed to be the most active on the cyber-espionage scene are Russia, the US, China and North Korea, although other countries are definitely doing it as well, either on their own (recent reports hint at France and Iran) or as part of intelligence alliances such as the Five Eyes.

Obviously, none of the parties involved would admit to taking such actions, as it would be highly detrimental to both their political and business relations.

Kaspersky Lab accused of ties with FSB

Recently, antivirus company Kaspersky, which, like other reputable security firms, is actively involved in investigations of nation-state cyber-espionage campaigns, has been accused of maintaining a close relationship with the Russian Federal Security Service (FSB), the successor of the KGB intelligence services.

Rumors about this have existed for a long time, and the Moscow-based company has fought hard to make itself trustworthy in the eyes of the US market in particular.

An article in Bloomberg this week alleges that Eugene Kaspersky, founder and CEO of Kaspersky Lab, runs his ship with a focus on exposing cyber campaigns from Western intelligence, while turning a blind eye to the same operations conducted by Russia.

Equation Group details are the cause

The jab was aimed at the recently published investigation of the Equation Group, which has been found to be tied to the advanced persistent threat (APT) campaign Stuxnet and to the more recently discovered Regin; both of these are attributed to the NSA based on connections found in highly detailed analysis reports from Kaspersky and in documents leaked by Edward Snowden.

It must be mentioned that the Equation Group operates the most sophisticated cyber-espionage platforms identified to date, and that its activity goes back as far as 2002, judging by the compilation date of the first known sample.

Kaspersky points to Russian-related spy campaigns

“We’ve nothing to hide: we’re in the security business and to be successful in it you have to be open to scrutiny,” the CEO said in a quick reply to Bloomberg’s piece, going on to defend the company by providing evidence contradicting the allegations.

One of the accusations was that “while Kaspersky Lab has published a series of reports that examined alleged electronic espionage by the U.S., Israel, and the U.K., the company hasn’t pursued alleged Russian operations with the same vigor.”

In response, Eugene Kaspersky pointed to a set of 10 reports, all involving Russian-speaking malware authors or other non-English speakers, as determined from artifacts found in the executables. Some of these campaigns were entirely new, others were continuations of earlier ones.

Reports are technical

None of the investigations published by Kaspersky attributed a campaign to a specific country; they focused on the technical side. This included the methods the authors used to infiltrate the target (where such information was known), the various stages of the attack and the modules identified, the technique for uploading stolen data to a machine controlled by the operators, and the behavior of the malware on the infected system (propagation, self-deletion, updating).

Also disclosed are the targets' field of activity and location, and the command and control (C&C) servers identified.

Costin Raiu, Director of Kaspersky Lab's Global Research and Analysis Team (GReAT), indicated in a conversation on the matter over Twitter that the division had been monitoring more than 60 APTs detected in cyber-attacks across the world.

APT campaigns are monitored by others, too

Other security companies are also engaged in this type of analysis, using their own data collection systems. Symantec revealed the activity of the Dragonfly operation, also known as Energetic Bear, whose operators are likely based in Eastern Europe; later in 2014, the company presented its findings on Turla.

FireEye has also published analyses of APT campaigns it uncovered, as has CrowdStrike for Chinese-run cyber-espionage.

However, details on US spying activities are far from abundant from US-based security companies; they may have the details, but for now they keep them out of public scrutiny.

Publication does occur when competitors manage to release their investigation results first, as Eugene Kaspersky also noted in his answer to Bloomberg.

What if?

Although security companies do reveal such activities, some may think that this does not necessarily mean they are not cooperating with intelligence agencies. It may happen, with or without their knowledge, as spies can be planted in any industry.

But until undeniable evidence of this surfaces, I think it would be better to dismiss conspiracy theories of this sort. In the end, what can one do in the short run if this proves to be the reality?