The modern black market for implants—programs that are implanted on devices during a hacker attack—offers the rental of malware that can be configured for specific tasks by simply checking the boxes in the right places. If the software does not work, technical support will help the attackers understand the reasons and eliminate them. That is why, in the absence of an appropriate level of cyber protection at an enterprise, any person with three grades of education can try to gain access to the network of an industrial organization. Kirill Kruglov, senior researcher and developer at Kaspersky Lab, spoke about this and much more in an interview.
Is it clear where Russian industrial enterprises are being attacked from? From which continent, from which country?
We assume with a high degree of probability that, in addition to Africa and Europe, from where cybercriminals engaged in mass campaigns operate, there are persistent groups based in the Asian region. But it will not be possible to specify the countries, since we must not forget about false flags, when groups from one country deliberately use the signs of a group from another country or region to cover their tracks. Therefore, we can only name the region.
How does the chain of hacking of a Russian industrial enterprise usually begin?
There can be many scenarios here, and they are often universal for enterprises all over the world. The attack may be motivated by a political decision, or the idea of hacking may arise from unfair competition, or a business may be targeted because it is likely to pay if its infrastructure is encrypted.
It is also possible that an archive with logins and passwords for systems in this organization was sold on the Internet. Thus, having purchased inexpensive access to a large number of computers within an enterprise, attackers can already at this stage decide that they will attack it.
If they sell logins and passwords, does that mean someone has already attacked this company?
You may be surprised, but it often happens that attackers decide to hack some organization from scratch. Most often, large organizations, including industrial ones, are attacked every day. Often such attacks are aimed at collecting a small amount of data.
We have interesting research on this: the data that is collected by attackers is mainly access information, logins and passwords, and key files. They are collected on a large scale, hacking thousands of different organizations and industrial enterprises. This is done in order to then sell them on different sites or through some brokers or intermediaries, receiving $2, $8, $25 for this.
But if the company name is quite well-known, then one pair of keys can cost either $100 or $150.
How many potential buyers are there?
We can’t count them. But the product, yes. Judging by the trading platforms that we were able to discover over two years, there are tens of thousands of compromised systems, access to which is being sold right here and now. And during the day they add several hundred new accounts on average. Therefore, absolutely all industrial enterprises need to be protected.
Let’s say the first stage is completed: someone bought the data of a Russian industrial company, for example, a list of employee addresses. What happens next?
The information obtained is used by attackers in different ways. They may start sending phishing emails. And not just once, but every day, send one letter in the hope that the user, having received such a letter, will open the attachment or follow the link inside the letter, thereby downloading malicious software that provides the attacker with remote access. Having gained remote access, no matter which computer in the organization, the attacker can already begin reconnaissance, collect information, find out where the systems that are of greatest interest to him are located, and systematically move towards these systems, step by step.
What happens after reconnaissance?
Infecting the target computer. An implant is installed on it. This is what used to be called a backdoor, but has evolved as backdoors have combined with another layer of malware – spyware, keyloggers. In terms of functionality, this is a “Swiss army knife”. The word “implant” itself refers to the way this malware is inserted into the system. It tries to be hidden, tries to fit into the environment so as not to stand out.
How long ago did the implants appear?
I think about 7-8 years ago.
Is the implant designed for a specific enterprise?
Not necessarily.
Are they for sale?
Yes, sure. This is a whole big market. Moreover, the world of commercial malware does not stand still, but is rapidly evolving. Attackers picked up the platform-as-a-service idea from well-known IT brands and began providing their malware along with the infrastructure. Therefore, now some novice hacktivist or newly formed group does not need to “reinvent the wheel from scratch.” They can go out and acquire the entire infrastructure that can be used for an attack, sometimes for very little money.
Can anyone figure this out?
Yes, sure.
So this is just step-by-step instructions?
Yes. The authors or owners of the infrastructure sell it for little money, providing instructions and technical support; if something doesn’t work, they help set it up.
So there is technical support there? Attackers say: “We can’t hack the company.” They answer: “Your call is very important to us. Wait two minutes and we will help you set up the equipment”?
I don’t think they are directly involved in the attack, but they definitely help keep the entire infrastructure running. If some IP addresses are included in the block list, then their IP addresses are changed. To ensure that malicious software is not detected at the first stage, so-called obfuscation services are used. They confuse and mix up all the malware code, so it is not so easy to detect. The essence of it is old, but the shell in which it is wrapped is new. And if it suddenly turns out that such packaged malware is detected, then, accordingly, the client has the right to contact technical support and they will do it again and check that everything is working as it should.
Judging by your description, this works better than any official technical support…
Sometimes it seems to me that criminals cooperate much more effectively than legitimate companies.
You talked about the developed implant market. Are they divided into different types, groups?
Yes, there are a huge number of them. In addition, the legislation of some countries allows the creation of programs for secretly obtaining information. Therefore, semi-legal spyware is sold that is created by commercial organizations, for example, for intelligence services.
There are hundreds of these implants. They are grouped into families and differ in implementation.
That is, for example, implants are sold for industrial enterprises, and others for banks?
Specialized products are extremely rare. Because their tasks are extremely specific and hardly anyone on the market will purchase them for the first stages of an attack. Typically, specificity appears when attackers reach some very special infrastructure. For example, before encrypting virtual environments. There are certain characteristics that distinguish the virtual environment encryptor from regular disk encryptors.
Also, malware that is used to attack industrial systems with the aim not to steal data, but to disrupt the operation of industrial automation systems, must also contain specifics. And this specificity will vary from industry to industry, and even within the same industry if software from different manufacturers is used. This, of course, is taken into account in each specific case.
But such “last step” malware is quite rare. You can probably count such cases over the past 10 years on the fingers of both hands.
I know that now they don’t even sell, but rent malware. Does this apply to implants?
Yes, I think that this form is due to the fact that over the past six years there have been many leaks of the source codes of various types of malware – ransomware, implants, and so on. In this connection, the authors decided to move from the model of selling a specific finished product to the model of selling access to the infrastructure where such implants can be produced.
What does it mean to produce?
These are design programs with different settings, where you just need to check the boxes. After reading the instructions, you can select the parameters you need, indicate where to send the data, where you will have a command server, click the “create” button, and thus get your own unique piece of software.
It turns out you can assemble your own implant from “malicious Lego”?
Yes, it works something like this. And in this way the authors are protected from leaks.
Can an encryptor also be assembled for your own tasks?
Malicious programs created in such constructors are the most common type of computer threats in the modern world. And for industrial systems as well.
It turns out that now anyone can hack an industrial enterprise? And even specialized education is no longer needed?
If you set such a goal, then the chances of success are definitely above zero. It’s like riding a skateboard. If a person has two legs, then in theory he can learn to ride on it (and there are people who ride without legs). It’s about the same here. This requires some personal skills: attentiveness, composure, perseverance, the ability to purposefully make efforts to solve a problem, even if it didn’t work out the first, second, tenth time. That is, there must be serious motivation, but education is not particularly necessary for this. I believe that the first three grades of primary school are enough.
But anyone who has the motivation will most likely be able to figure it out. That is why it is so important now to pay special attention to the comprehensive cyber protection of our industrial enterprises, as Kaspersky Lab specialists have been saying for a very long time.