The Hip Trend of 2015 Is Designer Government Malware

Experts talked state-sponsored malware at the Black Hat conference in Las Vegas.

Photo by Lily Hay Newman

LAS VEGAS—Names like Regin, Duqu, Stuxnet, Babar, and Putter Panda probably sound familiar to you even if you can’t quite remember what they are. That’s because with high-profile hacks in the news every month, we’re all starting to hear about the high-end software that’s making the breaches possible. State-sponsored malware is the new Birkin bag.

At the Black Hat conference this week, cybersecurity experts are owning the trend. They’re often the people who discover and publicly disclose the malware, and once it’s out in the open, they’re the ones reverse-engineering it, picking it apart, and trying to figure out where it came from.

“All of the big countries are using hacking as a tool for espionage, and the smaller countries wish that they were,” said Morgan Marquis-Boire, a senior researcher at University of Toronto’s Citizen Lab and the director of security at First Look Media, in a presentation about malware attribution. “We know that actually everybody [is] selling exploits, and implants, and trojans. Someone tried to sell me some at the door.” (Naturally, news started coming out on Thursday that hackers, possibly Russian, had broken into a Pentagon email system.)

Even after it’s exposed, state-sponsored malware is powerful because it is generally created by hackers who have an unusual amount of funding and resources at their disposal. Unlike ragtag criminals or hacktivists like the Anonymous collective, developers working for a large government have full support to create maximally pernicious code. And these software tools often turn into families of related malware as a team builds on what it has done.

For example, the powerful surveillance tool Babar, which was allegedly developed by the French government and can do everything from logging keystrokes to tapping Skype calls, is part of a larger suite. Marquis-Boire and research partner Marion Marschalek of Cyphort presented evidence on Wednesday that Babar shares authorship with a whole set of tools, which they list as “NBOT, TFC, Bunny, Babar, Casper, and Dino,” all written by the same group.

In a Black Hat presentation on Thursday, Joshua Pitts, the director of security research at NopSec, talked about the evolution of malware. “Nation-state weapons really are not special or magical, they’re just developed in private,” he said. Pitts, who discovered and disclosed malware called OnionDuke last year, gave a demonstration of how he could make small changes to turn OnionDuke into a new variant that could slip past anti-virus programs even though the original is now well known.

Pitts pointed out that it’s relatively safe to plagiarize and build on malware because the authors are not going to want to expose themselves in the process of seeking retribution. OnionDuke itself, which was allegedly developed by Russia-sponsored hackers, is part of a malware family that includes other tools like MiniDuke, and it could reappear in other forms, too. “I think it’s going to be seen again, because they could recompile OnionDuke and change some settings and probably get it down to zero detections again,” Pitts said.
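Why does changing “some settings” drop a well-known sample to zero detections? Because many anti-virus signatures key on bytes that change when the implant is rebuilt: the file hash, or a byte pattern that happens to run across the embedded configuration. The short Python example below is an added illustration and is not code from Pitts’s talk or from any real sample; the “implant” is a constructed byte string with a made-up code region and a made-up C2 configuration (RFC 5737 documentation addresses), and the three signatures are hypothetical. It shows a hash signature and an exact byte-pattern signature both failing against a variant whose only change is the C2 setting, while a signature anchored on the code region with wildcards over the operand and configuration bytes still fires.

```python
import hashlib
import re

# Constructed stand-in for a compiled implant: a short fixed "code" region
# followed by an embedded configuration string. These bytes are invented for
# this example and are not taken from OnionDuke or any other real sample.
CODE_REGION = (
    bytes.fromhex("4883ec28488b0d")   # made-up instruction bytes
    + b"\x00" * 16                    # operand/padding bytes that a rebuild may change
    + bytes.fromhex("e800000000")     # a call with a zeroed displacement
)


def build_sample(config: bytes) -> bytes:
    """Assemble a fake implant: fixed code followed by a 'CFG:' config blob."""
    return CODE_REGION + b"CFG:" + config


# Original, widely analysed build (hypothetical C2 at a documentation address).
SAMPLE_V1 = build_sample(b"C2=198.51.100.10:443;SLEEP=300\x00")

# Signature 1: the full-file hash. Matches exactly one build and nothing else.
HASH_SIG = hashlib.sha256(SAMPLE_V1).hexdigest()

# Signature 2: an exact byte pattern that strays from the code into the config.
EXACT_SIG = b"\xe8\x00\x00\x00\x00CFG:C2=198.51.100.10"

# Signature 3: a YARA-style pattern anchored on the code region, with wildcards
# over the 16 operand bytes, the call displacement, and everything after "C2=".
STRUCT_SIG = re.compile(
    rb"\x48\x83\xec\x28\x48\x8b\x0d.{16}\xe8.{4}CFG:C2=", re.DOTALL
)


def hash_match(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() == HASH_SIG


def exact_match(sample: bytes) -> bool:
    return EXACT_SIG in sample


def struct_match(sample: bytes) -> bool:
    return STRUCT_SIG.search(sample) is not None


def scan(sample: bytes) -> dict:
    """Run all three signatures and report which ones fire."""
    return {
        "hash": hash_match(sample),
        "exact": exact_match(sample),
        "structural": struct_match(sample),
    }


# "Change some settings and recompile": same code, new C2 and sleep interval.
SAMPLE_V2 = build_sample(b"C2=203.0.113.7:8443;SLEEP=600\x00")

if __name__ == "__main__":
    for name, sample in (("original", SAMPLE_V1), ("variant", SAMPLE_V2)):
        print(name, scan(sample))
```

Against the original build all three signatures fire; against the variant only the structural one does, which is the whole point of Pitts’s warning. The defender’s counter is to write signatures on the parts an operator cannot change without real work (code structure, unusual API sequences, protocol behaviour) rather than on hashes or configuration strings, and to expect that a sufficiently motivated re-author will eventually defeat even those.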

Like North Face jackets and iPhones, it’s hard to keep up with the endless iterations of state-sponsored malware. But whether you want to buy a copy of the malware North Korea used to infiltrate Sony or you’re looking through the source code of NSA surveillance tools, there are plenty of ways to stay hip to the haps. “Repurposing is what we do as humans. It’s why we’re alive. It just makes sense,” Pitts said.