Researchers, January 18, 2019
On Saturday, January 19, we presented research on our latest investigation into nation-state surveillance programs during a session called, “Behind Enemy Lines: Inside the operations of a nation state’s cyber program” at ShmooCon in Washington, DC.
Based on attacker communications found on a command and control server, this talk provides rare insight into a nation state’s $23 million surveillance program, including the build or buy decisions they deliberated on. Key findings include:
Throughout many of our investigations into the targeted use of custom surveillanceware against mobile endpoints, we’ve often wondered exactly what factors influenced an adversary’s decision to internally develop or externally purchase this capability. For the first time, we now have direct evidence of some of the deliberations that occur when a nation state group is tasked with developing a cyber surveillance program. As with our research into other high profile malware families and threat actors like Pegasus, Dark Caracal, Desert Scorpion, FrozenCell, ViperRAT, and SilverHawk, it’s clear adversaries have a staggering amount of options.
We’ve noticed a trend in the surveillanceware ecosystem where attackers consider the same decisions and trade-offs that any other engineering organization would. In fact, in their decision-making process on whether to create or purchase a surveillance solution, they asked questions around budget, resourcing, desired implant capabilities, the need for exploits, viable attack vectors, and vendor products. We saw these questions asked when this particular nation-state communicated with and trialed many solutions from vendors such as NSO Group, Verint, FinFisher, HackingTeam, IPS, Expert Team, Wolf Intelligence, and others.
These messages were uncovered during an in-depth investigation and reverse engineering effort into the infrastructure and malware tooling that this group built themselves. These messages also revealed many potential 0-days that a buyer could purchase along with their cost, effectiveness, and seller guarantee for both mobile and desktop operating systems.
- Buyers debating their build decision for iOS malware
- Buyers debating buying exploits for their Android malware
Ultimately this nation-state decided to build the tooling for their cyber surveillance program themselves, and our research shows that they have been highly effective, as we discovered several hundred custom malware samples attributed to them that have collected what we estimate to be 50GB of exfiltrated data. That said, this actor made several operational security missteps, which resulted in their discovery and allowed us to gain long term visibility into their operations. This access and level of insight show how creative some adversaries have to be in the development of their surveillance tooling.
Our continued research into nation-state surveillance illustrates that it is now standard and practical for a nation-state or group of any size to acquire or build up its surveillance capabilities. These capabilities affect citizens, employees, and corporations worldwide that do business with and travel to and from these countries. While we see a lot of mobile surveillanceware being built and designed for use by nation-states, these tools could be commercialized to target the enterprise by non-nation-state actors too. As we continue to move toward a post-perimeter world, CISOs who do not prioritize mobile security may put their enterprises at risk, since these surveillance capabilities are not only widespread, but exist with different incentives and use cases from those assumed by traditional security models.
Learn more about how to protect your users and corporate data with a post-perimeter security strategy.