Are cyber spies looking at you?

A good-looking spy sips a cocktail after ingeniously breaking into a high-security compound and then casually walks away with some confidential documents. That's what spies do in the movies. In the real world they are more likely to use a keyboard.

Spying is about collecting information. When information was still written on pieces of paper, a spy had to physically go and steal it. These days information is data on computers and networks, so modern spying is often carried out with the help of malware. The cyber spies use trojans and backdoors to infect their targets’ computers, giving them access to the data even from the other side of the world.

Who spends money on spying? Companies and countries do. When companies do it, it's called industrial espionage. When countries do it, it's just espionage.

Spying Eyes

In most cases, the attack is made through e-mail to a few carefully selected people or even a single person in the organization. The target receives what seems like an ordinary email with an attached document, often from a familiar person. In reality, the whole message is a forgery. The email sender’s details are forged and the seemingly harmless attached document contains the attack code. If the recipient does not realize the email is a forgery, the whole case will probably go unnoticed, forever.

Program files like Windows EXE files do not get through firewalls and filters, so the attackers commonly use PDF, DOC, XLS and PPT document files as the attachment. These are also more likely to be viewed as safe documents by the recipient. In their standard form these file types do not contain executable binary code, so the attackers use vulnerabilities in applications like Adobe Reader and Microsoft Word to infect the computer.

The structure of these attack files has been deliberately broken so that it crashes the office application in use when opened, while simultaneously executing the binary code inside the document. This code usually creates two new files on the hard disk and executes them. The first is a clean document that opens up on the user’s monitor and distracts the user from the crash.

The second new file is a backdoor program which starts immediately and hides itself in the system, often using rootkit techniques. It establishes a connection from the infected computer to a specific network address, anywhere in the world. With the help of the backdoor the attacker gains access to all the information on the target computer, as well as the information in the local network that the targeted person has access to.
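As an added illustration (not part of Hypponen's article, and not F-Secure code), the Python script below shows the kind of defender-side triage a mail gateway can run on an attached document before it reaches the recipient. It checks for the two symptoms the preceding paragraphs describe: a file whose leading bytes contradict what its extension claims, and a document that carries an embedded Windows executable (an `MZ` header followed by the standard DOS stub text). The magic-byte table, the function names and the sample attachments are all constructed for this demonstration.

```python
import os
from typing import List

# Expected leading bytes for the attachment types the article names.
# Assumption: DOC/XLS/PPT are legacy OLE2 compound files, PDFs start
# with "%PDF", and the newer Office formats are ZIP containers.
OLE2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP = b"PK\x03\x04"
MAGIC = {
    ".pdf": (b"%PDF",),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,),
}

# The DOS stub that every standard Windows PE file carries right after
# its "MZ" header. A plain document has no reason to contain one.
DOS_STUB = b"This program cannot be run in DOS mode"


def extension_matches_content(filename: str, data: bytes) -> bool:
    """True if the file's leading bytes agree with what its extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return False  # unknown type: treat as a mismatch so a human reviews it
    return any(data.startswith(magic) for magic in expected)


def embedded_pe_offsets(data: bytes) -> List[int]:
    """Offsets of 'MZ' headers that are followed by a DOS stub within 256 bytes."""
    found = []
    start = 0
    while True:
        i = data.find(b"MZ", start)
        if i < 0:
            break
        if DOS_STUB in data[i:i + 256]:
            found.append(i)
        start = i + 2
    return found


def triage(filename: str, data: bytes) -> dict:
    """Combine both checks into one verdict for the attachment."""
    ext_ok = extension_matches_content(filename, data)
    pe = embedded_pe_offsets(data)
    return {
        "extension_ok": ext_ok,
        "embedded_pe_at": pe,
        "suspicious": (not ext_ok) or bool(pe),
    }


# Constructed samples: a harmless PDF, the same PDF with a fake PE image
# appended after the end-of-file marker, and a fake PE misnamed as a .doc.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
FAKE_PE = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\r\n$\x00"
TROJANED_PDF = CLEAN_PDF + b"\n%junk\n" + FAKE_PE
MISNAMED_DOC = FAKE_PE

if __name__ == "__main__":
    samples = [("invite.pdf", CLEAN_PDF),
               ("agenda.pdf", TROJANED_PDF),
               ("report.doc", MISNAMED_DOC)]
    for name, blob in samples:
        print(name, triage(name, blob))
```

The check is deliberately cheap so it can run inline on every message; it does not parse the document format, so it will not catch exploit code that is packed or encoded inside the file. That is why a gateway pairs a check like this with signature scanning and detonation of the attachment in a sandbox, which are better placed to observe the crash-and-drop behaviour the article describes.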

The attacks often use backdoor programs like Gh0st RAT or Poison Ivy to remotely monitor their targets. With such tools, they can do anything they want on the target machine. This includes logging the keyboard to collect passwords and a remote file manager to search documents with interesting content. Sometimes the attackers can eavesdrop on their target by remotely controlling the microphone of the infected computer.

It Will Get Worse

I've been tracking targeted spying attacks since they were first observed in 2005. Targets have included large companies, governments, ministries, embassies and non-profit organizations like those who campaign for the freedom of Tibet, support minorities in China or represent the Falun Gong religion. It would be easy to point the finger at the Government of China. But we don't have the smoking gun. Nobody can conclusively prove the origin of these attacks. In fact, we must assume several governments are engaging in similar attacks.

It's also clear that what we've seen so far is just the beginning. Online espionage and spying can only become a more important tool for intelligence purposes in the future. Protecting against such attacks can prove to be very difficult.

The most effective method to protect data against cyber spying is to process confidential information on dedicated computers that are not connected to the Internet. Critical infrastructure should be isolated from public networks. And isolation does not mean a firewall: it means being disconnected. And being disconnected is painful, complicated and expensive. But it's also safe.

Photo Credit: Kheng Guan Toh/Shutterstock

Mikko Hypponen is the Chief Research Officer for F-Secure and is based in Finland. He has worked with computer security for more than 20 years. Please follow him on Twitter.

