
Global articles on espionage, spying, bugs, and other interesting topics.

Keep abreast of the espionage threats facing your organisation.

New malicious program for cyber espionage discovered

Security firm Kaspersky Lab recently announced the discovery of miniFlame, a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations.

Comparison of miniFlame with other malicious programs

miniFlame, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and was originally identified as a Flame module.

However, in September 2012, Kaspersky Lab’s research team conducted an in-depth analysis of Flame’s command-and-control servers (CC) and found that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program or as a plug-in for both the Flame and Gauss malware.

Analysis of miniFlame showed there were several versions created between 2010 and 2011, with some variants still being active in the wild.

The analysis also revealed new evidence of the cooperation between the creators of Flame and Gauss, as both malicious programs can use miniFlame as a “plug-in” for their operations.

Main findings:

• miniFlame, also known as SPE, is based on the same architectural platform as Flame. It can function as its own independent cyber espionage program or as a component inside both Flame and Gauss.

• The cyber espionage tool operates as a backdoor designed for data theft and direct access to infected systems.

• Development of miniFlame might have started as early as 2007 and continued until the end of 2011. Many variants are presumed to have been created. To date, Kaspersky Lab has identified six of these variants, covering two major generations: 4.x and 5.x.

• Unlike Flame or Gauss, which had a high number of infections, the number of infections for miniFlame is much smaller. According to Kaspersky Lab’s data, the number of infections is between 10 and 20 machines. The total number of infections worldwide is estimated at 50-60.

• The small number of infections, combined with miniFlame’s info-stealing features and flexible design, indicates it was used for extremely targeted cyber-espionage operations, and was most likely deployed on machines that were already infected by Flame or Gauss.

Discovery

The discovery of miniFlame occurred during the in-depth analysis of the Flame and Gauss malware.

In July 2012 Kaspersky Lab’s experts identified an additional module of Gauss, codenamed “John” and found references to the same module in Flame’s configuration files.

The subsequent analysis of Flame’s command and control servers, conducted in September 2012, helped to reveal that the newly discovered module was in fact a separate malicious program, although it can be used as a “plug-in” by both Gauss and Flame. miniFlame was codenamed SPE in the code of Flame’s original CC servers.

Kaspersky Lab discovered six different variations of miniFlame, all dating back to 2010-2011.

At the same time, the analysis of miniFlame points to an even earlier date for the start of the malware’s development: no later than 2007. miniFlame’s ability to be used as a plug-in by either Flame or Gauss clearly points to collaboration between the development teams of both Flame and Gauss.

Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same “cyber warfare” factory.

Functionality

The original infection vector of miniFlame is yet to be determined. Given the confirmed relationship between miniFlame, Flame, and Gauss, miniFlame may be installed on machines already infected by Flame or Gauss.

Once installed, miniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine.

Additional info-stealing capabilities include taking screenshots of an infected computer while it is running a specific program or application, such as a web browser, a Microsoft Office program, Adobe Reader, an instant messenger service, or an FTP client.

miniFlame uploads the stolen data by connecting to its CC server (which may be unique, or “shared” with Flame’s CCs). Separately, at the request of miniFlame’s CC operator, an additional data-stealing module can be sent to an infected system; this module infects USB drives and uses them to store data collected from infected machines that have no internet connection.

Alexander Gostev, chief security expert at Kaspersky Lab, said “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack.

“First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage.

“The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss.”


Meet the Last Man Standing in the HP Spying Scandal

October 2006: Bryan Wagner, right, stands next to Matthew DePante and Ronald DeLia, in a San Jose, California, courtroom. Photo: AP/Paul Sakuma

The final chapter in the pretexting scandal that rocked Hewlett-Packard, once one of Silicon Valley’s most esteemed companies, is drawing to a close.

Bryan Wagner is getting set to be sentenced in federal court in San Jose, California. He’s the low-level private investigator who was charged with pretending to be a Wall Street Journal reporter in order to obtain telephone records. This sort of illegal false identity scheme is known as pretexting.

His sentencing hearing is set for Nov. 1, but after nearly six years of delays, it’s likely to be put off yet again. The reason? Wagner pleaded guilty so long ago that the Probation Office’s pre-sentence report is now out of date, and the judge has ordered an update.

HP was once considered the gold standard of high technology companies, but the pretexting scandal shadowed the tech giant’s precipitous fall from grace. In fact, HP seems to have done nothing but stumble since the incident, which stemmed from HP Chairwoman Patricia Dunn’s ill-advised efforts to stop boardroom leaks to journalists. The company has cycled through two CEOs since the scandal — Mark Hurd and Leo Apotheker — and it continues to see its business prospects shrink. Last month, HP said it planned to lay off nearly 30,000 employees over the next two years.

Although Dunn did at one point face criminal prosecution, the charges against her were eventually dropped. She died last year. No HP executive has been convicted of any criminal activity in the case.

The company did pay a $14.5 million fine to the state of California, but that’s a “pretty light” punishment, given the wrongdoing, says Terry Gross, a San Francisco attorney who represented reporters who were victims of the pretexting. “HP is an incredibly wealthy company,” he says. “$14.5 million is almost nothing to it.”

The wheels of justice have also moved pretty slowly. The case has changed prosecutors over the years, as first the California Attorney General and then, ultimately, the U.S. Department of Justice took an interest in the matter.

Although the scandal captured the national spotlight for a time and even prompted a Congressional investigation, “It has ended with less a bang than a whimper,” said one person familiar with the case who spoke on condition of anonymity.

Wagner pleaded guilty to conspiracy and aggravated identity theft charges nearly six years ago, but his sentencing has been postponed while the court finished up cases against the two men who hired him: Joseph DePante and his son Matthew DePante. They were sentenced in July to three years of probation and six months of electronic monitoring.

The DePantes pleaded guilty to conspiracy charges, but with the aggravated identity theft count, Wagner is facing a tougher go of things. Aggravated identity theft comes with a minimum two-year prison sentence.

Representatives from the DePantes’ company, Action Research Group, faxed Wagner and others the Social Security numbers of the pretexting victims, and then Wagner and a business associate, Cassandra Selvage, called the telephone companies to obtain phone records, according to Joseph and Matthew DePante’s plea agreements.

Action Research Group grossed between $20,000 and $30,000 in the scheme, the plea agreements state.

In 2006, after learning that he could be the subject of a criminal investigation, Wagner allegedly took a hammer to his computer and “destroyed” his hard drive, according to a report in The Wall Street Journal.

Through his lawyer, Federal Public Defender Cynthia Lie, Wagner declined to comment for this story. Spokesmen for the U.S. Department of Justice did not return messages seeking comment for this story.


Corporate Espionage, American-Style

SUDDENLY, Washington is extremely concerned about Chinese espionage.

Last month, the White House blocked a Chinese company from operating a wind farm near a sensitive Navy base in Oregon. Next, the House Intelligence Committee said two Chinese telecommunications firms were manufacturing equipment that could be used to spy on the United States, and Defense Secretary Leon E. Panetta told business leaders that the country faced the risk of a “cyber-Pearl Harbor” — an attack that could come from terrorist groups or a country like China. Finally, during Monday’s presidential debate, Mitt Romney warned that the Chinese were “stealing our intellectual property, our patents, our designs, our technology, hacking into our computers.”

There’s no question that American companies today are under surveillance: I’ve learned that the F.B.I. has obtained a video taken inside a hotel in China that shows Chinese agents rifling through an American businessman’s room, according to two sources familiar with the tape, which the F.B.I. has been playing as a warning for corporate security experts. But while the Chinese spying push is aggressive, American companies have been tapped, bugged and spied on for more than a hundred years. As often as not, the perpetrators have been other Americans — motivated not by patriotism for a foreign flag, but by simple profit.

In Placerville, Calif., a stockbroker named D. C. Williams took advantage of the latest high-tech telecommunications gear in an insider trading scam. The year was 1864. Mr. Williams, claiming to be in the stagecoach business, rented a room at a hotel called the Sportsman’s Hall, where the State Telegraph Company had offices. Sitting in his room, within earshot of the receiving equipment, Mr. Williams simply decoded the messages about business deals as they clattered in. When he tried to bribe the telegraph agent for exclusive access to news on an important mining lawsuit, the agent turned him in, and Mr. Williams was arrested.

Or take the case of John Broady, an audacious wiretapper who in the mid-1950s set up an eavesdropping nest at an apartment in Midtown Manhattan. Working with a source inside the phone company, he set up equipment capable of tapping and simultaneously recording 10 phone lines in the area. Among Mr. Broady’s clients was the drug company Pfizer, which hired him to tap the phones of its own employees and those of a competitor, Squibb.

Mr. Broady was ultimately undone by an anonymous tipster, most likely someone inside his organization. Bizarrely, at his trial he claimed there was a nefarious Chinese angle to his scam — he said he’d used the equipment to spy on a rogue Chinese Air Force general who’d stolen millions from his government. Mr. Broady said that someone who wanted to stop the investigation had killed one of his own agents in Mexico. “I didn’t want them to knock me off, like they did my man,” he said, breaking down in tears. “I have a wife and kids.” The jury thought it was an act, and Mr. Broady received a two- to four-year prison sentence.

Spying for profit continued in more recent times. In the late 1990s, the candy companies Nestlé and Mars engaged in an epic corporate war that included a confidential source nicknamed “Deep Chocolate.” Former government agents, working through a subcontractor for Nestlé, snatched garbage bags from the Mars headquarters, replacing them with dummy trash bags so the custodial staff wouldn’t catch on. Picking through coffee grounds and stale food, they found shredded documents that they were able to painstakingly reconstruct into readable corporate records.

In London in the fall of 2008, I met with Nick, a former British Special Forces soldier who has gone into the private espionage business — working for companies around the world to dig up dirt on their competitors or their own employees. Nick, who asked that I not use his last name, told me that they often used a simple strategy: they hired subcontractors to rent space in a building across the street from their competitor, and pointed laser microphones at conference rooms across the way. Voices in the rooms made slight vibrations in the windows, and Nick’s microphones could translate those back into sound that he could record.

Technology has changed the volume of information spies can purloin from corporate files, as well as the types of attacks possible from a distance. But the principle remains the same: spying is often easier than conducting one’s own research and development. This is certainly true from China’s perspective.

What has people in Washington really worried is the idea that such passive theft could turn into an active threat — not just snooping, but knocking out elevators or communications at a presidential event, or shutting down software controlling water supplies, electrical grids and nuclear power plants.

But while we deal with this new generation of spies, we shouldn’t forget the lessons learned battling the old. The best way to fight technology is not always with more technology — it’s with human beings. As Mr. Williams and Mr. Broady learned, the most dangerous threat to a high-tech snoop is an inside source who’s willing to come forward and expose the scheme. Law enforcement officials in the 19th and 20th centuries found ways to motivate those whistle-blowers. We must do the same.

Eamon Javers is a Washington correspondent for CNBC and the author of “Broker, Trader, Lawyer, Spy: The Secret World of Corporate Espionage.”


Dyson files against Bosch over corporate spying

LONDON — Vacuum powerhouse Dyson filed legal proceedings Wednesday against Bosch in Britain’s High Court, accusing its German rival of having obtained corporate secrets through a mole within a high-security research and development department.

Dyson, known for its popular bagless vacuum cleaner, claims that a rogue engineer working in its facility in Malmesbury for Dyson digital motors was handing information on “secret motor technology” to Bosch for up to two years.

“Dyson has confronted Bosch with evidence of wrongdoing but it has refused to return the technology. Nor has it promised not to use the technology for its benefit, forcing Dyson to take legal action,” the company said in a statement.

Dyson alleges that Bosch paid the mole through an unincorporated business created solely for that purpose and that Bosch’s vice president, Wolfgang Hirschburger, was aware of the engineer’s work.

Mark Taylor, Dyson Research and Development director, said that Bosch had benefited from Dyson’s know-how and expertise.

“We have spent over 15 years and 100 million pounds ($160.2 million) developing high-speed brushless motors, which power our vacuum cleaners and Airblade hand dryers,” he said in a statement. “We are demanding the immediate return of our intellectual property.”

Bosch disputed some of the facts. It said in a statement that Dyson had employed an individual with a pre-existing consultancy agreement with Bosch Lawn and Garden Ltd. in relation to garden products — “and not vacuum cleaners or hand dryers as Dyson implies.”

The company expressed regret that Dyson has pursued legal action, saying it has been trying to establish what happened and what, if any, confidential information was supposedly passed between the companies.

Courtesy of Washington Post.


White House – no evidence of spying by Huawei

SAN FRANCISCO (Reuters) – A White House-ordered review of security risks posed by suppliers to U.S. telecommunications companies found no clear evidence that Huawei Technologies Ltd had spied for China, two people familiar with the probe told Reuters.

Instead, those leading the 18-month review concluded early this year that relying on Huawei, the world’s second-largest maker of networking gear, was risky for other reasons, such as the presence of vulnerabilities that hackers could exploit.

These previously unreported findings support parts of a landmark U.S. congressional report last week that warned against allowing Chinese companies Huawei and ZTE Corp to supply critical telecom infrastructure.

But it may douse speculation that Huawei has been caught spying for China.

Some questions remain unanswered. For example, it is unclear if security vulnerabilities found in Huawei equipment were placed there deliberately. It is also not clear whether any critical new intelligence emerged after the inquiry ended.

Aided by intelligence agencies and other departments, those conducting the largely classified White House inquiry delved into reports of suspicious activity and asked detailed questions of nearly 1,000 telecom equipment buyers, according to the people familiar with the probe.

“We knew certain parts of government really wanted” evidence of active spying, said one of the people, who requested anonymity. “We would have found it if it were there.”

White House National Security Council spokeswoman Caitlin Hayden declined to comment on the review. A spokesman for Huawei said the company was not familiar with the review but it was not surprised that no evidence of Huawei espionage was found.

Last week’s report from the Republican and Democratic leaders of the House Intelligence Committee noted the potential for spying through Huawei gear installed to manage traffic on wireless networks. The committee also criticized Huawei’s leadership for failing to provide details about its relationships with Chinese government agencies.

Huawei, whose chief executive officer, Ren Zhengfei, founded it 25 years ago after he was laid off by the Chinese army, has rejected the House report as unfair and inaccurate. China’s Commerce Ministry has also called the accusations “groundless.”

“Huawei is a $32 billion independent multinational that would not jeopardize its success or the integrity of its customers’ networks for any government or third party. Ever,” the company’s U.S. spokesman Bill Plummer said on Wednesday.

The House Intelligence Committee’s report did not present concrete evidence that either Huawei or ZTE have stolen U.S. data, although it said a classified annex provided “significantly more information adding to the committee’s concerns” about the risk to the United States.

Speculation has swirled about the contents of the secret annex, and both committee Chairman Mike Rogers and some intelligence officials have hinted at evidence that Huawei has participated in espionage.

Rogers, the report’s lead author, stoked concerns by saying some customers had seen routers sending off “very valuable data” to China.

But in the one case a committee staff member pointed out to Reuters, the victim – Leap Wireless International Inc – said that while some of its computers were infected with viruses earlier this year, an investigation found no evidence that the infection was deliberate or that confidential data had been stolen.

PREVENTIVE MEASURES

Pressed about why the White House review and unclassified version of the House Intelligence Committee report had not turned up a “smoking gun,” two officials familiar with intelligence assessments said U.S. agencies were most concerned about the capability for future spying or sabotage.

Similarly, Chris Johnson, a former CIA analyst on China, said he had been told that the White House review had come up empty on past malicious acts. Nonetheless, officials emerged from the review with “a general sense of foreboding” about what would happen if China asked Huawei for assistance in gathering intelligence from U.S. customers, he said.

“If the Chinese government approached them, why would they say no, given their system?” Johnson said.

Preventing state spying through technology is a high priority for U.S. President Barack Obama’s administration, which is lobbying for legislation to raise private-sector security standards and readying a more limited executive order along those lines.

Reuters interviews with more than a dozen current and former U.S. government officials and contractors found nearly unanimous agreement that Huawei’s equipment poses risks: The company could send software updates that siphon off vast amounts of communications data or shut them down in times of conflict.

More than anything else, cyber experts complained about what they said was poor programming that left Huawei equipment more open than that of rivals to hacking by government agents or third parties.

“We found it riddled with holes,” said one of the people familiar with the White House review.

At a conference in Kuala Lumpur last week, Felix Lindner, a leading expert in network equipment security, said he had discovered multiple vulnerabilities in Huawei’s routers.

“I’d say it was five times easier to find one in a Huawei router than in a Cisco one,” Lindner said.

Lindner, who spent months investigating Huawei code, said the vulnerabilities appeared to be the result of sloppy coding and poor procedures, rather than any deliberate attempt at espionage. Huawei is looking into his findings, he said.

Some in the U.S. government, however, have said the alleged poor security practices at Huawei could be a deliberate cover for future attacks.

One computer scientist, who helped conduct classified U.S. government research on Huawei routers and switches four to six years ago, told Reuters that he had found “back doors” that his team believed were inserted with care.

He said these back doors could enable attackers to install malicious software that would make critical government networks inoperable, allow hackers to gain entry into highly classified systems and enable them to spy on all traffic. He requested anonymity because he was not authorized to discuss the research.

Huawei has denied the existence of these back doors. Plummer also noted that any vendor’s gear could be targeted by hackers, and the company would address any vulnerabilities it finds.

The United States’ closest allies have rendered a split verdict on Huawei. Earlier this year, Australia barred Huawei from becoming a contractor on the country’s National Broadband Network, and Canada said last week that Huawei could not bid to help build a secure national network. In Britain, however, a spokesman for the Cabinet Office said Huawei’s products were fully vetted and did not represent a security concern.

Dutch Ruppersberger, the ranking Democrat on the House Intelligence Committee and co-author of the report, told Reuters that the burden of proof had been on Huawei and ZTE, which cited Chinese government restrictions in limiting their responses.

“China has the means, opportunity, and motive to use telecommunications companies for malicious purposes,” Ruppersberger said.

Republican Rogers’ staff did not respond to questions about the contents of the classified annex or the White House review.

(Reporting by Joseph Menn in San Francisco, Jim Finkle in Boston, and Mark Hosenball in Washington; Additional reporting by Paul Eckert and Jim Wolf in Washington and Jeremy Wagstaff in Kuala Lumpur; Editing by Tiffany Wu and Lisa Von Ahn)