Email: The Most Important Weapon of Hackers

How scared should you be of LoJax, the computer virus recently in the news for being almost invisible and ineradicable? 'Not very scared yet,' says the leader of the team that discovered LoJax. 'This is so complex that you can't use it on a large scale.'

Spy software and cyber terror have become a regular ingredient on the geopolitical chessboard in recent years. Just a few years ago, we looked surprised when major computer intrusions came to light at companies like Siemens or Belgacom, but today these incidents seem almost weekly fare. Just this week, the Slovak security company ESET warned at a conference in Bratislava that there are clear signs of imminent attacks on energy and infrastructure companies. It sees links to a hacker group that has already caused blackouts in Ukraine in recent years.

Late last month, ESET's Canadian research division came up with other disturbing news: for the very first time, the researchers found evidence of malware circulating that can survive an operating system reinstallation as well as a hard disk replacement. They christened that malware LoJax, because the hackers exploited a leak in a commercial theft protection for computers called LoJack.

LoJack was designed so that a completely erased computer could still be detected. Thanks to small changes in the software code, the hackers managed to nest their malicious software in the 'firmware' of infected devices, the pre-installed software that sits one layer deeper in the system than the operating software. That way, they can still re-infect a computer from which all viruses have already been removed.

The Canadian team, led by Alexis Dorais-Joncas, was able to prove that LoJax is the work of the notorious hacker group Fancy Bear, also known by names like Sednit or APT28. This is the same group believed to be responsible for the 2016 break-in into the US Democratic Party's mail servers, and which Western intelligence agencies believe is controlled by the Kremlin. 'We make no statements about the identity of the hackers,' Dorais-Joncas said in an interview with De Tijd. 'For security companies, it is technically impossible to say anything about this with 100 per cent certainty anyway. Hackers can also deliberately leave misleading traces. What we do know is that Fancy Bear is a group that targets geopolitical targets and is therefore probably funded by a state.'

How significant is the discovery of LoJax for you?

Alexis Dorais-Joncas: (reflects) 'I've been doing this work for eight years, and this is definitely among the 10 per cent most significant incidents. We have known for years that it is theoretically possible to make such a virus, but this is the first time we have actually found it.'

Do you expect LoJax to be used by 'common' criminals now?

Dorais-Joncas: 'In principle it could, but we are talking about very complex malware. My team of ten researchers spent months familiarising themselves with UEFI, the part of the firmware in which the virus was planted. That is a very different operating environment from a normal operating system. Whoever wants to replicate that has to invest a lot of time and money in it.'

'In the long run, though, it could be that the technology becomes more widespread. An indicator of this could be that kits containing the LoJax code are being traded on the criminal circuit. But it is impossible to say when that will happen. I think it will remain a niche for a long time.'


Does the industry now work on safer UEFI standards?

Dorais-Joncas: ‘Yes, a lot of people are busy with that. We must absolutely avoid that the UEFI firmware can still be overwritten by unauthorized persons. Planting a virus in firmware is a limit that should never be exceeded. Unfortunately, we don't yet know exactly how the hackers did that.’

Is there a risk that legitimate firmware updates will be infected with such viruses?

Dorais-Joncas: ‘If something like this ever happens, it would be very bad. Think of it as a large software company that sells infected software. It would destroy their reputation. I hope they do the necessary to avoid that. But I think the risk is rather small; I still have confidence in the security teams of software companies.’

You have been following Fancy Bear for a long time. Is this the most active group of hackers you know?

Dorais-Joncas: ‘They are very active, but they are certainly not the only ones. Think of the Turla group, which mainly focuses on NATO and the European institutions. We see other groups that are more active in Asia widening their targets. But there is a lot of talk about Fancy Bear because their targets are so well known: think of the suspected attempts to influence the elections in the US, or the hack of the Democratic Party.’

‘Some hackers also manage much better to hide their activities. Most attacks by the Equation Group (according to specialists, a unit of the US intelligence service NSA, ed.) we only discovered long after they had already been carried out. Then it turned out that they had worked under the radar for four years. Such groups erase their tracks by completely changing their shape: they change their modus operandi and prevent their new malware from being linked to their older malware.’

Many countries are debating whether to try to fight the hackers with their own weapons. What do you think?

Dorais-Joncas: ‘We do not do that in principle at ESET. I find it very delicate because you have to be sure that you are hacking the right person. How can you know for sure? Many hacks are performed from infected machines, without the owners being aware of them. If you hack them, you will not attack the perpetrator, but the victim. I don't think that's the solution.’

Can we still keep up with the bad guys?

Dorais-Joncas: ‘In any case, the big, final solution to prevent all cyber attacks will never come. What gives me hope is that the operating systems are getting safer. Ten or fifteen years ago, leaks were found almost daily along which worm viruses could spread very quickly. Today it is very rare.’

‘One of the most important ways to spread malware remains the abuse of human confidence. Email is the most important technique for spreading malware or performing very targeted attacks. As a security company, we mainly strive to build in many layers, so that we can ward off the attacks from different angles.’

Isn't it strange that there are so many leaks in new software? Are so many mistakes unthinkable in the production of, say, cars or planes?

Dorais-Joncas: ‘That's right, but those companies don't have to compete with an opponent whose only goal is to destroy their product. So that comparison does not really apply.’

Could hackers focus more on firmware because ordinary software is increasingly difficult to crack?

Dorais-Joncas: ‘You could, but don't forget that these are very complex techniques. Hackers always choose the path of least resistance. If they can achieve their goal with simple techniques such as spam, they will try to do it first. And at the moment they still have a lot of cheap techniques available. Our job is to increase the cost per infection for the hackers. If successful, the number of targets will decrease, or we can force them to invest more.’

Wim De Preter,

Newsmanager Tech & Media