Hungarian malware intelligence researchers who detected the "MiniDuke" cyber attack say the attack is "not over"
BUDAPEST, HUNGARY (FEBRUARY 28, 2013) (REUTERS) - Hungarian malware intelligence researchers who discovered the 'MiniDuke' malware on Wednesday (February 28) in co-operation with a lab in Russia say the attacks may not be over yet.
Hackers targeted dozens of computer systems at government agencies across Europe through a flaw in Adobe Systems Inc's software, security researchers said on Wednesday, while NATO said it too had been attacked.
The alliance said its systems had not been compromised, although it was sharing the details of the attack with NATO member states and remained vigilant. Security experts say governments and organizations such as NATO are attacked on a daily basis - although the sophistication varies wildly.
These particular attacks appeared both widespread and innovative, the private computer security firms announcing the discovery said, with one expert saying he believed a nation-state might be responsible.
Russia's Kaspersky Lab and Hungary's Laboratory of Cryptography and System Security, or CrySyS, said the targets of the campaign included government computers in the Czech Republic, Ireland, Portugal and Romania.
They also said a think tank, a research institute and a healthcare provider in the United States, a prominent research institute in Hungary and other entities in Belgium and Ukraine were among those targeted by the malicious software, which they have dubbed "MiniDuke".
The researchers suspect MiniDuke was designed for espionage, but were still trying to figure out the attack's ultimate goal.
The malware exploited a recently identified security flaw in Adobe's software. Adobe said a software patch issued last week should protect users from "MiniDuke" providing they downloaded it.
Boldizsar Bencsath, a cyber security expert who runs the malware research team at CrySyS, told Reuters that he had reported the incident to NATO, although it was not clear if that was what first alerted the alliance.
"By having detected the targets and by publishing the information these targets can now be found with the assistance of the governments of the various countries and the problems can be eliminated on these computers. The problem is that we do not know all the targets," Bencsath said.
He added that the attacks could continue in a new form. "Unfortunately we can also suspect that the attackers will not sit still; they will either stop the series of attacks and disappear so that they cannot be found and the whole process identified, but it's also possible that they will re-configure their whole campaign and will activate new viruses on these machines for which our detection methods are not suitable, so it's possible that victims remain who cannot be detected."
Exactly how serious the attacks were was not immediately clear, nor who exactly the targets were or at what level European governments were alerted.
The Czech counterintelligence agency BIS said it was not aware of any massive hacking attacks on Czech institutions from abroad recently. The Czech National Security Bureau, responsible for government data, was not immediately available for comment. Neither were officials from other states said to be affected.
A NATO official in Brussels had earlier said the alliance was not directly hit, but he said later that he had been incorrect. He gave no further details.
The researchers, who declined to further elaborate on the targets' identities, released their findings as more than 20,000 security professionals gathered in San Francisco for the annual RSA conference.
MiniDuke attacked by exploiting recently discovered security bugs in Adobe's Reader and Acrobat software, according to the researchers. The attackers sent their targets PDF documents tainted with malware, an approach that hackers have long used to infect personal computers.
Bencsath said he believed a nation-state was behind the attack because of the level of sophistication and the identity of the targets, adding that it was difficult to identify which country was involved.
"We clearly rule out that someone would do this for money only. If not for money then it's for political motivation and the most likely case is that some state interest is behind it, so such a country is behind the series of attacks whose interest is to attack these organizations. And here the interesting question is how the attack against civil rights organizations comes into the picture. Presumably this must be a country which is unhappy about the actions of those civil rights organizations and presumably these organizations have been critical about the country behind the attacks," Bencsath said.
Bencsath said he believed the attackers installed "back doors" at dozens of organizations that would enable them to view information on those systems, then siphon off data they found interesting.
He said researchers had yet to uncover evidence that the operation had moved to the stage where operators had begun to exfiltrate data from their victims.
"Based on the internal data of the virus it's possible that it was made by a gang known earlier, but from the structure of the virus it is difficult to tell. We could examine the servers and their connections through which the data are stolen. At the moment this leads to a server in Panama, but it's almost sure that it's not an attack from Panama; it originates more likely from the eastern parts of Europe, or Asia or similar, but it's all guesswork and we only think this because of the nature of the process, but we cannot say more and point to a concrete country because we could be wrong."
Privately, many Western government and private sector computer experts say China is the clear leader when it comes to state-sponsored cyber attacks to steal information - although they rarely say so publicly and Beijing angrily denies it.