In March 2018 Kaspersky Lab published analysis of an APT they called "Slingshot", after a cleartext string in a commonly used module. Some of their customers had been hit with this. As far as Kaspersky could tell, it had been active at least since 2012 and it was still active in February 2018.
Victims were primarily individuals but also government organizations. 47% of the victims were in Kenya, 13% in Yemen, 7% in Libya, and 6% in Afghanistan. Smaller numbers, presumably in decreasing order, were in Iraq, Tanzania, Greece, Jordan, Mauritius, Somalia, Tunisia, Turkey, and the U.A.E.
The attack came in through a previously unknown vulnerability in Mikrotik routers, which are manufactured in Latvia.
Kaspersky's overview says:
The malicious samples investigated by the researchers were
marked as 'version 6.x', which suggests the threat has existed
for a considerable length of time. The development time,
skill and cost involved in creating Slingshot's complex
toolset is likely to have been extremely high.
Taken together, these clues suggest that the group behind
Slingshot is likely to be highly organized and professional
and probably state-sponsored.
Text clues in the code suggest it is English-speaking. Some of the techniques used by Slingshot, such as the exploitation of legitimate, yet vulnerable drivers, have been seen before in other malware, such as White and Grey Lambert. However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.
Kaspersky's detailed analysis says:
The malware is highly advanced, solving all sort of problems
from a technical perspective and often in a very elegant way,
combining older and newer components in a thoroughly
thought-through, long-term operation, something to expect
from a top-notch well-resourced actor.
In terms of attribution, we have not been able to find any definitive links to any previously known APTs. Some of the techniques used by Slingshot, such as the exploitation of legitimate, yet vulnerable drivers, have been seen before in other malware, such as Turla, Equation's Grayfish platform and White Lambert. Most of the debug messages found throughout the platform are written in perfect English. The references to Tolkien's Lord of the Rings (Gollum, Smeagol) could suggest the authors are fans of Tolkien's work.
Then there were reports that Slingshot was run by JSOC or Joint Special Operations Command, part of the U.S. SOCOM or Special Operations Command. Cyberscoop reported that "current and former U.S. intelligence officials" told them that it was a U.S. military operation "used to target ISIS and al-Qaeda members". These officials said that it targeted computers in Internet cafés in developing countries, where ISIS and al-Qaeda targets used those computers to send and receive messages.
Kaspersky Lab overview
Kaspersky Lab detailed analysis
Cyberscoop announcement that Kaspersky exposed sensitive information, which itself exposes sensitive information
U.S.A versus Iran
Stuxnet, Duqu, Flame and Gauss are sophisticated threats, the first three deployed against Iran and the fourth against Middle Eastern banking. Top analysts have shown that they share many modules, and have concluded that they must have been created by a group with nation-state level resources.
In February 2016 the documentary film Zero Days premiered at the Berlin Film Festival. It's now available on YouTube.
The documentary claimed that Stuxnet was just a small part
of a vast set of U.S. hacking programs covered by
the code name NITRO ZEUS.
U.S. hackers at the Remote Operations Center (or ROC)
at Fort Meade had penetrated a wide range of Iranian
infrastructure, including military command-and-control
facilities, the air defense grid, industrial plants,
the electrical grid, and transportation systems.
A source said that there were hundreds of thousands
of implants in Iranian targets.
The ROC was ready to launch disabling attacks
in parallel with any military operation.
Hundreds of personnel had worked over several years at a
cost of hundreds of millions of dollars.
The New York Times on NITRO ZEUS
Business Insider on NITRO ZEUS
OLYMPIC GAMES was a long collaboration between the U.S. and Israel, working to frustrate Iran's nuclear program without the airstrikes and assassinations that Israel had deployed. That gave Israel access to the Stuxnet worm. Israel modified Stuxnet, making it far more aggressive, and unilaterally launched the new version. It was the Israeli modification that escaped into the wild to be discovered and analyzed by security researchers.
A U.S. source said, "Our friends in Israel took a weapon that we jointly developed — in part to keep Israel from doing something crazy — and then used it on their own in a way that blew the cover of the operation and could've led to war."
A 2011 video created to celebrate the retirement of Gabi Ashkenazi, head of the Israeli Defense Forces, listed Stuxnet as one of his successes.
The Stuxnet worm was detected in June, 2010. In September, 2010, analysts announced that it appeared to have been designed specifically to take control of a real-world industrial target, the SCADA software running chemical plants, factories, and electrical power generation and transmission systems. Its infections have been concentrated in Iran, Pakistan, India, and Indonesia, although systems have been infected world-wide. It was targeted at a specific facility — Iran's Bushehr nuclear plant. The Christian Science Monitor had a good report on this story, with more technical details than typically found in newspapers. Dark Reading goes deeper into the technical details and the analysis. Ars Technica and the New York Times describe how Stuxnet was a US-Israel operation, described in detail in David Sanger's book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. Symantec reported in February 2013 that what they call Stuxnet 0.5, a less aggressive version that used an alternative attack strategy of closing valves within the Natanz uranium enrichment facility, was in development as early as November 2005 and was out in the wild by November 2007.
Duqu was discovered on 1 Sep 2011, and is related to Stuxnet. It has been analyzed in detail by CrySyS, the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics, Kaspersky Lab, and Symantec. The Intercept has an overview. Unlike Stuxnet, which causes industrial controllers to drive centrifuges so they destroy themselves, Duqu gathers data for future attacks. The newer Duqu 2.0 attacks seem to be from Israel.
CrySyS Lab, Budapest University of Technology and Economics
Flame, first deployed in March 2012, is an impressively complex system. It gathers data from the local disk, screenshots, keylogging, and data captured from the camera and microphone if they exist. The collected data is compressed and encrypted, and then exfiltrated by enabling the Bluetooth interface and transferring the data to a mobile phone. It also involved a world-class cryptographic breakthrough in its collision-based digital signature forgery used to make it appear to be a legitimate Microsoft Windows update. Microsoft has explained the use of an MD5 collision to forge digital signatures based on one of their weaker code-signing certificates.
Gauss was discovered in early August, 2012, and is believed to have been deployed since August or September of 2011. It combines the cyber-surveillance of Flame with a Trojan targeting online banking. It moves via USB memory sticks. The majority of the infected systems have been detected in Lebanon. Kaspersky has an overview and a detailed analysis. Other descriptions appeared in CNN Money, Wired, The Register, and Ars Technica.
February 2015 — Kaspersky Labs released a report describing what they call the Equation Group. This seems to be their discovery of NSA TAO software and firmware in some of their customers' systems. It is both software and firmware: it includes the ability to modify the firmware within more than a dozen brands of disk drives, including Maxtor, Seagate, Hitachi, and Toshiba. Kaspersky describes this as the most sophisticated attack group of the approximately 60 such groups they track. The Equation Group software and firmware has ties to both Stuxnet and Flame among others, and goes back at least to 2001, possibly to 1996. Kaspersky has detected it in their customers' systems in at least 30 countries, concentrated in Iran, Russia, and Pakistan. It can travel on its own as a worm, or embedded in an email message or a hostile web page, or moved via USB devices.
August 2016 — Kaspersky Labs announced the discovery of what they call "ProjectSauron", a cyber-espionage system designed to steal encryption keys and other sensitive data, complex enough that they credit it with national backing.
See their announcement and their research paper in which they show probable American UNIX-centric authorship.
Also see Symantec's analysis in which they dub the group "Strider".
These analyses brag on the attacks' sophistication, but they also describe some unexpected design choices like the use of RC4 and RC6, plus encryption by XOR with 8-bit and 16-bit patterns. So which is it, NSA origin or 8-bit XOR?
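The 8-bit and 16-bit XOR "encryption" mentioned above is the kind of obfuscation an analyst strips in minutes, because each key byte can be solved independently from ciphertext alone. The Python below is an added illustration, not code from Kaspersky, Symantec or the ProjectSauron authors; the plaintext is a constructed, made-up message and the English-text scoring weights are an arbitrary heuristic. It recovers one- and two-byte repeating keys and generalizes the search to any short key length up to a configured bound.

```python
"""Recover a short repeating XOR key from ciphertext alone.

Added example, not code from any of the analyses discussed on this page.
The plaintext below is constructed for the demonstration; the scoring
weights are an arbitrary English-text heuristic.
"""

# Constructed sample: a made-up, lowercase config-style message.
SAMPLE_PLAINTEXT = (
    b"beacon interval is sixty seconds and the collected files are staged "
    b"under the temp directory before upload to the configured server address"
)

COMMON_LETTERS = set(b"etaoinshrdlu")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(data: bytes) -> int:
    """Heuristic: reward spaces and common lowercase letters, punish control bytes."""
    score = 0
    for b in data:
        if b == 0x20:
            score += 3
        elif b in COMMON_LETTERS:
            score += 2
        elif 0x61 <= b <= 0x7A:
            score += 1
        elif 0x20 < b < 0x7F or b in (0x09, 0x0A, 0x0D):
            pass  # other printable ASCII: neutral
        else:
            score -= 20  # control bytes or high bytes: almost certainly a wrong key
    return score


def recover_key(ciphertext: bytes, key_len: int) -> bytes:
    """Solve each key byte independently.

    Bytes at positions i with i % key_len == pos were all XORed with the same
    key byte, so each such column is a single-byte XOR problem with 256 candidates.
    """
    key = bytearray()
    for pos in range(key_len):
        column = ciphertext[pos::key_len]
        best = max(range(256), key=lambda k: english_score(bytes(b ^ k for b in column)))
        key.append(best)
    return bytes(key)


def recover(ciphertext: bytes, max_key_len: int = 4) -> tuple[bytes, bytes]:
    """Try every key length up to max_key_len; keep the shortest best-scoring key.

    A longer multiple of the true key length yields the same plaintext and the
    same score, so the strict comparison keeps the shortest equivalent key.
    """
    best_key, best_plain, best_score = b"", b"", None
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ciphertext, key_len)
        plain = xor_with_key(ciphertext, key)
        score = english_score(plain)
        if best_score is None or score > best_score:
            best_key, best_plain, best_score = key, plain, score
    return best_key, best_plain


if __name__ == "__main__":
    # Constructed keys: one 8-bit and one 16-bit pattern.
    for key in (b"\x7e", b"\x5a\xc3"):
        ct = xor_with_key(SAMPLE_PLAINTEXT, key)
        found_key, found_plain = recover(ct)
        print(f"key {key.hex()} -> recovered {found_key.hex()}, "
              f"plaintext ok={found_plain == SAMPLE_PLAINTEXT}")
```

The per-column approach is what makes the key length irrelevant to the difficulty: a 16-bit key costs two independent 256-candidate searches, not one 65536-candidate search, and the same holds for any short key. This is why short repeating XOR offers no confidentiality against anyone with a copy of the sample, whatever the rest of the toolset looks like.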
Also see Iran versus the world
U.S.A. / South Korea / "North Korea" — July 2009
4 July 2009 — Distributed Denial-of-Service (DDOS) attacks against U.S. government servers including on the U.S. national holiday, the same day that North Korea launches a series of medium-range missiles, are blamed on North Korea.
7 July 2009 — The same DDOS attacks move to South Korean servers, including the Ministry of Defense and the presidential Blue House, increasing the baseless theorizing that North Korea must be behind it.
8 July 2009 — Widespread coverage in Wired magazine and elsewhere reports that the DDOS seems to have been run by a sloppy hacker using five-year-old worm code.
10 July 2009 — Typically clueless U.S. legislator Peter Hoekstra of Michigan insists that the U.S. should conduct a "show of force or strength" against North Korea for its supposed role.
Lesson: Many legislators are idiots.
See Bruce Schneier's calm analysis that this is nothing new, just "kids playing politics".
U.S.A. Power Grid Panic
Yes, Russia has intruded into the U.S. power grid, but before that there were several years of silliness.
Dark Reading reported that after a million-dollar study by the Federal Energy Regulatory Commission in 2013, using confidential and private information, a group of researchers decided to research a related question in 2015. Spending just $15,000 for 250 man-hours, they investigated what a small group of domestic terrorists could discover about the most critical U.S. power substations.
Meanwhile, news-reader and interviewer Ted Koppel wrote a rather silly book capitalizing on the worry over the power grid. It's an entire book about how hackers will take down the power grid, but he didn't bother talking to any information security experts.