Decade-Old Espionage Malware Found Targeting Government Computers

alancronin writes "Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe. TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as 'secret' from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed 'Hungarian high-profile governmental victim.'"

How many of these could be out there?

[dunkmark]

It is possible that any number of threats could be out in the wild. How would we really know?

Re:

[Anonymous Coward]

How would we really know?

Which part of "Microsoft product" did you not understand?

Re:

[poofmeisterp]

It is possible that any number of threats could be out in the wild.

How would we really know?

Apparently the same way the governmental bodies did. Wait. LOL

Re:

[Medievalist]

I say we take off and nuke the place from orbit.

It's the only way to be sure.

decade long op!?

[TaoPhoenix]

That's rather disturbing - that the best defense that money can buy failed to pick up a spy op for an entire decade!! I don't even know what to make of this news. Do you SysAdmin types out there have some input? Wouldn't you have noticed suspicious activity *sometime* sooner than a decade?

Re:decade long op!?

[erroneus]

Suspiscious based on what criteria?

1. We aren't allowed to use open source and so we have to "trust" every 'signed binary' which executives and leaders want to use. If we could use open source, we could at least read the source and even compile it to ensure the source we read was the binary which was compiled.

2. When the malware doesn't do "harm" to anything, the symtoms of malware are non-existant. No pop-up ads, no unusual crashing (see note about being unable to use open source... the 'other' operaitng system crashes often enough for inexplicable reasons that no one suspects malware as the cause any longer) and when a commonly used utility program which performs remote access is used, how can it be detected as malware?

Arguably, that it was proprietary and commercial software which was exploited is pretty disturbing. But at the same time, that software makers (and other device and product makers, and service providers too) frequently enter into deals with government to spy on people is unfortunately very common. That the "white-hat" (heh, I accidentally typed "white-hate"... apropos?) nation called the USA has compromised global communications with Echelon and more recently with the much celebrated NSA wiretapping, does not help matters.

I think no one appreciates the value of trust. Once it's lost, it's lost. What amount of trust in government... any government... may have existed, it is gone for most of us. The unenlightened? Well... they still watch MSM (mainstream media, I have come to know these initials). What hope have they against that?

Re:

[Anonymous Coward]

the 'other' operaitng system crashes often enough for inexplicable reasons that no one suspects malware as the cause any longer)

- would like to know what OS is this, cause my windows 7 install is rock-solid since I installed it on 2011...

Re:

[Anonymous Coward]

The 90s called,

Did you warn them? [xkcd.com]

Re:

[Anonymous Coward]

The initial argument was invalid. Just because something does not crash means absolutely nothing security-wise. HP-UX was long considered a "rock-solid" operating system until sombody discovered you could crash entire HPUX servers by sending an "oversized" ping packet from a random Windows machine.

Stuxnet was possible because Windows security is abysmal.

Re:

[Bigbutt]

I currently have a pair of nVidia 560's driving 4 monitors which have a video driver not responding issue pretty regularly and the system gets lost periodically (spinning cursor and can't get to the other monitors). Occasionally I'll come back and find the system has rebooted for no apparent reason.

Prior to that, I had a pair of AMD 4xxx (4870? don't remember for sure now) cards also driving the 4 monitors. During boot, the system would blue screen on the ati driver pretty much every time I turned on the sy

Re:decade long op!?

[erroneus]

I'll respond to this but not to the others.

That YOUR instance works great is fine. My instance also works flawlessly. The problem is often blamed on "third party software." Great. While the actual cause may actually be third party software as is demonstrable by the removal of (or omission of in a system reload) that doesn't escape the fact that the OS itself is vulnerable to 3rd party software crashing the OS. This is a kind of important rule of a good OS not to be vulnerable to 3rd party software causing it to crash.

And here's a great example of what I mean: In the past, I have had my laptop running Linux fail. The video chip failed. But I had applications and processes running in the background which I didn't want interrupted. So what did I do?

I was able to SSH into the machine which was STILL RUNNING despite the fact that the video was completely out. I was able to monitor the progress of the software and shut it down without problem, then shut down the computer as well. I was hoping it was some sort of [proprietary] software glitch in the driver, but alas, the video chip had died and I could get no video from the display or from the VGA port. The machine had to be replaced.

Now I ask you this. If this were Windows, would a video driver failure, especially one which started as a hardware failure, do you think the machine would have continued running or do you think the whole machine would have been taken down with it? (Rhetorical question, we all know the answer.) So now I point out that if other OSes can withstand hardware failures by crashing only the affected components (in this case, my X session was killed and the applications running under X also killed) why doesn't Windows? And if the OS on common PC hardware is capable of this level of resilience, why is Windows not? I get that speed and power and blah-blah-blah are imporant... on DESKTOP machines. But the problem is that Microsoft took a desktop OS and uses it as a server OS. Arguably, you can say that's not true -- the NT kernel was intended to be used for servers and stuff like that. Okay great. It still falls short. Drivers live in ring-0 and they don't (all) need to be running there.

I have argued this point numerous times with the same failing arguments presented. At the end of the day x86 hardware, when running a properly engineered OS, can compartmentalize all peripheral devices to the point that a crash on any given controller or whatever, will not crash the whole OS. I have experienced this often enough in Linux to know this works nicely. (I once had a vmware guest running Linux and had the storage fail... the damned thing kept running and when I SSH'd into the machine, it showed me HDD controller failures and stuff. It was pretty awesome.) So once again, WHY NOT WINDOWS?! Why can 3rd party software, whether they are drivers or applications, crash the damned OS?!

Re:

[endus]

Because there's not really a great financial incentive to make the changes. The OS works well enough for what it is. The OS works well enough to garner pretty good market share. It could be better, but its pretty stable...stable enough to do its job.

It all comes down to money in the end.

Re:

[erroneus]

interesting you think their market share is due to sufficient quality.

Re:

[endus]

Not really. Your implication is that your opinion on the matter trumps what companies spending millions and millions of dollars believe is valuable.

Most enterprises run both Windows and open source operating systems these days. They do this because each is better suited to different tasks, not because of some ideological crusade.

Re:

[erroneus]

Microsoft is a convicted monopolist. It was shown not only that they abused their monopoly position, but pulled numerous tricks to get there. You are either new to IT or you've been smoking something. Everyone should know Microsoft's history by now.

Re:

[endus]

You're obviously very young or have worked for smaller companies, which is why you think that their status as "convicted monopolist" makes any difference to anyone. If their products didn't fill a need which there was not a better product available to fill, trust me, they wouldn't retain the business they do.

No one cares about ideology or even ethics. What they care about is making money. Windows fits into some big but very specific niches, and it performs that role extremely well. That's why it's still

Re:

[whoever57]

You're obviously very young or have worked for smaller companies, which is why you think that their status as "convicted monopolist" makes any difference to anyone. If their products didn't fill a need which there was not a better product available to fill, trust me, they wouldn't retain the business they do.

And you don't understand the concept of monopoly abuse. There were few "better products" because Microsoft used its monopoly power to suppress them. Microsoft did not make products that were better th

Re:

[endus]

And you don't understand the concept of monopoly abuse. There were few "better products" because Microsoft used its monopoly power to suppress them. Microsoft did not make products that were better than the competition, instead, they used illegal means to prevent the competition from developing and releasing competing products.

So, go make a better product then.

I saw a fair number of products in process that may have provided a better experience in particular areas, but none that seemed to have the same goals as Windows had in mind. OS X is a pretty good example on the desktop. In some contexts it is a better product, but it's not enterprise focused.

We can cry foul all day, but that's the way life goes. Move forward.

Re:Do YOU mean "this other operating system"?

[myowntrueself]

Please, just cut to the chase and tell us how MyCleanPC will fix everything for us.

Re:

[endus]

1.) You aren't allowed to use open source software because there's often no support or "community" support for it. With closed source products you can also require the company selling the software to have an independent code review done and (depending on your clout) provide some version of the results to you for review. If you could use open source, you would cost an enormous amount of money doing code review on someone else's code. No one wants to spend the money to do this, because it would only preven

Re:

[endus]

My response is that of an engineer who has run into multiple instances where open source software was tried in enterprise scale implementations and there were serious issues which we were not able to get a resolution for. Posting a message about performance problems with an agent running on domain controllers for an 80,000 node network and hoping that someone will eventually get around to fixing it is not what most companies consider, "support". They are looking for someone's feet to hold to the fire. No

Re:

[SuricouRaven]

They probably used a patched version that doesn't put the icon there.

Poland?

[Jacek Poplawski]

Is this country Poland?

A strong push for open source in government

[Morgaine]

I suspect that as more malware and backdoors are discovered in systems used by government, the penny will begin to drop more frequently. Closed source is incompatible with security, by definition, since you cannot validly trust what you cannot see.

Companies have the luxury to risk their security by placing their trust in a corporation and in closed source brands, and to pay the price of failure. But governments do not have this luxury, because failure compromises the security and sovereignty of a nation.

T

Re:

[Anonymous Coward]

I suspect that as more malware and backdoors are discovered in systems used by government, the penny will begin to drop more frequently. Closed source is incompatible with security, by definition, since you cannot validly trust what you cannot see

Bullshit. Open or closed source has no direct bearing on the ability of an attacker to infect a binary. Open source provides more eyes on a given bug or problem, but once compiled and running its the exact same problem.
The article mentions use of a modified signed binary. So tell me how open source is going to remedy that? Unless you're recompiling from scratch (your entire tool chain, plus dependencies) on each launch, you're just as fucked as the next guy. Are you going to checksum the binary in memory ea

Re:

[Anonymous Coward]

The fact it's open source IS (or can be) the pathway. If it's a small piece of software that does a specific function that's not of use to many people, your million eyeballs shrink rapidly. And what you're left with (IMO) is a handful of eyeballs thinking "I don't have the time/skills for this, it's open source, I'm sure someone will have looked over it" while no one actually does. Or someone auditing the code but not the stuff around it, or maybe the code as distributed is clean and will compile into a cle

Re:

[Anonymous Coward]

We're talking binaries here. A running binary is a running binary, no matter the philosophy behind creating it

All binaries are not created equal. A binary made from open source code cannot have direct support for a deliberate backdoor nor blatantly obvious security holes because they would show up...

You're assuming that anyone bothers to look for vulnerabilities in the source. This is only guarantied to be true if you do so yourself (and have the skills to do it effectively).

In the real world this means "open source is more secure" is as useless an attitude as "security through obscurity".

Re:

[jader3rd]

With open source you can check for the existence of such pathways, easily.

Your statement kind of assumes that every little shop can afford someone so deeply intimate with C++, and every known security hole that it is "easy" for them to check. It is certainly not easy for the vast majority of places to crack open the source code and go "oh look, a hole!".

Re:

[Anonymous Coward]

Your reasoning is based on the implicit assumption that governments have information security as their highest priority. I can tell you that MONEY trumps all of that. Commericalware plus commercial firewalls and other "security solutions" entail more money, more scope for kickbacks to uniformed and civil politicians.

That's why your reasoning is entirely faulty.

Re:

[endus]

Most companies don't have the resources to do really good code review on their own software, much less on every piece of software that comes in the door. The government has (unfortunately) many more resources, and they also have the clout to get source code or request independent code reviews on software which they buy. Actually, independent code reviews and penetration testing are becoming a part of most customer contracts now anyway, even between two regular businesses.

Support. That's why companies and

Windows only ...

[dgharmon]

"The attackers relied on a variety of methods, including the use of a digitally signed version of TeamViewer that has been modified through a technique known as "DLL hijacking" to spy on targets in real-time." link [arstechnica.com]