The world's most sophisticated hackers made a surprisingly stupid mistake

In a blockbuster report that will severely increase your paranoia around digital devices, Moscow-based Kaspersky Lab revealed Monday how a group of NSA-affiliated hackers it calls the "Equation Group" have managed to infect thousands of computers around the world with malware and spyware.

These hackers are no amateurs; the cyberweapons they developed are some of the most capable ones ever seen. As the New York Times notes, the malware is particularly impressive in that it embeds itself in the firmware of a computer, meaning that an infected device cannot be treated; it has to be thrown out. Ars Technica described the work by the Equation Group as "superhuman technical feats" that reveal the group's "extraordinary skill, painstaking work, and unlimited resources."

What's interesting then is how these superhackers—who may have been spreading this malware undetected for 14 years—got busted. It involved, in part, ignoring those annoying emails from GoDaddy to re-up their domain registrations.


Kaspersky Lab, which sells security software, first noticed the unfamiliar malware on a computer in the Middle East that it calls the "Magnet of Threats," because it gets infected with every high-level virus that the world's "cyber-warriors" come up with. After the researchers started gathering similar malware that its products detected "in the wild," they looked at how the malware was communicating with those who had created it through "command and control domains." According to the Kaspersky report, the group "uses a vast [command & control] infrastructure that includes more than 300 domains and more than 100 servers… hosted in multiple countries."

As with normal people, when state-sponsored hackers want to create a domain, they have to register a website and pay to rent it for as long as they want to use it. According to Kaspersky Lab, the Equation Group registered all its domains through "Domains by Proxy," an Arizona-based, GoDaddy-owned company that will register a website on your behalf to protect your privacy.

When Kaspersky Lab looked at the hundreds of websites that Equation Group had used, it discovered that the group had let "a couple dozen" domains lapse. (Whoops.) The researchers bought those domains—sites like and and—and made them into "sinkholes," so that malware attempting to communicate with them would instead communicate with Kaspersky Lab's own servers. This would reveal devices that were infected, and what the malware was trying to do.

"The domains expired and became available to anyone," Vitaly Kamluk, Kaspersky Lab's chief malware analyst, said in a phone interview. "Surprisingly, some of the older malware—Fanny, for example, which dated back to 2008—was still connecting to the domain. We got more than 12,000 hits from malware still active in 2015."


Kamluk said it was unclear why the Equation Group abandoned its old domains. "Maybe they didn’t go through the proper shutdown and clean-up procedures," he said. "Usually, professional threat actors don’t operate this way. It was a lucky exception for us. Usually, they clean up all the affected machines or move them all to a different domain."

Such is the risk inherent in a web in which domains are rented, and not bought outright. (Tim Berners-Lee, inventor of the Internet, told Fusion in an interview early this year that he thinks website rental is a bad system.) Kamluk said that letting the website registrations expire was not the group's most critical mistake, as it mostly just revealed what kind of users the group had targeted with malware. He said the more embarrassing mistake was when the group left signatures in the malware that revealed code names—some of which matched operations described in the NSA documents leaked by Edward Snowden—and in one case, the username of one of the hackers, "RMGREE5."


Still, it's a good lesson: renew your domain names, kids. Learn from the failures of the best in the cyber biz.
