Beware Greeks Bearing Gifts — and ‘Western’ Operatives Bearing the ‘Regin’ Trojan


How notable that the genius of Odysseus’ Trojan Horse has lent its name perfectly to the modern “backdoor trojan.”  With this subtle tool in its back pocket, a nation’s hacker unit can infiltrate and neutralize a target with little risk to itself.  With well-placed uploads and the proper patience, governments may achieve their military objectives with little more than a few keystrokes.

The classic example is Stuxnet.  Transmitted to Iran’s Natanz nuclear facility via a humble thumb drive, the worm, allegedly a joint U.S.–Israeli project, made history by sabotaging roughly a fifth of Iran’s nuclear centrifuges.  The worm opened up a new dimension in cyber-warfare:  unlike the blunt-force DDoS attacks perpetrated by Russia in its war with Georgia in 2008, Stuxnet was built for long-term infiltration; it could stay undetected for long periods, lying in wait until the most opportune moment to strike.

It was certain, even then, that Stuxnet was not a one-off.  And now a new back-door remote access trojan has come to light.  According to tech giant Symantec, the advanced piece of malware, known as Regin, is likely the tool of a western government which has used it in systematic spying campaigns against a range of international targets since at least 2008.  The report’s description of the five-stage trojan is ominous:

Regin is a highly-complex threat which has been used for large-scale data collection or intelligence gathering campaigns. The development and operation of this threat would have required a significant investment of time and resources. Threats of this nature are rare and are only comparable to the Stuxnet/Duqu family of malware . . . Many components of Regin have still gone undiscovered and additional functionality and versions may exist.

To date, Symantec has discovered about 100 infections involving the malware.  As reported by Reuters, Russia and Saudi Arabia accounted for about half of Regin’s confirmed infections; other countries targeted included Mexico, Ireland, India, Iran, Afghanistan, Belgium, Austria, and Pakistan.

From an international law standpoint, the quandary is that any attempt to classify the Regin trojan as either a ‘cyber-attack’ or, perhaps, an example of ‘cyber-espionage’ runs into the ever-present issue of attribution in cyberspace.  Rule 22 of the Tallinn Manual attempts to codify the standard for approaching this problem.  Under Rule 22, “An international armed conflict exists” only when “there are hostilities, which may include or be limited to cyber operations, occurring between two or more States.”  Note 14 following Rule 22 reports that with Stuxnet,

[c]haracterization was . . . complicated by the fact that questions remain as to whether the Stuxnet operation was conducted by a State or by individuals whose conduct is attributable to a State for the purposes of finding an international armed conflict.

Thus, with Regin, whose operations are perpetrated by an “unknown western government,” the hero Odysseus may yet again have the last word.  Before blinding the giant cyclops Polyphemos, Odysseus introduced himself to the monster as “Outis,” meaning “No-man” in Greek.  When the blinded cyclops left his cave screaming in agony, and calling to his friends for help, he cried out “No-man is killing me by fraud! No-man is killing me by force!”  His friends mocked him, saying “if no man is attacking you, you must be ill . . .”  In the ensuing confusion, Odysseus and his crew slipped away unscathed.

By way of analogy, the modern cyber-war creates a similar opportunity for governments following in Odysseus’ footsteps:  where no clear evidentiary trail exists to the government perpetrating the cyber-attack, crafty states may act behind shadowy programs such as Stuxnet and Regin, gaining intelligence and executing their cyber-operations with impunity.

What tools should the international community employ to bring state actors conducting cyber-attacks out from the shadows?  Share your thoughts in the comments below.


Related Readings:

David E. Sanger, Obama Order Sped Up Wave of Cyberattacks Against Iran, New York Times (June 1, 2012), available at http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=1&_r=3&hp&.

William J. Broad, John Markoff, David E. Sanger, Israeli Test on Worm Called Crucial in Iran Nuclear Delay, New York Times (Jan. 15, 2011), available at http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all.

Tom Espiner, Georgia accuses Russia of coordinated cyberattack, Cnet.com (August 11, 2008), available at http://www.cnet.com/news/georgia-accuses-russia-of-coordinated-cyberattack/.

Symantec Security Response, Regin: Top-tier espionage tool enables stealthy surveillance (2014), available at http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf.

Dan Goodin, Highly advanced backdoor trojan cased high-profile targets for years, Ars Technica (Nov. 23, 2014), available at http://arstechnica.com/security/2014/11/highly-advanced-backdoor-trojan-cased-high-profile-targets-for-years/.

Grant McCool, Computer spying malware uncovered with ‘stealth’ features: Symantec, Reuters (Nov. 23, 2014), available at http://www.reuters.com/article/2014/11/23/us-symantec-malware-regin-idUSKCN0J70SH20141123.

Tallinn Manual on the International Law Applicable to Cyber Warfare § 22 (Michael N. Schmitt, ed. 2013), available at http://nuclearenergy.ir/wp-content/uploads/2013/11/tallinn_manual.pdf.

Homer, The Odyssey, Book IX (c. 800 B.C.E.), available at http://classics.mit.edu/Homer/odyssey.9.ix.html.
