Thursday, May 31, 2012

Flame, Russia and the ITU: A Geopolitical Agenda?

Both the ITU and the Russian government have been united in their interest to secure a global cyber warfare treaty since at least 2010. In recent weeks, Evgeniy (Eugene) Kaspersky has been increasing his rhetoric regarding a future cyber catastrophe and most recently his company was chosen by the ITU to investigate the Flame attack. That attack prompted today's press release by the ITU calling for "greater international collaboration" on cyber security matters at their upcoming conference in Dubai; a conference sponsored by Kaspersky Labs and where CEO Kaspersky will deliver the keynote:
Cybersecurity will be a major agenda theme at ITU Telecom World 2012 (Dubai, 14-18 October 2012), supported by key partners, one of whom is Kaspersky Lab. This agenda will explore issues such as mitigating risks posed by major coordinated cyber-attacks at the national level, the threats posed by malware such as Flame, and strengthening international cooperation. Kaspersky Lab CEO Eugene Kaspersky will deliver a Visionary Keynote speech at the event, outlining the magnitude and global nature of cyberthreats today.
The Russian government has long been an advocate of an Information Warfare treaty limiting the use of cyber weapons and other acts of IW because it serves the interests of the Russian government (which has other means of conducting IW) while restricting cyber weapons development in the West. An excellent overview of the ramifications of such a treaty is Tom Gjelten's "Shadow Wars: Debating Cyber Disarmament".

Evgeniy Kaspersky, Kaspersky Labs, and the Russian Security Service

In November 2009, the Duma Committee on Security met on "the legislative, organizational and technical security aspects of the national info-communications infrastructure." The meeting included the Experts Council and several additional experts. The invited experts were primarily senior government officials (including two from the FSB), with two from industry. One was the President of MFI-Soft, the company that provides internet intercept systems to the FSB ISC, and the other was Evgeniy Kaspersky, Director of JSC Kaspersky Labs.

The President of MFI-Soft, Alexander Ivanov, is a former senior military communications officer. MFI-Soft's bread and butter is lawful intercept systems, including SORM-1, SORM-2, and SORM-3. MFI-Soft holds numerous licenses from the FSB and FSTEC for work on state secret information and encryption systems. JSC Kaspersky Labs does as well. While the Duma Security Committee did not post the meeting's minutes, both companies are now involved in pushing Russian standards for the Commonwealth of Independent States (CIS).

Kaspersky Labs holds numerous security clearances authorizing work on projects involving state secret information (the current list is posted at ). The FSB only licenses two antivirus companies for work with state secret information: JSC Kaspersky Labs and Dr. Web. The licensing requirements effectively give JSC Kaspersky Labs and Dr. Web a monopoly on the Russian market, since the IT market is dominated by the Russian Government and large industry closely aligned with the government. Indeed, in 2009, the Russian Federal Antimonopoly Service (FAS) initiated proceedings against Kaspersky for possible violations of Russian antitrust laws, but no action appears to have been taken. Russian government tenders posted at frequently specify JSC Kaspersky Labs products as required based on their FSB/FSTEC licenses. The licenses are almost certainly critical to Kaspersky's future. According to Interfax, Kaspersky sales totaled $538 million in 2010 (the last year for which full data is available). However, the revenue breakdown was stated in such a way that it is impossible to identify specific sources.

Kaspersky's elevation of Flame to a status that it doesn't deserve (a "highly sophisticated cyber weapon") takes on a new meaning when you examine the close relationship between Kaspersky Labs and the Russian government, along with their relationship with the ITU and their parallel interests in promoting international cyber security agreements and cyber warfare treaties. Is Flame a means to a geopolitical end that favors those players' interests? I think it is.

"Kaspersky's Problematic Flame Analysis"

Monday, May 28, 2012

Kaspersky's Problematic "Flame" Analysis

Countries infected by Flame (SecureList 28MAY12)
I'm beginning to wonder what's going on over at Kaspersky Labs. Eugene Kaspersky has begun sounding like Richard Clarke with his warning about mega-cyber disasters during his keynote address at the AUSCERT IT security conference. Then there's his repeating of the Russian government mantra that a cyber weapons treaty is needed (it's not). Now Kaspersky Labs has called a virus whose only purpose is to steal data a "cyber weapon". Come on, guys. You've done some terrific research in the past with Duqu. Now, all of a sudden, it seems like you've become evangelists for a Russian government strategy to raise the stakes in cyber war rhetoric. Espionage is not warfare and never has been. Hence a tool created solely to conduct cyber espionage cannot also be legitimately called a cyber weapon.

You've also wrongly simplified the scope of cyber actors out there to three when it has never been that cut and dried:
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group.
You've conveniently failed to mention an important fourth category: mercenary hacker crews - principally from Russia and the Commonwealth of Independent States - who steal IP and sell it to both corporations and governments. Crews that would love a tool like Flame and who, in my opinion, are the most likely actors involved in using such a tool. If you'd be forthcoming with more information - such as Flame's Command and Control server URLs - a lot more could be learned about who may be behind this virus.

UPDATE (31 MAY 2012): See my related article "Flame, Russia and the ITU: A Geopolitical Agenda?"

Wednesday, May 23, 2012

Who Will You Meet At Suits and Spooks LA?

The most exciting part of a Suits and Spooks anti-conference isn't listening to our accomplished and fascinating speakers. It's meeting the other attendees. At last February's DC event, attendees included the founder of Greenpeace and an individual who was almost killed by a Russian assassin involved in the Alexander Litvinenko poisoning. In Los Angeles, attendees will include a career Mossad agent, a C-level executive from a major studio, a hacker who used to work for the IDF, and the creator of numerous "spy" TV shows and movies. Since attendance is usually less than 100 people, you get to spend a lot of time interacting not only with some truly fascinating people but with the speakers as well, including retired Navy SEAL Rob DuBois; George Clooney and John Prendergast's Satellite Sentinel Project spokesman Jonathan Hutson; former FBI SSA Jason Smolanoff; China expert Matt Brazil; two former CIA intelligence officers, Lisa Chambers and Nada Bakos; Doug Wilson of Mandiant; and Jim Hake, the founder and CEO of Spirit of America. You'll also enjoy a lunch prepared by the Bel Air Bay Club chef in a beautiful space overlooking the Pacific Ocean; definitely NOT conference cuisine.

Don't miss out or wind up paying more because you didn't get your registration in on time. The early bird discount for our Los Angeles event ends on June 1st, so get your registration in early and be a part of a truly unique security event.

Wednesday, May 16, 2012

China's Intelligence Apparatus: Implications for Foreign Firms

While I've been quite vocal about my views on both the wrongness and potential blowback of blaming China for every breach committed against U.S. companies and Western governments, it's important to understand the precise role that the Chinese intelligence services play in the interception of valuable IP through network attacks, industrial espionage, and other methods both within its borders and around the world.

To that end, I've asked Taia Global's newest China Security analyst, Matt Brazil, to write a white paper on this topic. Before joining Taia Global, Matt was a commercial officer at the U.S. embassy in Beijing. Matt has done a terrific job with this paper and I'm proud to offer it for general distribution to those companies who do business in China and want solid, hype-free data on the threat landscape. Questions or comments are welcome via email. Firms interested in Taia Global's services may contact us at 855-777-TAIA (8242).

Matt Brazil will be speaking at Suits and Spooks LA on the subject "Protecting IP By Cultivating Employee Loyalty in China". Space is limited and the early bird rate will expire on May 31.

Monday, May 14, 2012

Announcing Project Grey Goose - Operation Poachers

I'm pleased to announce that the fourth Project Grey Goose investigation, commencing today, will target the very serious problem of domestic and international poaching of endangered species. I founded Project Grey Goose in August 2008 as an experiment in crowd-sourcing an Open Source Intelligence (OSINT) effort whose goal was to investigate possible Russian government connections to the cyber attacks against Georgian government websites during the Russia-Georgia war. Rather than focusing on hackers, this project will focus on criminals who are viciously taking the lives of rare and beautiful animals for body parts and profit, i.e. poachers. The problem is vast and growing, and it's my sincere hope that Project Grey Goose's unique international collaborative approach to OSINT will make an impact.

I'm particularly happy to announce that my co-manager for this project is Nada Bakos, a former CIA intelligence analyst and targeting officer. I can't imagine a more qualified person to help lead this effort than Nada and I'm excited to have her aboard to help this mission succeed.

If you have a passion for helping animals and doing something about the people that harm them, please contact me via email. Include a link to your LinkedIn profile or a recent copy of your CV. Internationally-based volunteers are welcome. Our first report will be issued in 45 days at the Suits and Spooks LA anti-conference. Follow us on Twitter (@ProjGreyGoose).