How the Operations of State-Sponsored Malware Match the Operations of Human Intelligence Agencies

By Adam Kujawa

Unlike typical, run-of-the-mill malware threats, state-sponsored malware is developed for the purpose of cyber espionage or sabotage; aspects that are -- believe me -- kept in mind at every stage of its inception. Its operations strikingly resemble those of human intelligence agencies rather than those of the traditional malware that steals your passwords; read on for the four main similarities.


1. Heavy target background research versus the 'spray and pray' approach

With most commercial malware out there today, the tactic is usually to spread the malware as far as possible, be it through drive-by exploits or fake advertisements posted on social media. In essence, the goal is to infect as many people as possible. This isn't the case with state-sponsored malware.

When an intelligence organisation wants to run an operation against a certain target, the first thing it does is learn everything it can about them: routines, infrastructure, weak points and possible points of entry are the first data gathered. The same applies to state-sponsored malware. The target is identified and research begins on what the network looks like: who uses it, and is there any available information about those users that might provide an exploit opportunity? This process can take months of preparation, and an early prototype of the malware may be modified to be more effective against that particular target. Historically we have seen state-sponsored malware that spreads via web exploits, USB flash drives and even emails carrying malicious attachments such as PDF files or Word documents, with the method chosen on the basis of prior research into the most effective route in.


2. Complex team efforts

Commercial malware may have one purpose or several, but it usually works alone towards its goal. We do see malware whose only job is to install other malware, but that is where the cooperation ends: once executed, each piece runs on its own. State-sponsored malware almost never works alone. It is usually in direct communication with another piece of malware, or plays a defined role in collecting, disrupting or destroying data, sometimes including the remnants left behind by its sibling components.

When trying to infiltrate and collect data from a target, intelligence agencies will put numerous agents in play, all working as one towards a specific goal. An operation might require one operative who looks for weaknesses in security, another who exploits that weakness, and yet another who cleans up afterwards or secures the area. State-sponsored malware works in the same way, which becomes clear when you look at all the different malware found in the same environment. With Flame or Stuxnet you will notice that each component had its own purpose that contributed to the operation. In the case of Flame, for example, the related Gauss toolkit, built on the same underlying framework, carried out its own narrowly targeted collection, while Flame served as the broader intelligence-collection platform.


3. Moving like a shadow

State-sponsored malware moves quickly and cleans up after itself. This is evident not only from in-depth analysis of samples but also from the fact that, by the time of discovery, the malware had typically already been moving through the network for months. Commercial malware tends to stay in one place, bury itself deep and quietly wait for the right opportunity to steal data, focused solely on the individual victim. That makes it easy to detect and easy to remove, but for a smash-and-grab operation that is acceptable: it is about quantity, not quality.

An intelligence operative would get in and out of a hostile area as fast as they could, for fear of being compromised -- the team would not hide behind a potted plant or under a desk for a month. State-sponsored malware follows the same stealthy pattern: it installs quickly, collects, transfers or stores the data, and moves on to the next target before anyone is the wiser. This behaviour has been found in nearly all state-sponsored malware, and it is evident from the heavily developed functionality for moving through a network using multiple types of transmission media (e.g. the internal network, the internet, USB drives).


4. Closely guided operations

If you have ever wondered whether commercial malware is remotely controlled closely enough that its operators change what it does in response to your own actions, the answer is usually no. Normal malware drops, installs and takes commands from a command and control server that directs hundreds or thousands of other infections on different systems, just like a general telling his troops what to do as a formation. State-sponsored malware is more like a single intelligence operative being given direct instructions on what to do.

Intelligence agencies target specific individuals or organisations with specific data in mind, all while staying under the radar for fear of losing their ability to collect intelligence, or worse. In the same way, state-sponsored malware is never left on autopilot. While it performs the same basic operations as normal malware -- communicating with a remote command and control server, sending and receiving data and commands -- the degree of operator interaction is far greater. Depending on the task at hand, the malware might even be modified to perform different tasks. For example, Flame was modular in design, meaning that modules could be added and removed to perform different tasks or get past certain types of security. Flame itself was anything but small, weighing in at roughly 20 MB with all its modules, but the modular design meant operators could deploy only the components a given target required while still having powerful functionality on call, kind of like Voltron or the Power Rangers Megazord.

The methods discussed here might have changed your perception of state-sponsored malware from the greatest threat known to computers to a special ops team full of James Bonds or even alien-fighting transforming robots. However, no matter how stealthy it may seem, once it has been identified, removing it is as simple as getting rid of a banker trojan installed on your PC; the hard part is finding it in the first place, and making sure its operators have not left another way back in. Malware is nothing more than software, after all.

Adam Kujawa works as Malwarebytes' malware intelligence lead, where he's spent over eight years analysing, teaching and fighting cyber threats. Some might say he puts right what once went wrong.

Spiels From “Them Below” is our new series of columns written by “them below”; the thousands of readers who comment tirelessly, or tirelessly read, Gizmodo UK. Have you got something to lament? Extol? Ponder? Get in touch at kat.hannaford[at], after reading the details here. Disclaimer: Spiels From “Them Below” doesn’t necessarily reflect the opinions of Gizmodo UK or its editors.
