The Pentagon Is Publishing Foreign Nation-State Malware

This is a new thing:

The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that's used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape.

This feels like an example of the US's new strategy of actively harassing foreign government actors. By making their malware public, the US is forcing them to continually find and use new vulnerabilities.

EDITED TO ADD (11/13): This is another good article. And here is some background on the malware.

Posted on November 9, 2018 at 1:52 PM • 36 Comments


Peter S. ShenkinNovember 9, 2018 2:21 PM

Well, it could also, in part, be a strategy to mislead other countries into believing that we don't know about the malware that we don't upload.

Marco SchwierNovember 9, 2018 3:05 PM

Despite any intelligence mischief that is intend along the way, malware made public is good for it enhances the overall security.
Even if there is still a lot of it around.

HiTechHiTouchNovember 9, 2018 3:07 PM

Perhaps the policy battle of true secure systems vs hackable systems is starting another round. The powers-that-be might be shifting to where it's better that we (and indirectly everyone else) be harder to attack at the expense of easy access to the opposition.

Hardening everyone's system is goodness by getting the exploits out and fixed, even if it makes gathering information from the opposition a job harder.

And while ceding exploit disclosure, I suspect they are still keeping a few, just in case...

But I actually expect this just means that the super-sleuths believe control of the world's communications links gives them a big enough wedge to find out what they want to know without have to start by first powning an enemy system.

AndersNovember 9, 2018 3:51 PM

This is a two fold thing - govt APT uses lot of non-public tricks and vulnerabilities, developing and discovering them takes lot of time and effort, something that is out of reach for ordinary cyber crime industry. If all that lands on the hands of cybercriminals readily and easily, it helps them develop more devastating malware with tremendous ease. Remember how lethal was WannaCry and NotPetya with leaked EternalBlue exploit?

Those govt APT samples will be debugged to the latest bit ASAP and then next gen banking trojans will have all those goodies implemented.

GrauhutNovember 9, 2018 4:08 PM

@Peter S. Shenkin: Could also be a "i want to see" game. Maybe they want to know what others know and post as "retaliation"...

At least we will see a nice poker game and get some new yara rules.

Mike Hilton-BluesNovember 9, 2018 4:31 PM

> US's new strategy

Was the old strategy:
Don't let them know that we know.

zNovember 9, 2018 6:42 PM

The Feds are not exposing the Feds deep dark secret tricks but rather what the Feds know the Opposition knows & is using!

The choice is, the Feds keep quite & use what the opposition knows & is already using at the pubic's expense, or the Feds expose what the opposition knows, which then gets fixed, and the opposition is forced to resort to deeper secret tricks they'ed rather not risk exposing quite so soon.

All told, well done Feds! Way to go!

PhaeteNovember 9, 2018 10:42 PM

If this leads to the discovery and subsequent patching of zero day vulnerabilities it would be a good move for the public.

My guess is that they only release the malware using known vulnerabilities and keep the zero day ones internally for (re)use.

NameNovember 10, 2018 2:31 AM

Virustotal updates over time the list of antivirus software detecting each samples. Is there anywhere one could see the results of the very first scan, i.e. when the sample is first published?

It would be interesting to see if and which one of the commercial vendors may be consistently ahead of the game. Or a tleast who is the fastest reacting.

NameNovember 10, 2018 2:58 AM

Well I can answer myself - the Virustotal FAQ says that a private API key gives access to 'All reports on a given sample or URL, not only the most recent one', 'The service is designed as a volume stepped flat rate model' and ' If you are interested in the private API do not hesitate to contact us'.

I would be nice if someone with access to the private API compiled and published stats of which vendor if any detects these US-released samples upon release.

Denton ScratchNovember 10, 2018 7:51 AM

@Phaete "My guess is that they only release the malware using known vulnerabilities and keep the zero day ones internally for (re)use."

Surely a "zero-day" is a vulnerability that has not been published, and has not yet surfaced as an exploit in the wild - a previously-unknown vulnerability. If the USG has detected samples of malware built by APTs and foreign governments, then those can't be zero-days. Unless the USG exfiltrated them directly from hostile malware labs... that's a possibility, I guess. USG penetrates foreign malware lab, steals malware, publishes it. => Malware is rendered useless.

I suppose you could argue that the USG is an APT itself; but I didn't read it as the USG publishing their own malware.

I'd still claim that a "zero-day" is a previously-unknown vulnerability, not a malware sample. If the vulnerability has been used in an exploit to create malware, then it can't be a zero-day.

I know, I know, the intarwebz hates pedants!

GrauhutNovember 10, 2018 8:57 AM

@Denton Scratch: "If the USG has detected samples of malware built by APTs and foreign governments, then those can't be zero-days."

I dont think this definition works well.

A 0day is a 0day until the coders of the hacked software and security firms know about it.

As long as .gov entities treat it as a secret it is still a 0day because it cant be fixed or blocked.

Clive RobinsonNovember 10, 2018 9:29 AM

@ Gerard van Vooren,

What could have gone wrong with (extremely) harassing "the other guys"?

Where would you like me to start ;-)

@ ALL,

The whole cyber-weapons game is like a "who can find a fallen leaf in Autumn" game[1].

As we are finding out year by year, more and more bugs, can with a little thinking, be weaponised.

I would expect not just that trend to continue, but the finding of new bug types with new exploit types to increase.

Thus the whole publish idea is not exactly a new thing...

Look at it this way the likes of stuxnet was discovered because people uploaded code to virus sites like those of Kaspersky et al.

The problem was so much code that the AV companies were always behind the curve.

Ask yourself two questions,

1, In what way is this realy any different?

2, Will it realy make any differance?

The answer to the second is probably "not that much" in the way of improving things, but it could make things one heck of a lot worse as it will make exploit stock piles and blitzkrieg attacks the more likely method of using vulnerabilities...

[1] Something parents do for very very small children who just find fun in running around and giggling. As an adult such games are great if you want to take photos or need a rest.

VRKNovember 10, 2018 12:52 PM

To reiterate Bruce's point, "computer security is really hard".

I would add that paying MORE protection money might be just a malevolent downward spiral: Feeding self-reinforcing mega monster cyber militaries.

Why not spend those dollars on incentivizing better solutions BEFORE release, perhaps in part by leveraging that money with good old, simple consumer focused propaganda?

Initiative will NEVER come from spell-bound voters otherwise, nor then from present governments, for that shift, but rather from the developers' own sheer force of forward thinking.

Surely there is power AND peace in ACTUAL systems integrity.

else: "deeper into darkness, my pretty...".

gordoNovember 10, 2018 1:20 PM

Cyber National Mission Force (CNMF) background:

Jan. 1, 2016 —

[. . .]

USCYBERCOM and its components act to help the joint force operate globally with speed, flexibility, and persistence. USCYBERCOM headquarters focuses on defining and achieving strategic objectives and has delegated operational-level cyber mission areas to three types of headquarters. The first of these is the Cyber National Mission Force (CNMF), which defends the United States and its interests against strategic cyber attacks.

[. . .]

The CNMF is a joint force of military and civilian members from the Army, Marine Corps, Navy, Air Force, Coast Guard, and Intelligence Community. It will comprise 39 teams and nearly 2,000 personnel spread over four locations. The force consists of three types of maneuver elements, each with a unique and specified mission. National Cyber Protection Teams (NCPTs) are defensive elements working within DOD networks and, when authorized, outside DOD networks, identifying and mitigating vulnerabilities, assessing threat presence and activities, and responding to adversary actions. National Mission Teams are maneuver elements conducting on-network operations in neutral and adversary territory, looking for indications and warning of adversary cyber activities, and enabling cyber effects when authorized and directed. National Support Teams are analytic elements providing planning, development, and technical support to National CPTs and Mission Teams. The creation of teams with distinct, mutually reinforcing missions presents commanders with forces capable of confronting and defeating a growing and creative series of threats.

[. . .]

The CNMF plans, directs, and synchronizes full-spectrum cyberspace operations to be prepared to defend the U.S. homeland and vital interests from disruptive or destructive cyber attacks of significant consequence. Headquartered at Fort Meade, Maryland, it has forces in Georgia, Texas, and Hawaii, and engages with partners around the world. It synchronizes efforts across disparate time zones and optimizes the balance between on-site and remote operations to achieve lasting effects. The success of the CNMF mission relies on establishing and nurturing partnerships, including relationships with the NSA, DOD, and Intelligence Community, to widen its awareness and capacity to deliver effects. The CNMF is strengthening partnerships with DHS and FBI to enable future operational success and expanding its partnerships to include other Federal agencies, industry, academia, and the international sphere.



Somewhat off-topic, but for clarity of definition, context, etc., e.g., "cyber effects" and "domaine réservé", see also, respectively:

Sancho_PNovember 10, 2018 5:49 PM

To praise the move one has to believe in sample-based antivirus software.
But as we know from TV, fingerprints are interesting only after the crime.
This is a marketing gag from the AV industry: Buy me or die.

Having spent years investigating malfunction to prevent further harm I’d prefer a strategical approach.
Not the existence of a certain malware, but the structure, the mechanism and the used loopholes, together with appropriate countermeasures, will improve systems.
Same goes for data breaches. We learn they happen, but never exactly how and what could be improved to prevent the same at other premises.

Don’t use bandaids.
Find the structure, stop it.

However, that would hamper “the good ones” and benefit us, the (criminal) public.

mrpuckNovember 10, 2018 6:22 PM

This sounds great that the USG is opening the kimono (a little). Hopefully AV/Malware detection engines will get better and software vendors might even fix their products. None of this really matter unless the end users actually patch their systems. I'm not holding my breath.

Men in BlackNovember 10, 2018 7:02 PM

By making their malware public, the US is forcing them to continually find and use new vulnerabilities.

The U.S. team is simply upping the ante. We're playing for bigger stakes now. It's Kristallnacht, those flimsy glass-and-steel commercial doors are broken in pieces, there is shrapnel everywhere, and all the inventory has been looted.

Clive RobinsonNovember 11, 2018 2:26 AM

@ gordo, ALL,

Some background on the malware:

What the article does not say is that the history of the mechanism being used goes back atleast as far as the Apple ][ which is over four decades ago...

Back then Flash memory was not a known quantity let alone in commercial use. It was Diode PROMs early UV erasable ROMS and early DRAM...

Thus the Apple ][ with it's multiple I/O slots had a problem of running driver code from early power up. The solution was to put code in the BIOS that looked for "Device ROMs" which it then included in the BIOS untill power down or other full reset. Thus loading the Apple Disk OS or Pcode file system was "on top", giving the Device ROM a high level of permanence.

IBM filched the idea for it's "Skunk works desktop computer" project. Which has given us the basic hardware structure we still have. Thus BIOS code even today still supports the Device ROM as does most OS's. Thus UEFI still supports the mechanism giving the potential of a significant backdoor into any PC... I have the design of a serial port card with device ROM that supports a protocol similar but slightly different to the Hayes AT modem that switches you in to a hardware monitor, I designed it to be used as a hardware debugging device. But if you take a moment to think about it, it makes an ultimate ROOT kit. That amongst other things allows you with a bit of skill to bypass code signing protections etc. I designed it what feels like an eternity ago and it uses the ISA bus so is not of much use these days but moving it to PCI would not be that difficult. Alternatively you can look up how to do the same sort of thing with JTAG.

This Device ROM protocol would not be an external security risk if it was not for the use of Flash ROM without physical "write protect" mechanisms...

Now any F-ROM in the memory map range the BIOS/OS expects Device ROM code to be, is a potential "harbinger of doom" of near totally persistent malware...

Various of the older "Usuall Suspects" have been waving a big red flag about it for years. I pointed out that it was the best mechanism to do a BadBIOS with, then surprise surprise it started to be used for malware. The Lenovo persistant crapware it put in it's consumer grade laptops used the Device ROM mechanism.

The mechanism has also been used by "Security Software" as the article notes. Thus with just a few "bit flips" good is reversed to bad, proving the point about technology is agnostic to use, and that it's the intent of the directing mind that makes the choice...

Which on "Remembrance Day" 100 years after the World War One Armistice, brings me back ironically to the point that in the tech industry we appear to forget in just a handfull of years, and well within living memory... Thus we are like generals that use the same old strategy over and over, not realising it's now a loosing proposition which has high needless costs.

GrauhutNovember 11, 2018 4:38 AM

@Clive "Thus we are like generals that use the same old strategy over and over, not realising it's now a loosing proposition which has high needless costs."

The biggest problem is that all our real time supply chain management systems are based on these broken designs. A reform without risking to break these is nearly impossible to plan and manage because of the complexity.

debug g=c800:5 is not an option. ;)

Bauke Jan DoumaNovember 11, 2018 7:47 AM

Oh -- and this can only have some semblance of 'completeness' if the source code to all the foreign software I use would be published.

Foreign in my case among them being the US.

Not gonna happen. This is just PR folks.

Nombre No Importane'November 12, 2018 7:23 AM

Lets assume the US Government can't prove Shadow Brokers are a specific government or government related sock puppet.

They are pissed. So since they can't finger one actor. They dox all actors apt's.

Seems like typical "F ALL of you" mentality the agencies share.

C U AnonNovember 12, 2018 8:32 AM

@Nombre No Importane':

Seems like typical "F ALL of you" mentality the agencies share.
Kind of what you expect from a bully when they are held up as being impotent. Kinda goes with the times these days in thr land of Uncle Sam.

RG-2November 13, 2018 5:56 AM

OK Google, why was your web traffic hijacked and routed through China, Russia today?[0]

Google Defenseless Against Massive China and Russia Cyber War-Games[1]

Phase One: Doris Gets Her Oats

2025 Goal
Using 9-9-6 Developed AI, Become Acquainted with Your Opponents Infrastructure Data Flows

Work collaboratively, press the RECORD button and slurp up all opponent data sample. Send first to Russia then China.
Work furiously (9-9-6) to gain insight on your advisories real-time cloud dependencies and data-flows
Preform data-reduction, create selectors, AI analysis and refine social and infrastructure control algorithms

Compare AI Results
Compare notes and findings
Collaborative working groups including standardizing data sharing interfaces
compare notes and make Phase 2 recommendations

Long- term Cyber Goals
Seize Control of Unprotected Cloud Facilities and Open Internet to gain control of the economy, government and military
Continue tariffs to fund effort

[0] Not reported in American Press. Why? (just another simple mistake guys)
[1] Alternate Title: Googles Dream to Enter the Chinese Market Fulfilled[2]
[2] AI is already being used to gain control of all enemies foreign and domestic[3]
[3] Why is American big-data being excluded from China/Russia AI Weapons Development?[4]
[4] Putin stated Those with the best AI Will Control the World[5]
[5] A house divided against itself, cannot stand[6]
[7] Don’t forget to Take Your Drugs
[8] Good Night!

Clive RobinsonNovember 13, 2018 6:21 AM

@ DSF,

Published nation-state malware is just as useful as a burnt spy.

If only that were true...

But sadly very many people neither patch or update AV software. So in fact releasing such exploits could give attackers short windows of opportunity they might not have had.

We saw this with the US IC leaked hacking tools, where the UK's NHS amongst others got badly hit by what appeared to be inept ransomware...

vas pupNovember 16, 2018 12:06 PM

Harassment as universal tool, but Russians did not get plea bargain in their tool set yet:

Russia 'sought access to UK visa issuing system':

"While working for the company in China, Vadim got married and when he was posted back to Moscow in late 2015 he encountered problems in getting his family back with him.

He believes that along with the harassment of other members of his family in Russia, this was part of a ploy by the Russian Security Service - the FSB - to try to get him to collaborate with them.

In April 2016 he said he was approached by someone who offered to make the problems go away. He was asked to co-operate with the FSB and signed a document indicating that. He says the individual said they wanted information on the operations and IT network of TLScontact including a "network map".

Vadim claims he complied with requests and soon after noticed intrusions into the IT system. Further meetings and requests followed. Vadim claims he then made a series of attempts to leave Russia but was stopped and warned."

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.