The Dutch and the Dorifel

Unless you happen to live in the Netherlands, chances are that you missed the outbreak of a ‘new’ piece of malware a few weeks ago called Dorifel, also known as XDocCrypt. With over 3000 infections in a matter of hours, of which 90% were systems in the Netherlands, this triggered the Dutch National Cyber Security Center almost instantly. XDocCrypt/Dorifel is a new trojan that encrypts executables, Excel- and Word files that it finds on USB drives and network disks, causing companies to come to a grinding halt almost immediately after infection. Later investigation by Digital Investigations turned up that it also distributes phishing banking websites for ING Bank, ABN AMRO and SNS Bank (all banks with a strong presence in the Netherlands). With such distinctive traits, you would expect that it would be ransomware, but it’s not. It doesn’t ask for money, and there are no real clues what the point is of encrypting those files. It may simply have been a trial run just to find out how good this technique works, but it’s all conjecture at this point.

As an aside, it should be mentioned that the malware’s efforts in encryption did uncover something I found interesting: it exploits the RTLO Unicode Hole, which uses a Windows standard Unicode “Right-to-left override” that are more commonly used in Arabic and Hebrew texts (meaning it’s a Feature, not a Bug). Through this use of the RTLO Unicode Hole, they make filenames such as testU+202Ecod.scr appear in the Windows Explorer as testrcs.doc, and effectively make a harmful executable look like a simple Word doc.

What worries me most, and this is the reason for this article, is the delivery vehicle used by this new piece of malware. You see, it doesn’t exploit some new weakness. Instead, it’s being delivered by systems previously infected with the Citadel/Zeus trojan. This means that over 3000 systems in the Netherlands –systems belonging mostly to ministries, local government and hospitals- already had active botnets inside their networks before getting infected with this new malware! Mind you, virtually all of these systems and networks had active antivirus and IDS systems, and NONE detected either the Citadel/Zeus botnet already in place, nor the new XDocCrypt/Dorifel malware. If anything should be a severe wake-up call for Dutch firms who still half-ass their security, this is it.

Major AV vendors such as Kaspersky and McAfee now address this piece of malware, but it does make you wonder: If this Trojan hadn’t gone through the trouble of encrypting all those files, would it ever have been caught? Clearly, with only a couple of thousand infections, it is not that big of an outbreak. Chances are good that Dorifel would have stayed below the “economic feasibility to fix” line that most antivirus corporations adhere to. With malware code mutation getting increasingly easier and more mature, will this be our future? No more large infections, but a lot more small ones to stay below the collective AV radar? It seems plausible. It certainly makes the dim future of the current AV Modus Operandi that much dimmer. When will we finally see a paradigm shift in our approach to defeating malware?

Dutch MoD releases Defense Cyber Strategy

At long last, the Dutch Ministry of Defense has published a crucial piece of Cyber Doctrine by publishing its Cyber Strategy [PDF Alert – Dutch]. It was given quite a nice introduction by the Dutch Minister of Defense Hans Hillen, who introduced it during the MoD’s Cyber Symposium in Breda on the 27th of june. During this introduction it was also asserted that over 90% of all attacks to Dutch military systems and networks was of Chinese origin, which made me wonder why we haven’t heard any political outcry yet, but I digress as this is not the topic I had in mind of treating today. Let’s get to the document in question: It’s a total of 18 pages long and the introduction of the Dutch Cyber Defense Strategy is, as is often the case in such documents, very telling. The language used should be looked at as defining terms by which the rest of the document can be interpreted.

In the introduction the Dutch MoD acknowledges that they use the digital domain for (satellite-)communications, information-, sensor-, navigation-, logistical- and weapons systems, that are dependent on secure internal and external networks of digital technology and that  this makes them vulnerable to cyber attacks.

They also acknowledge that other countries are developing offensive cyber capabilities and that non-state actors are also capable of forming a threat to Defense forces by attacking digital systems and networks. What’s interesting is that this strategy also acknowledges the blur of the lines between the combatant and the non-combatant, and also the blurring of the borders of any operational areas. Both are key components of the “Fourth Generation Warfare” principle and it seems that the Dutch MoD has at least partially accepted this principle. What makes this so interesting is that they are declaring that non-combatants may also be actively targeted. In essence, they are putting the world on notice that walking around without a uniform is no longer an automatic safe haven, and that if you’re involved with any kind of cyber attack, part of a militia or a terrorist, you have a bull’s-eye on your head. No matter where you are. Plain and simple.

The last paragraph of the introduction specifically mentions that the Military Industrial complex is already a major and consistent target of cyber attacks because they develop and produce high-grade military technology. The strategic and economic value of their digital assets is high and as such these need to be very well guarded, also in the Cyber aspect. This ties in nicely with my earlier articlebased on the MIVD’s yearly report.

For those interested in what official Dutch political documents and official questions this document ties into, here’s the official answer:

The Defense Cyber Strategy was created in answer to:

  • The publication ‘Defensie na de kredietcrisis’ of April 8th, 2011 (“Kamerstuk 32 733, nr. 1”);
  • The piece to be covered by the MoD in the National Cyber Security Strategy as I covered earlier (“Kamerstuk 26643, nr. 174”);
  • The advice given on Digital Warfare by the Advisory Council on International Questions (AIV);
  • The Advice Commission’s (CAVV) answer to the questions posed in “Kamerstuk 33 000-X, nr. 79”;

 Right, so we have that covered. Now let’s get to the meat of the document. From the onset it looks pretty promising. The strategy has six driving points and they are very broad (but relevant): 

  1. Creating an integral and integrated approach;
  2. Increasing digital resillience of the entire MoD (Cyber Defense);
  3. Developing the capability to carry out cyber operations (Cyber Offense);
  4. Reinforcing intelligence gathering in the digital domain (Cyber Intelligence);
  5. Increasing knowledge and innovative power of the MoD in the digital domain, including recruiting and keeping qualified personnel (“adaptive and innovative”);
  6. Intensifying collaboration nationally and internationally. 

(more…)

Dutch Military Intelligence dives into Cyber

The Dutch Military Intelligence agency (MIVD) recently released its 2011 yearly report (in Dutch). As is usual, they covered the events of 2011, but also did some forecasting for 2012. Its especially this last bit I was interested in, and im writing this in the hope that you feel the same way.

One of the most interesting facts I extracted from the report is that the MIVD will be focusing the majority of its Cyber Warfare efforts in countering Cyber Espionage. Given that this is probably the most tangible and widely represented cyber activity currently employed, I think this is a wise choice. Add that to the fact that the Netherlands is, by far, the most connected country in Europe (highest internet penetration in Europe with 83%; highest broadband internet penetration in the world with 68% of its connections at 5mbs or faster) it would probably be a safe assumption to say that our economy is critically interwoven with the Internet. Now, I know that there’s a lot to be said about the military defending a mostly commercial and/or civil commodity, but personally I’m happy with this direction. If anything, it’s *a* direction and from what I’ve seen this has not always been the case in the past.

Three other interesting tidbits that were published in the report involved the MIVD’s future collaborative efforts. One of these is a rather obvious and expected one, but it involves their supporting the Dutch Ministry of Defense with their Cyber Operations through involvement with Taskforce Cyber. A less obvious one is their intention to support in ‘cyber-aspects’ of the Dutch military industrial complex. They don’t really go into how they intend to assist, other than that it will involve working with Dutch domestic intelligence agency AIVD. This is too bad because it sounds interesting. Considering the major cyber security breaches in the past at American defense contractors such as Booz-Allen Hamilton, Lockheed Martin, L3 Communications or Northrop Grumman, it certainly sounds pertinent. They don’t mention it specifically, but odds are good that this (and only this) is what the MIVD has in mind when they mention countering cyber intelligence. Lastly, and to me this was the most interesting, they reveal their intentions to collaborate with the AIVD to set up a special SIGINT Cyber Unit (or command – this wasn’t mentioned) to generate shared cyber intelligence. Their goals for this unit are straightforward: Assisting in cyber operations in support of regular military operations, chart threats, provide excellent cyber intelligence at all times, and to assist in attributing cyber attacks.

The report also tickled my interest in ‘cyber semantics’ when the MIVD asserted that offensive cyber operations usually include the same activities as cyber intelligence and/or cyber espionage. They also mention that cyber is increasingly important in counterintelligence, and mentioned that they would be increasingly exploiting social media such as Facebook, Hyves, Twitter et cetera. An interesting side note here is that due to severe upcoming Defense budget cuts and related contract terminations, it’s been observed that everyone in the Dutch armed forces is now suddenly absolutely perfect in every way (article in Dutch), because apparently it’s gotten to the point that calling in sick is now a bad career move. Our troops should be warned that venting their frustrations through social media is probably a bad idea at this time, however much it may be valid criticism.