Believe it or not, a rootkit virus almost caused WW3 in 2010. Stuxnet—a malware allegedly developed by intelligence agencies in Israel and the United States—was found infecting 14 industrial plants in the Republic of Iran. One of these 14 plants included a uranium enrichment facility. It is now commonly believed that the malware’s purpose was to sabotage Iran’s nuclear development program and destroy its infrastructure. It was, in short, an act of war. One that had taken five years to develop and implement.
With the discovery of Stuxnet, the world opened its eyes to cybersecurity concerns and how a simple virus or rootkit could bring an entire country to its knees. Since then, computer security engineers have been on the front lines against an onslaught of similar cyber weapons. However, rootkits continue to have widespread use, even today. Positive Technologies, a cybersecurity firm, reviewed and analyzed known rootkit families from the past ten years. They found that 44% of all known rootkits specifically attacked government agencies and extracted data due to the valuable nature of such data.
To prevent rootkit attacks, governments need to update and add security patches regularly and install programs only from trusted sources. Using employee surveillance software to track phone activity can also be useful in reducing gaps in the security system. Any cybersecurity network’s weakest link is always the human factor.
A rootkit is a stealth computer program designed to provide continuous unauthorized access to privileged information on a computer system. The program accomplishes this goal while remaining completely undetected. The first rootkits worked only on Unix systems, but in 1999, the first rootkit developed for Windows OS appeared. Today, rootkits are packaged along with other forms of malware, such as viruses, worms, and trojans. The rootkit's main purpose is to disguise the malicious software and avoid detection.
Rootkits can be divided into categories depending on the level of privilege they have in a system. There are five known types, ranging from the lowest level, firmware (which carries the highest privileges), up to the highest level, user mode.
- User-mode rootkits enjoy the same privileges as most applications. They are much easier to write and develop, and as a result, are more commonly used in mass attacks. They made up 31% of the rootkits tested in the sample by Positive Technologies.
- Kernel-mode rootkits work at the kernel level, meaning they have the same privileges as the operating system. Such rootkits are difficult to develop, and an incorrectly written one can make the system unstable, which makes them easier to detect. According to the report, only 38% of the total number of rootkits operate at the kernel level.
- Hybrid rootkits combine both levels of operation, running components in user mode and in the kernel. They also made up 31% of the sample.
- Bootkits are a version of kernel-level rootkits. They operate by replacing the legitimate boot loader with one that they can control. The subverted bootloader can then be used to intercept encrypted passwords and keys.
- Firmware and hardware rootkits are designed to hide inside a malicious firmware image in hardware such as routers or hard drives. Since cybersecurity officials rarely check firmware for code integrity, it makes a good hiding place.
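The taxonomy above turns on one property: the deeper a rootkit sits, the more of the system's own reporting it can falsify. The classic defender's answer is cross-view detection, which asks the same question through two different code paths and flags disagreements. The script below is an added example written for this article, not code from the article or from Positive Technologies. It compares the processes a `/proc` directory listing admits to with the processes the kernel acknowledges when probed with `kill(pid, 0)`; a kernel-mode rootkit that hooks the listing but still schedules its process shows up in the second view and not the first. The sample listing and PID set are constructed for the demonstration, and the live-host scanner assumes a Linux `/proc` layout.

```python
"""Cross-view detection of hidden processes on Linux.

Added example (not from the article). A rootkit that hides a process usually
hooks the code that lists /proc, so readdir() omits the PID, yet the process
is still scheduled and still answers kill(pid, 0). Two views, one difference.
"""
import os


def visible_pids_from_proc(proc_listing):
    """PIDs the user-visible view admits to: numeric entries of a /proc listing."""
    return {int(name) for name in proc_listing if name.isdigit()}


def live_pids_by_probe(probe, max_pid):
    """Brute-force view: every PID for which probe(pid) says 'exists'."""
    return {pid for pid in range(1, max_pid + 1) if probe(pid)}


def find_hidden_pids(visible, live_first, live_second):
    """Hidden = alive in BOTH probe passes but absent from the listing.

    Two probe passes bracket the listing, so a process that starts or exits
    between views is in at most one pass and is not reported (race control).
    """
    return sorted((live_first & live_second) - visible)


def kill_probe(pid):
    """Real probe: kill(pid, 0) delivers no signal, it only checks existence.
    EPERM (PermissionError) still means the PID exists, we just may not signal it."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def is_thread_not_process(pid):
    """Known false positive: non-leader threads answer kill() but are hidden from
    readdir(/proc) by design. /proc/<tid>/status still opens; Tgid != Pid marks a thread."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def scan_live_system(max_pid=None):
    """Run the cross-view check on this host and drop ordinary threads from the result."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as pid_max:
            max_pid = int(pid_max.read())
    first = live_pids_by_probe(kill_probe, max_pid)
    visible = visible_pids_from_proc(os.listdir("/proc"))
    second = live_pids_by_probe(kill_probe, max_pid)
    return [pid for pid in find_hidden_pids(visible, first, second)
            if not is_thread_not_process(pid)]


# Constructed sample (not a real capture): the listing omits PID 4242, but the
# simulated kernel still knows about it, as a hooked readdir() would behave.
SAMPLE_PROC_LISTING = ["1", "2", "100", "self", "cpuinfo", "4100", "9000"]
SAMPLE_KERNEL_PIDS = {1, 2, 100, 4100, 4242, 9000}


def demo():
    """Cross-view check over the constructed sample; returns the hidden PIDs."""
    def probe(pid):
        return pid in SAMPLE_KERNEL_PIDS
    visible = visible_pids_from_proc(SAMPLE_PROC_LISTING)
    first = live_pids_by_probe(probe, 10000)
    second = live_pids_by_probe(probe, 10000)
    return find_hidden_pids(visible, first, second)


if __name__ == "__main__":
    print("hidden in constructed sample:", demo())   # [4242]
    print("hidden on this host:", scan_live_system())
```

On a real host, `scan_live_system()` should return an empty list; anything it does return deserves a closer look with a second, independent tool, because a rootkit that also hooks `kill()` defeats this particular pair of views. That is the general lesson of cross-view detection: it finds inconsistencies between whatever views the rootkit failed to hook, so defenders pair several of them (process listing, network sockets, file listings) rather than relying on one.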
Given that the development of rootkits requires a deep knowledge of programming and is often time-consuming, the question arises as to why so many of them are available in the market today. The answer is simple: APT groups and the dark web. Advanced Persistent Threat (APT) groups are usually state-sponsored groups created to carry out cyberattacks to steal data and destroy infrastructure. These groups are generally created for cyber espionage purposes, but sometimes, they can also be financially motivated. With the amount of time and expertise required to develop rootkits, it is mostly these groups who have the resources to successfully create and sell rootkits.
In addition, there is a ton of information on how to create and deploy rootkits, especially on the dark web. Not only can you get access to reference data, but you can also purchase ready-made rootkits. Rootkits on the dark web can fetch anywhere from $45,000 to $100,000, making them an attractive project for developers. The cost usually depends on the target operating system, conditions of use, and any extra features. Most rootkits target Windows systems but some have multi-system support as well.
Information contained within the systems in government agencies is particularly valuable to hackers and APT groups. In the report published by Positive Technologies, 44% of all rootkit attacks were targeted at government agencies. There is also the possibility of cyber espionage by a foreign state-sponsored group. All these factors make government agencies a prime target.
In the aforementioned case of the Stuxnet worm rootkit, findings by the Kaspersky Lab researchers showed that the malware was designed specifically to target operating systems in industrial machines. It could even cause centrifuges to spin out of control, damaging and destroying Iran's nuclear plants.
Stuxnet first showed up on the radar when a Belarusian company contacted Kaspersky Labs to find out why a customer’s computers were rebooting over and over again. Their discovery shocked the cybersecurity world. The malware was signed digitally with a forged signature that made it appear legitimate. A feat that worried cybersecurity officials to the point that they began to share information on forums.
What was most impressive about Stuxnet was its use of zero-day exploits. A zero-day exploit is a weakness or gap in a security system that the developer is either unaware of or has not fixed yet. These gaps can allow hackers to find a way into the system. Stuxnet not only took advantage of an unprecedented number of such exploits, but it also did so in a beautifully complementary way. The exceptionally written code and overall sophistication of the rootkit led researchers to believe it could only have come from a government-funded group. Officially, no one took responsibility for the attack, but leaks within the US and Israeli governments indicated that the two countries may have had a hand in it.
While on the lookout for a variation of Stuxnet back in 2011, researchers found another rootkit-based malware named Flame. Flame was at least forty times larger than Stuxnet, leading the researchers to believe it had also been created by the same nation-state. However, where Stuxnet acted as a destructive tool, Flame had specific spying applications. The two most impressive features in Flame were the great lengths the developers went to in order to avoid detection, and the ability to transmit data over Bluetooth. Using a Bluetooth "rifle," data could be accessed over a distance of two kilometers. Flame still infects many computer systems in Iran and the Middle East to this day.
Governments around the world are waking up to the need for cybersecurity. National cybersecurity initiatives are being developed and put into practice. These initiatives need continuous updating to adapt to the ever-changing cyber landscape. Some measures to be taken are:
- Information Sharing: Collaboration and information sharing even in cross-country cases is a necessary step to ensuring the detection and prevention of malware attacks. A global threat intelligence database only serves to help those fighting against cyberattacks.
- Intrusion Detection: Intrusion detection involves using advanced software solutions to detect malware attacks. The detection software may even be AI-based.
- Raising Cybersecurity Awareness: Cybersecurity programs and drills can be developed and implemented. Employees and government officials need to be brought up to speed on the latest cybersecurity practices.
- Using Monitoring Software: While the business world has already started such practices, the government sector still lags behind. There is a multitude of apps and software available that allow you to keep a close watch on everyone with access to your system, such as Xnspy. Xnspy is consensual employee surveillance software for tracking phone activity and works on most mobile platforms. It allows you to review and record all forms of communication on official mobile devices. The information is available in the form of summarized analysis reports online at any time. Using Xnspy or similar software can prevent employees from leaking critical information. It can also help stop cyber espionage carried out through social engineering.
Xnspy is easy to install and use. For iOS devices, all you need are the iCloud credentials to gain access to an iPhone. After installation, you will need to wait a day or two for the app to upload all the data onto a cloud server. There it will display calls, text messages, and location data. You can also see multimedia and browser history. Using employee monitoring tools has become a necessity for many businesses. In the modern world of computers and data, governments have no choice but to follow their example. Click here to check out the list of employee monitoring apps available on the market today.