Burned malware returns, says Cylance report: Is Hacking Team responsible?

Burning malware is like Hercules fighting the nine-headed Hydra. For every head he cuts off, two more grow back in its place. That’s the lesson from a new report by Cylance today, and one both enterprise network defenders—and the public at large—should pay attention to.

Cyber mercenaries sell malware to oppressive regimes in the Middle East, which then use that malware to attack their own citizens, research from the Citizen Lab suggested earlier this year. The current regimes in Turkey and Egypt compel local ISPs to run Canadian-made Sandvine/Procera deep packet inspection middleboxes that inject the malware into unencrypted HTTP downloads of popular software like Avast, VLC Player and WinRAR. Large numbers of users in Egypt, Turkey and Syria (near the border with Turkey) are affected.

For the last six months, Cylance has been studying how the malware, known as Promethium or StrongPity, has changed as a result of the Citizen Lab report. “Even though the indicators of compromise seem to disappear off your radar screen [it] doesn’t mean they’re gone,” Kevin Livelli, director of threat intelligence at Cylance, tells CSO.

Instead, the group behind the malware, widely believed to be a cyber mercenary outfit, tweaks a little code to fly under the radar again and continues to sell to oppressive regimes.

Assigning attribution?

Oppressive regimes without the resources to develop their own malware instead turn to the grey market, where any number of cyber mercenary groups provide the software and hardware needed to identify, hack, stalk, harass, disappear, torture and murder dissidents, journalists, political opponents and anyone else the regime of the day doesn’t like.

Explosive reporting from Israel’s Haaretz newspaper exposed the dark underbelly of the cyber mercenary business in that country. Israel is far from the only country that permits cyber mercenaries to operate. Countries like Canada, Germany and Italy tolerate such activity as well.