The Snow Queen: A cybersecurity report in seven stories

What do you think the fairy tale The Snow Queen by Danish cybersecurity specialist Hans Christian Andersen is really about? A brave girl who defeats the personification of winter and death to save her beloved friend? Think again.

Let’s get real: It’s a fairly detailed account of an investigation by up-and-coming information security expert Gerda into how a certain Kai got infected with a nasty piece of sophisticated malware. This so-called fairy tale is written in the form of seven stories that clearly correspond to the investigation stages.

Story 1: A mirror and its fragments

If you’ve ever read our Securelist.com expert blog (or any other well-done infosec research, for that matter), you probably know that investigation reports often begin with an exploration of the history of incidents. Andersen’s is no different: Its first story delves into the very origins of the Kai case.

Once upon a time (according to Andersen’s data) a hobgoblin created a magic mirror that held the power to diminish people’s good and beautiful qualities and magnify their bad and ugly aspects. The mirror was broken by his apprentices into billions of fragments that penetrated people’s eyes and hearts yet retained the mirror’s original reality-distorting properties. Some people inserted fragments into their window frames, which warped their views. Others used them as lenses for their spectacles.

We already know from Snow White that storytellers often used mirrors as a metaphor for screens in a broad sense: TVs, computers, tablets, phones — you get the picture (literally).

So, translating Andersen’s words from the language of allegories into plain prose yields the following: A mighty hacker created a system with a built-in browser that distorted websites. Subsequently, his apprentices used pieces of source code to infect a huge number of Microsoft Windows devices and even augmented reality glasses.

In fact, the phenomenon is not at all uncommon. The leak of the EternalBlue exploit (which targets a flaw in Windows SMBv1) is the ur-example: it led to the WannaCry and NotPetya epidemics, as well as several other, less devastating outbreaks. But we digress. Back to our fairy tale.

Story 2: A little boy and a little girl

In the second story, Andersen proceeds to a more detailed description of one of the victims and the initial infection vector. According to the available data, Kai and Gerda communicated through their adjacent attic windows (Windows-based communication!). One winter, Kai saw through his window a strange, beautiful woman wrapped in an ultrafine white tulle. This was Kai’s first meeting with the hacker (hereinafter referred to by her handle, “The Snow Queen”).

A short while later, Kai felt a stabbing sensation right in his heart, and something pricking his eye. This is how Andersen describes the moment of infection. Once the malicious code had entered his heart (OS kernel) and eye (data input device), Kai’s reaction to external stimuli changed radically, and all incoming information appeared distorted.

Sometime later, he left home entirely, roping his sled to the Snow Queen’s sleigh. Trusting her for some reason, Kai told the Snow Queen how he could do mental arithmetic even with fractions, and that he knew the size and population of every country. Minor details, it would seem. But as we shall see later, this is in fact precisely what the attacker was interested in.

Story 3: The flower garden of the woman skilled in magic

Gerda began her own investigation and happened to run into a woman who, for whatever reason, impeded her inquiry. To cut to the chase, we’re most interested in the moment when the sorceress combed Gerda’s curls, causing her to forget Kai.

In other words, the crone somehow corrupted the data regarding the investigation. Note that her cyberweapon of choice, a comb, is already known to us. In the Grimm brothers’ report on the Snow White incident, the stepmother used a similar tool to block her victim. Coincidence? Or are these incidents related?

In any event, as in the case of Snow White, the comb-induced block was not permanent — the data was restored and Gerda continued her investigation.

At the end of the third part of the report, Gerda asked the flowers in the witch’s garden if they had seen Kai. This is most likely a reference to the old ICQ messenger, which had a flower as its logo (and as a user status indicator). By communicating with the witch, Gerda was trying to get additional information about the incident using her contacts.

Story 4: The prince and the princess

The fourth stage of the investigation doesn’t seem entirely relevant. Gerda tried to run Kai through the government database. To do that, she got to know some ravens who gave her access to a government building (the royal palace).

Although that didn’t produce any results, Gerda dutifully informed the government about the vulnerability and the insecure ravens. The prince and the princess patched the vulnerability, telling the ravens that they weren’t angry with them, but not to do it again. Note that they didn’t punish the birds but simply asked them to change their behavior.

As a reward, the prince and the princess supplied Gerda with resources (a carriage, warm clothing, servants). This is a great example of how an organization should respond when researchers report a vulnerability — let’s hope the reward wasn’t a one-off but became a proper bug-bounty program.

Story 5: The little robber girl

In this story, Gerda seemingly fell into the clutches of bandits. Andersen actually uses another allegory to explain that, having reached a dead end at the previous stage of the investigation, Gerda was forced to engage the help of forces that were, shall we say, not entirely law-abiding.

The cybercriminals put Gerda in touch with some pigeon informants that knew exactly who was to blame for the Kai incident, as well as with a reindeer in possession of the addresses of some useful darknet contacts. The help wasn’t cheap; she lost most of the resources gained in the previous story.

So as not to undermine the young researcher’s integrity, Andersen tries to describe her dealings with the criminals as unavoidable — they robbed her first, he says, and only then, taking pity on their victim, provided information. That doesn’t sound too convincing. More likely, it was a mutually beneficial arrangement.

Story 6: The Lapland woman and the Finnish woman

Next comes the final stage of collecting information needed for the investigation through the darknet contacts supplied by the bandits. The reindeer acquainted Gerda with a certain Lapland woman, who wrote on a dried cod a letter of recommendation to the next informant, a certain Finnish woman.

The Finn, in turn, provided the address of the “Snow Queen’s garden” — obviously the name of the command-and-control server. A nice touch here: Having read the message, she threw the cod into a bowl of soup. She understood the practical importance of not leaving unnecessary traces, so she carefully followed OPSEC rules. The mark of an old pro.

Story 7: What happened in the Snow Queen’s palace, and what came of it

The seventh story finally explains why the Snow Queen needed Kai in the first place. He sat there rearranging the splinters of ice, trying to spell the word “eternity.” Insane, right? Not at all. Read our primer on cryptomining. As it explains, proof-of-work miners essentially work by rearranging a block of information over and over (changing a counter called a nonce) and hashing it each time, until they get not just any hash, but the most “beautiful” one possible: a hash that starts with the required run of zeros, i.e., falls below the network’s difficulty target. Producing such a hash takes enormous trial and error; checking it takes a single hash computation.

That is, Kai tried to arrange the pieces of information so that their hash came out as the word “eternity.” (A real miner’s target is a prescribed number of leading zero bits rather than a word, but the principle is the same: there is no shortcut, only brute-force trial and error.) At this stage, it becomes clear why in the second story Andersen focused on Kai’s computing power. That is exactly what the Snow Queen was after, and Kai was infected solely for cryptomining purposes. It also explains the Snow Queen’s apparent obsession with all things north and cold; a high-performance mining farm requires serious cooling.
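To make the “beautiful hash” idea concrete, here is an added example (not part of Andersen’s text or of our cryptomining primer) of a toy proof-of-work search in Python. The block contents, the field names and the timestamp are constructed for illustration; the required prefix of zero hex digits plays the role of the difficulty target. Note that asking for a hash that *spells* a particular word would be a partial preimage search, which is exactly as hard as pinning the same number of bits to zero, so the demonstration generalizes to any fixed prefix, not only zeros.

```python
import hashlib
import json
from typing import Optional, Tuple

# Constructed sample "block" (hypothetical data, not from any real chain).
SAMPLE_BLOCK = {
    "prev_hash": "0" * 64,
    "transactions": ["Gerda -> Kai: 1 rose", "Robber girl -> Gerda: 1 reindeer"],
    "timestamp": 1845,  # constructed value
}


def block_hash(block: dict, nonce: int) -> str:
    """Hex SHA-256 of a canonical serialisation of the block plus the nonce.

    Canonical (sorted keys, no whitespace) serialisation matters: verifier and
    miner must hash byte-identical input or the proof will not check out.
    """
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")) + f"|{nonce}"
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def mine(block: dict, prefix: str, max_nonce: int = 1 << 24) -> Optional[Tuple[int, str]]:
    """Rearrange the block (bump the nonce) until the hash starts with `prefix`.

    Returns (nonce, hash) on success, or None if the budget runs out. Every
    pinned hex digit multiplies the expected work by 16; there is no shortcut.
    """
    for nonce in range(max_nonce):
        digest = block_hash(block, nonce)
        if digest.startswith(prefix):
            return nonce, digest
    return None


def verify(block: dict, nonce: int, prefix: str) -> bool:
    """Checking a proof costs one hash: cheap to verify, expensive to produce."""
    return block_hash(block, nonce).startswith(prefix)


def expected_attempts(prefix: str) -> int:
    """Expected number of hashes for a prefix of hex digits (16 ** len(prefix))."""
    return 16 ** len(prefix)


if __name__ == "__main__":
    target = "0000"
    found = mine(SAMPLE_BLOCK, target)
    if found is None:
        print("budget exhausted")
    else:
        nonce, digest = found
        print(f"nonce={nonce} hash={digest}")
        print(f"expected ~{expected_attempts(target)} attempts, verified={verify(SAMPLE_BLOCK, nonce, target)}")
        # Any change to the block invalidates the proof; the work must be redone.
        tampered = dict(SAMPLE_BLOCK, timestamp=1846)
        print(f"tampered block still valid? {verify(tampered, nonce, target)}")
```

Run it with a longer `target` and watch the search time grow roughly sixteenfold per added digit; that growth, not cleverness, is what the Snow Queen was buying with Kai’s arithmetic.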

Gerda then melted Kai’s ice-crusted heart with her tears (i.e., she deleted the malicious code using various tools and regained control of the system kernel). Kai then burst into tears, meaning that he activated his built-in antivirus (previously blocked by the infected module in his kernel), and removed the second piece of malicious code, from his eye.

The end of the report is rather weird by today’s standards. Instead of providing tips for potential victims, indicators of compromise (IoCs), and other useful tidbits, Andersen rambles on about the characters’ journey back home. Perhaps in the nineteenth century, that’s how infosec reports wrapped things up.

As we’ve said before, fairy-tale writers are in fact the oldest cybersecurity experts in the business. The case of the Snow Queen only bolsters our claim. As described above, the tale is a detailed account of an investigation of a complex incident. We also recommend that you check out our analysis of other popular fairy tales: