State-sponsored attacks: open season on online journalists

The last few weeks have offered the strongest indications yet that nation-states are using customized software to exploit security flaws on personal computers and consumer Internet services to spy on their users. The countries suspected include the United States, Israel, and China. Journalists should pay attention–not only because this is a growing story, but because if anyone is a vulnerable target, it’s reporters.

Last week, The New York Times‘ David Sanger quoted several U.S. government contacts who said Stuxnet, the virus suspected of targeting Iranian nuclear centrifuges, was in fact part of a secret U.S. government project. This week Google placed warnings on a number of Gmail accounts that they had been targeted by what Google indicated was a “state-sponsored attack” (Google would not indicate why it thought this was the case). And a new piece of malware, over 20 megabytes in size, coined “Flame” by its discoverers at Kasperky Lab, has been tracked as being concentrated in the Middle East, and bears the hallmarks of a state-directed operation.

Flame’s design exploits a combination of flaws in a Microsoft product, including one that used a mathematical attack on a standard cryptographic technique that was previously unknown to security researchers. As with Stuxnet, the sophistication of this attack suggested to investigators that it was created by a nation-state. As the investigators state:

Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.

But who were the targets? Stuxnet was aimed at Iran’s uranium refinement facilities, but accidentally spread to the rest of the world. Flame appears to have been aimed at a much broader group. Kaspersky says the victims “range from individuals to certain state-related organizations or educational institutions.”

Google won’t reveal names either, but some receiving its warning on their Gmail accounts have already come forward, and many of them are journalists working in or on China. Shanghaiist notes that Xander Yang of France 24’s Beijing bureau reported receiving the warning, as did Caijing magazine’s Tan Yifei and Venus Cao of the Southern Weekly. Daniel Drezner, an academic and blogger for Foreign Policy, reported the same warning.

That shouldn’t be surprising. Journalists make the perfect target for such snooping software. They frequently carry a lot of politically sensitive, confidential information, and use vulnerable technology. They are often working without the backing of large organizations with good IT support. Even major media organizations do not expect to face sophisticated technological espionage attacks.

The lesson of all of this activity is that many governments see these attacks as an effective, unregulated, and deniable way to target groups that would otherwise be too politically sensitive or independent to publically challenge or co-opt. That puts reporters, bloggers, and media companies high on the hit list.

And while the notoriety of these incidents is because we now see state actors entering the malware market, the two other categories of “players”–criminals and hacktivists–also have their reasons to attack journalists. One of the most damning aspects of both Stuxnet and Flame was that techniques developed at great expense were placed in code that was spread on the Internet. That code is now available for other criminals to examine and learn from. Microsoft worked quickly to patch its systems, partly because the detection of Flame showed attack strategies that it knew other cyber-criminals would quickly adopt.

Technologists can help bloggers and reporters who don’t have institutional support protect themselves by being open and responsive. That means more pro-active investigations like the Kaspersky project, more transparency like Google’s specific warnings, and swift reactions like Microsoft’s.

But for now the best way that journalists and other victims can defend themselves from these attacks is for them to take them seriously. Run anti-virus software. Follow our advice on info security in our journalist security guide. And if you see or hear anything suspicious, let us know.