The Middle East is home to the world’s oldest nations – and some of the world’s oldest conflicts. And while the Great Powers, especially the U.S., Russia, and China, have dominated the “cyber war” headlines, the truth is that every country on Earth is now defending its sovereignty, and projecting power, in cyberspace. In 2004, at DEF CON in Las Vegas, Duke University Professor Peter Feaver and I discussed the digital dimension of the Arab-Israeli conflict. Even thirteen years ago, we found dozens of examples of computer network operations, the majority of which were pro-Israeli hackers hitting political and military targets throughout the Middle East, and pro-Palestinian hackers retaliating against the Israeli economy.
Cyberspace is simply a reflection of traditional human affairs, both good and bad, ranging from groundbreaking science to bone-breaking terrorism. I study malware, in particular its use in the international political arena. In the graph below, it is easy to see that all countries in the Middle East (and by extension throughout the world) are infected with many different types of malware, from secret backdoors, to versatile trojan horses, file-changing viruses, autonomous worms, and malware that is packed or hidden within seemingly innocuous streams of data.[1]
The ultimate purpose of many malware infections, including the coders behind them, is often hard to know. At a minimum, a better understanding of a nation’s “cyber threat” requires tactical and strategic analysis, on both the technical and geopolitical levels.
Let’s start by repainting a traditional map of the Middle East according to each country’s most-frequently detected malware type in Q2 2017. Immediately, we see an interesting pattern: a subset of Middle Eastern nations (Egypt, Israel, and Jordan) have recently suffered more from computer viruses than from computer worms. And these three anomalous nations are adjacent to one another, which mirrors a pattern that I have recently seen in South America, Southeast Europe, and Southeast Asia, where anomalous malware outbreaks are likely related to political, linguistic, or infrastructure commonalities.
Now let’s dig a bit deeper, and look at the ratio of these five malware types within each country. When organizing data in this way, I have noticed that malware has its own socioeconomic hierarchy. Often, a prevalence of backdoors, packed malware, and trojans means that the victim nation is wealthy, and frequently on the receiving end of targeted attacks. At the other end of the malware spectrum, too many viruses and worms suggests that the victim nation is poorer, and likely runs a lot of older, unlicensed, unpatched, or pirated software. For cyber spies and criminals, these relative levels of vulnerability and potential return-on-investment likely entail exhaustive market research, before investing too much in any given malware campaign.
In the Middle East during Q2 2017, the highest ratio of backdoors was found in Saudi Arabia, Lebanon, Egypt, Cyprus, and Bahrain. For packed malware, it was nearly the same, with Israel joining the group. With trojans, Oman, Iraq, and Bahrain figured prominently in our data. As seen in the political map above, Jordan, Israel, and Egypt were tops in viruses. And finally, the highest ratio for computer worms was in Yemen, Palestine, Kuwait, and Cyprus.
To get an even better sense of what is afflicting national networks, let’s go a layer deeper, and examine specific malware families. The treemap below expands the malware types for the United Arab Emirates,[2] where RSA will hold its next conference on November 7-8, 2017. This perspective takes us a step closer to the tactical level of cyber defense, and it can help system administrators and security personnel address specific malware threats – and potentially threat actors – targeting their networks.
A decade-old Windows threat called Starter has been the most common trojan; Brontok, originally born in Indonesia, has led in worms; Ramnit, which harvests banking credentials, has been the top virus; MUPX, or the “Modified Ultimate Packer for Executables,” has been the most common malware packer; and NetWiredRC is currently the top backdoor. However, these are only the most common malware families: in the lower right-hand corner of each malware type, there are dozens of more obscure families that may quietly be doing far more damage to UAE networks. To evaluate all of them would require more than a short blog!
The final graph, below, relates to time, which is often an analyst’s best friend. Close proximity does not imply a cause-and-effect relationship, but it does suggest a correlative one. One of the most vexing challenges in cybersecurity is attribution. But by placing network security incidents on a timeline, and by superimposing other, often non-cyber events over them, it is often possible to see why you have found hostile packets on your network. This timeline, which runs from November 2016 to January 2017, shows malware detection rates for six Middle Eastern countries. For each of the top spikes, it was easy to find a national security-related event in the news which may have been its catalyst.
For each country, the national security incident and malware spike may simply have been coincidental. But in the Internet era, there is a strong correlation between national security and network security. When important political, military, intelligence, law enforcement, business, or social events take place, there is always a reflection in cyberspace, as various parties (some domestic, some foreign) move to collect, deny access to, or manipulate data for some state or non-state goal.
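The timeline method described above, flagging detection spikes and superimposing non-cyber events on them, can be reduced to a small script. This is an added example on constructed data, not the post’s own analysis or telemetry; the daily counts, dates, and event labels are all hypothetical.

```python
from datetime import date, timedelta
from statistics import median

# Constructed daily malware-detection counts for one country, starting 1 Nov 2016.
# Illustrative numbers only, not the telemetry behind the post's timeline.
START = date(2016, 11, 1)
COUNTS = [100, 104, 98, 102, 101, 99, 103, 100, 250, 180,
          97, 101, 100, 98, 200, 99, 100, 101, 300, 110]

# Constructed, hypothetical non-cyber events to superimpose on the timeline.
EVENTS = [
    (date(2016, 11, 8), "hypothetical national election"),
    (date(2016, 11, 18), "hypothetical border incident"),
]


def find_spikes(counts, start, k=5.0):
    """Return (date, count) for days whose count exceeds median + k * scaled MAD.

    A median/MAD baseline is used instead of mean/standard deviation so that
    the spikes themselves do not inflate the baseline they are measured against.
    """
    base = median(counts)
    # 1.4826 makes the MAD comparable to a standard deviation for normal data.
    mad = median(abs(c - base) for c in counts) * 1.4826
    threshold = base + k * mad
    return [(start + timedelta(days=i), c)
            for i, c in enumerate(counts) if c > threshold]


def explain_spikes(spikes, events, max_lag_days=2):
    """Pair each spike with the closest event on or up to max_lag_days before it.

    Returns (spike_date, count, event_label_or_None). Spikes with no nearby
    event are kept with None: correlation is a lead, and the analyst still
    has to account for the unexplained ones.
    """
    result = []
    for day, count in spikes:
        candidates = [(day - ev_date, label) for ev_date, label in events
                      if timedelta(0) <= day - ev_date <= timedelta(days=max_lag_days)]
        label = min(candidates)[1] if candidates else None
        result.append((day, count, label))
    return result


if __name__ == "__main__":
    for day, count, label in explain_spikes(find_spikes(COUNTS, START), EVENTS):
        print(day.isoformat(), count, label or "no event within window")
```
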
So, the takeaway from this short blog on Middle East malware is that malicious code is now ubiquitous, it may be used for myriad purposes, and network defenders can expect to see spikes during national security crises.