A list of the most dangerous, effective, and best-known malware strains developed by the cyber-security units of various countries’ intelligence and military branches.
Regin, widely regarded as the most powerful malware family ever attributed to a nation-state actor, is believed to have been created by the NSA and shared with some of its Five Eyes allies (primarily GCHQ). Its existence was made public in 2014, but the earliest known samples date back to 2011, and some researchers suspect the framework was in use as early as 2003. Regin has been found in intrusions at Belgian telecom Belgacom, on a German government laptop, and, most recently, at Russian search firm Yandex.
On a technical level, security researchers consider Regin the most complex malware framework documented to date. It is built around a multi-stage, encrypted loader chain and dozens of modules, the majority of which are designed to perform surveillance (network sniffing, credential theft, even monitoring of GSM base-station controllers) and to remain unnoticed on infected systems.
Flame was found in 2012, and at the time security experts hesitated to describe it simply as “malware”; Kaspersky called it an “attack toolkit”, a modular framework whose structure resembles that of its larger sibling, Regin. Flame is a collection of modules that run on top of a common core and are installed according to the capabilities an operator wants (keylogging, screenshots, microphone recording, Bluetooth scanning, and so on). It was identified in 2012 by the MAHER Center of Iran’s national CERT during attacks on government entities in the country. The discovery came two years after the Stuxnet attacks, and Flame was quickly linked to Stuxnet through a shared code module; Kaspersky later (2015) documented links between both and the Equation Group, its name for a toolset attributed to the US National Security Agency. Flame is also notable for how it spread inside networks: it carried a Microsoft code-signing certificate forged through a chosen-prefix MD5 collision against the Terminal Server Licensing Service, which let it pass as a legitimate Windows Update. It was eventually detected in attacks on other Middle Eastern governments as well. Flame’s Wikipedia page currently offers the best single summary of all Flame-related findings.
Stuxnet is the only malware on this list with its own documentary film (Zero Days, 2016). The malware was co-developed in the 2000s by the US NSA and Israel’s Unit 8200, the Israeli military’s signals-intelligence and cyber division, as part of a joint effort to sabotage Iran’s nuclear program. It was discovered in June 2010, although earlier versions had been circulating in Iran for several years before that.
Stuxnet, which used four Windows zero-days at the time it was discovered and was signed with code-signing certificates stolen from Realtek and JMicron, was specifically coded to target industrial control systems: it looked for Siemens Step7/WinCC software and the S7 PLCs driving centrifuge frequency converters. Its payload periodically altered the converters’ output frequency, overspeeding the centrifuges and then slowing them down to stress the rotors and destroy the machines, while replaying recorded normal readings to the operators so the monitoring screens looked healthy. The malware is said to have infected over 200,000 computers and to have destroyed nearly 1,000 centrifuges at Iran’s Natanz enrichment facility.
The first non-US malware on this list is Shamoon, a data wiper attributed to Iranian state hackers. It was first deployed in 2012 on the network of Saudi Aramco, Saudi Arabia’s national oil producer, where it destroyed more than 30,000 computers by overwriting files and the master boot record. A second wave (Shamoon 2) hit Saudi government agencies and companies in late 2016 and early 2017. Most recently, in December 2018, it was deployed against Italian oil and gas contractor Saipem, allegedly destroying around 10% of the company’s PC fleet.
A more recent addition to this list is Triton (also known as Trisis). FireEye attributed the malware to a Russian government-owned research institute, the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM). It was discovered in 2017 after an incident at a petrochemical plant in Saudi Arabia. It was specifically engineered to interact with Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, the last automated line of defence that shuts a process down when it drifts into a dangerous state; the attackers reached the controllers over the TriStation engineering protocol from a compromised engineering workstation and tried to load a backdoor into the controller firmware. According to technical reports from FireEye, Dragos, and Symantec, Triton was designed to let an attacker either trip a production process into shutdown or allow Triconex-controlled machinery to keep running in an unsafe state. In the actual incident a failed implant attempt put the controllers into failsafe mode and shut the plant down, which is how the intrusion was noticed: the practical lesson is that SIS controllers should be kept in RUN (not PROGRAM) mode and their engineering network isolated. The malware’s code later leaked and was published on GitHub.
The Industroyer malware, also known as Crashoverride, is a malware framework developed by Russian state hackers (the Sandworm group) and deployed in December 2016 in the cyber-attack on Ukraine’s power grid.
The attack succeeded and cut power to part of Kyiv, Ukraine’s capital, for about an hour. The malware is considered an evolution of earlier strains such as Havex and BlackEnergy; BlackEnergy had been used in the December 2015 attack on Ukrainian distribution companies, and Havex had targeted energy-sector networks in Europe and North America. Those were essentially generic Windows malware deployed against the systems that manage industrial equipment, with the operators working the HMI by hand. Industroyer, by contrast, contained payload modules that spoke the grid’s own protocols directly (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA), so it could open breakers without a human at the console, plus a denial-of-service module against Siemens SIPROTEC protective relays (CVE-2015-5374) and a wiper that overwrote ICS configuration files and registry keys to hinder recovery.
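Industroyer’s 104 payload worked by sending ordinary IEC 60870-5-104 switching commands to the substation RTUs, so one useful detection is simply to watch for control-direction ASDUs coming from any host other than the legitimate SCADA master. The following is an added example, not code from the original article or from any of the vendor reports: a minimal parser for IEC 104 APDUs and an allow-list check over constructed frames. The IP addresses and frames in SAMPLE_FRAMES are made up for the demonstration.

```python
"""Flag IEC 60870-5-104 switching commands from unexpected hosts.

Added example, not code from the original article or from ESET/Dragos:
a minimal parser for the IEC 104 frame format that Industroyer's "104"
payload spoke, used to raise an alert whenever a control-direction ASDU
(a breaker command) arrives from a host that is not the allow-listed
master station. The frames and IP addresses in SAMPLE_FRAMES are
constructed by hand; they are not captures from any real incident.
"""
import struct

# Control-direction ASDU type identifiers (IEC 60870-5-101 section 7.3).
# Industroyer's 104 module issued single and double commands of this kind.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)",
    50: "C_SE_NC_1 set point (float)",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission "activation": do it now


def parse_apdu(buf: bytes) -> dict:
    """Parse one APDU: 0x68, length, 4 control-field bytes, optional ASDU."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if buf[1] != len(buf) - 2:
        raise ValueError("APDU length field does not match buffer")
    ctrl = buf[2:6]
    if (ctrl[0] & 0x01) == 0:
        fmt = "I"  # information transfer: carries an ASDU
    elif (ctrl[0] & 0x03) == 0x01:
        fmt = "S"  # supervisory: acknowledgement only
    else:
        fmt = "U"  # unnumbered: STARTDT / STOPDT / TESTFR
    apdu = {"format": fmt}
    if fmt != "I":
        return apdu
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU")
    type_id, vsq, cot_lo, _originator, ca = struct.unpack("<BBBBH", asdu[:6])
    apdu.update(
        type_id=type_id,
        sequence=bool(vsq & 0x80),
        num_objects=vsq & 0x7F,
        cot=cot_lo & 0x3F,
        negative=bool(cot_lo & 0x40),
        common_address=ca,
    )
    if len(asdu) >= 9:
        # Information object address is 3 bytes, little-endian.
        apdu["ioa"] = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    if type_id in (45, 46, 58, 59) and len(asdu) >= 10:
        qualifier = asdu[9]  # SCO or DCO byte
        apdu["execute"] = not (qualifier & 0x80)  # S/E bit: 0 = execute, 1 = select
        apdu["state"] = qualifier & (0x01 if type_id in (45, 58) else 0x03)
    return apdu


def flag_control_commands(frames, allowed_masters):
    """Return (src, message) alerts for activations not sent by an allowed master."""
    alerts = []
    for src, buf in frames:
        try:
            apdu = parse_apdu(buf)
        except ValueError as exc:
            alerts.append((src, f"malformed APDU: {exc}"))
            continue
        if apdu["format"] != "I":
            continue
        name = CONTROL_TYPES.get(apdu["type_id"])
        if name is None or apdu["cot"] != COT_ACTIVATION:
            continue  # measurements, interrogations, acks: not a switching action
        if src in allowed_masters:
            continue
        phase = "execute" if apdu.get("execute", True) else "select"
        alerts.append((src, f"{name} ({phase}, state={apdu.get('state')}) "
                            f"to IOA {apdu.get('ioa')} on CA {apdu['common_address']}"))
    return alerts


# Constructed traffic on a fictional substation LAN: 10.0.0.10 is the
# legitimate SCADA master, 10.0.0.50 an RTU, 10.0.0.77 an engineering
# workstation that should never send switching commands.
SAMPLE_FRAMES = [
    ("10.0.0.10", bytes.fromhex("68 04 07 00 00 00")),  # U-frame STARTDT act
    ("10.0.0.50", bytes.fromhex(  # M_ME_NC_1 float measurand, COT 3 (spontaneous)
        "68 12 04 00 02 00 0d 01 03 00 01 00 01 10 00 00 00 80 3f 00")),
    ("10.0.0.10", bytes.fromhex(  # C_IC_NA_1 general interrogation, COT 6
        "68 0e 02 00 00 00 64 01 06 00 01 00 00 00 00 14")),
    ("10.0.0.77", bytes.fromhex(  # C_SC_NA_1 execute ON, IOA 1001, COT 6
        "68 0e 00 00 00 00 2d 01 06 00 01 00 e9 03 00 01")),
    ("10.0.0.77", bytes.fromhex(  # C_DC_NA_1 execute OFF, IOA 2001, COT 6
        "68 0e 02 00 00 00 2e 01 06 00 01 00 d1 07 00 01")),
]

if __name__ == "__main__":
    for src, msg in flag_control_commands(SAMPLE_FRAMES, {"10.0.0.10"}):
        print(f"ALERT {src}: {msg}")
```

Run against the constructed frames, the two commands from the engineering workstation are flagged while the master’s STARTDT, the RTU’s measurement and the master’s interrogation pass. In a real deployment the frames would come from a span port or a pcap, and the allow list from the substation’s asset inventory; the parser deliberately rejects APDUs whose length byte disagrees with the buffer, since a sniffer that silently resynchronises on 0x68 is easy to desynchronise.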
Believed to be the work of Israel’s Unit 8200, Duqu was discovered in 2011 by researchers at the CrySyS Lab in Budapest, Hungary. It shares code with Stuxnet, but where Stuxnet sabotaged, Duqu gathered intelligence in support of Stuxnet-style operations; its dropper exploited a zero-day in Windows TrueType font parsing. A second version, codenamed Duqu 2.0, was discovered in 2015 when it was found inside the network of Russian antivirus firm Kaspersky Lab; it ran almost entirely in memory, leaving little on disk for forensics, and relied on further zero-days. Duqu 2.0 was also found on computers in hotels in Austria and Switzerland that hosted the P5+1 negotiations with Iran over its nuclear program and economic sanctions.
PlugX is a remote access trojan (RAT) first documented in 2012 in attacks attributed to Chinese nation-state hackers. Since then the malware has been shared among Chinese groups and is now used by many of them, which makes attributing any single PlugX intrusion to a particular group difficult. It is typically delivered as a three-part package: a legitimate, signed executable that side-loads a malicious DLL, which in turn decrypts and runs the PlugX payload, a trick that lets it slip past naive application allow-listing.
Winnti is very similar to PlugX in that respect: another Chinese-made APT backdoor, initially used by the group Kaspersky named Winnti and later shared across several Chinese APTs. The malware has been around since 2011, when it was used to steal code-signing certificates and source code from online-game studios, and is described as a modular backdoor trojan. In 2019, researchers at Chronicle documented a Linux variant.
Uroburos is a rootkit developed by the Turla group, one of the world’s most advanced nation-state hacking groups, linked to the Russian government. According to the G DATA report that first described it in 2014, “the rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities.”
Uroburos (also referred to as the Turla or Snake rootkit) was widely deployed and very effective for the narrow job it had: gain persistence at boot and fetch further payloads. On 64-bit Windows it got its unsigned kernel driver loaded by abusing a signed but vulnerable third-party driver to switch off driver-signature enforcement. It was the central piece of Turla APT attacks and has been seen on infected computers in Europe, the US and the Middle East since as early as 2008; targets were usually government entities, across some 45 countries. A Linux variant was discovered in 2014.
ICEFOG is yet another piece of Chinese malware that was once used by one group but was later shared and re-used by others. First documented by Kaspersky in 2013, it made a comeback in 2018 and 2019 with new variants; a Mac version has existed since the original campaign.
The only mobile malware on this list, WARRIOR PRIDE, is a toolkit jointly developed by the US NSA and the UK’s GCHQ. It targets both Android and iPhones, and its existence became known in 2014 through the Snowden leaks. The leaked documents describe the iPhone version in far more detail than the Android one: its plug-ins, named after Smurfs, could retrieve any content from an infected handset, silently enable the microphone to listen to nearby conversations, geolocate the device, and power it on when it appeared to be switched off.
The Olympic Destroyer malware was deployed in an attack that crippled internet connections and the official website during the opening ceremony of the Pyeongchang 2018 Winter Olympics; TV stations and journalists were the most affected. The malware is believed to have been created by Russian hackers, later identified as the GRU’s Sandworm unit, as payback for the International Olympic Committee banning the Russian team over state-sponsored doping and allowing only vetted athletes to compete under a neutral flag.
The malware itself combined a credential stealer, which dumped browser and Windows passwords from infected systems, with a worm that reused those credentials over PsExec and WMI to reach other machines, and a wiper that deleted shadow copies, backups and event logs and disabled services, bringing down servers and network gear. It also carried forged file metadata imitating North Korea’s Lazarus group, a deliberate false flag that briefly misled attribution. New Olympic Destroyer versions were spotted in June 2018, months after the initial attack, this time aimed at financial organisations in Russia and chemical and biological threat-prevention labs in Europe.
The only APT-developed malware on this list built to infect routers is VPNFilter. Developed by Russian state hackers, it had compromised roughly half a million routers and NAS devices (MikroTik, Netgear, Linksys, TP-Link and QNAP among them) in 54 countries by the time it was discovered in May 2018, with a sharp build-up of Ukrainian infections in the weeks before the Champions League final in Kyiv. Its stage 1 survived reboots, while later stages added a sniffer for credentials and Modbus traffic and a kill module that could overwrite the device’s flash and brick it. Cisco Talos feared the plan was to trigger that module during the live final, much as Olympic Destroyer had been used to cripple internet connections during the Pyeongchang opening ceremony.
Fortunately, researchers from Cisco Talos spotted the botnet being assembled and went public early; the FBI seized the stage 2 command-and-control domain, so devices reporting in after a reboot were redirected to an FBI-controlled server instead of the attackers. The FBI attributed the malware to the Fancy Bear (APT28/Sofacy) group. The takedown was only partial: a reboot cleared stages 2 and 3, but stage 1 persisted, so affected devices needed a factory reset and a firmware update to be fully cleaned.
All three ransomware outbreaks of 2017 were malware strains developed by nation-state hackers, albeit for different reasons.
The first, WannaCry, was developed by North Korean state hackers (the Lazarus group) for the sole purpose of infecting victims and collecting ransoms for the Pyongyang regime, which at the time was under heavy economic sanctions. To offset those sanctions, the regime used state hackers to rob banks, mine cryptocurrency and run ransomware operations. WannaCry’s worm component, however, did not stop at the local network: it scanned both the local subnet and random internet addresses on port 445 and exploited every unpatched SMBv1 host it found, so what may have been meant as a money-making operation became a global outbreak within hours. Its spread was only halted when a researcher registered the unregistered “kill switch” domain the malware checked before running, and the three hard-coded Bitcoin wallets it used made it impossible to tell which victim had paid.
Two months after WannaCry, a second outbreak hit. Called NotPetya, this ransomware was built by Russia’s Sandworm group (the GRU unit also behind Industroyer; Western governments formally attributed it to the Russian military in 2018) and was initially seeded only in Ukraine, through a trojanised update of the M.E.Doc accounting software that almost every company doing business there uses. From the Ukrainian subsidiaries of multinationals it spread over corporate networks and VPNs worldwide, causing billions in damages. Like WannaCry it carried the EternalBlue exploit (see the EternalBlue entry at the end of this list), together with its sibling EternalRomance, but its most effective spreading mechanism was harvesting credentials from memory with a Mimikatz-style tool and reusing them over PsExec and WMIC, which worked against fully patched hosts too. Despite the ransom note, it was effectively a wiper: the per-victim key shown to the user was random data, so files could not be recovered even by the authors.
The last outbreak of 2017, Bad Rabbit, was also the work of state hackers: researchers linked it to the same group as NotPetya through shared code. It was again seeded in Ukraine and Russia, this time through drive-by downloads of a fake Adobe Flash update planted on compromised news sites, and spread further afield, though with a far smaller impact than WannaCry and NotPetya. Unlike NotPetya it did not use EternalBlue at all; it moved laterally with the related EternalRomance exploit, a built-in list of weak credentials, and WMI/SMB, and its code was sprinkled with Game of Thrones references (its scheduled tasks were named drogon and rhaegal).
EternalBlue may not be malware per se, in the classical sense of the word, being an exploit rather than a payload, but it was developed by a nation-state entity and belongs on this list. It was created by the NSA and became public in April 2017, when a group known as The Shadow Brokers published it online along with other NSA tools; Microsoft had quietly patched the underlying SMBv1 bug (MS17-010, CVE-2017-0144) a month earlier, in March 2017.
After its release it was first used in cryptocurrency-mining campaigns (Adylkuzz), but it truly became a household name once it was embedded in WannaCry and NotPetya (Bad Rabbit used its sibling EternalRomance). Since then EternalBlue has refused to die and has been reused by all sorts of cyber-criminal operations as a mechanism for spreading to other systems inside compromised networks. Note that it exploits a memory-corruption bug in the SMBv1 server (srv.sys) of unpatched Windows hosts, not a client misconfiguration: the fix is to install MS17-010 and, better, disable SMBv1 on servers altogether, and the exposure check is simply whether a host still answers an SMBv1 negotiation.
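Because EternalBlue only works against a host that still speaks SMBv1, the cheapest way to find exposed machines is to offer a server nothing but the SMB1 “NT LM 0.12” dialect and see whether it accepts. The code below is an added example, not from the original article or from any vendor tool: build_negotiate() crafts that request, parse_negotiate_response() interprets the reply, and probe() ties them to a TCP socket. The reply bytes produced by constructed_reply() are hand-built test data rather than a capture from a real server.

```python
"""Check whether a host still accepts SMBv1 negotiation (MS17-010 exposure).

Added example, not code from the original article: EternalBlue needs a
Windows host that still speaks SMBv1 (the bug is in the SMBv1 server,
patched by MS17-010), so the cheapest exposure check is to offer the
server only the SMB1 "NT LM 0.12" dialect and see whether it accepts.
constructed_reply() builds a synthetic NEGOTIATE response for offline
testing; it is not a capture from a real server.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"
HEADER_FMT = "<BIBH2s8sHHHHH"  # SMB1 header after the 4-byte magic (28 bytes)


def _smb1_header(flags: int) -> bytes:
    """32-byte SMB1 header for a NEGOTIATE request (0x18) or reply (0x98)."""
    return SMB1_MAGIC + struct.pack(
        HEADER_FMT,
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status (NT_STATUS_SUCCESS)
        flags,              # Flags: bit 7 set marks a reply
        0xC801,             # Flags2: unicode, NT status, ext. security, long names
        b"\x00\x00",        # PIDHigh
        b"\x00" * 8,        # SecurityFeatures (signature, unused here)
        0,                  # Reserved
        0,                  # TID
        0x1234,             # PIDLow (arbitrary)
        0,                  # UID
        1,                  # MID
    )


def build_negotiate() -> bytes:
    """SMB1 NEGOTIATE request offering only the NT LM 0.12 dialect."""
    dialects = b"\x02" + DIALECT + b"\x00"                  # BufferFormat 0x02 + string
    body = struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount 0, ByteCount
    smb = _smb1_header(0x18) + body
    # NetBIOS session service framing: type 0x00 + 3-byte big-endian length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(data: bytes) -> dict:
    """Interpret the raw TCP bytes received after sending build_negotiate()."""
    def verdict(smb1, reason, index=None):
        return {"smb1": smb1, "dialect_index": index, "reason": reason}

    if len(data) < 4:
        return verdict(False, "no reply or connection closed (SMB1 likely disabled)")
    nb_len = int.from_bytes(data[1:4], "big")
    smb = data[4:4 + nb_len]
    if data[0] != 0x00 or len(smb) < 35:
        return verdict(False, "not a NetBIOS session message")
    if smb[:4] == SMB2_MAGIC:
        return verdict(False, "server answered with an SMB2/3 header")
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return verdict(False, "unexpected reply")
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return verdict(False, f"negotiate rejected, NT status 0x{status:08x}")
    index = struct.unpack_from("<H", smb, 33)[0]  # first parameter word
    if index == 0xFFFF:
        return verdict(False, "no offered dialect accepted", index)
    return verdict(True, "NT LM 0.12 accepted: SMBv1 enabled, patch MS17-010 or disable it", index)


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send the negotiate request to a live host and interpret its reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate())
            data = sock.recv(4096)
    except OSError as exc:  # refused, reset by a host with SMB1 disabled, or timeout
        return {"smb1": False, "dialect_index": None, "reason": f"connection failed: {exc}"}
    return parse_negotiate_response(data)


def constructed_reply(dialect_index: int) -> bytes:
    """Hand-built NEGOTIATE response (constructed test data, not captured)."""
    words = struct.pack("<HBHHIIIIqhB", dialect_index, 3, 50, 1, 16644, 65536,
                        0, 0x8000E3FD, 0, 0, 0)  # 17 parameter words = 34 bytes
    smb = _smb1_header(0x98) + bytes([17]) + words + struct.pack("<H", 0)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # python smb1_probe.py 192.0.2.10
    else:
        print(parse_negotiate_response(constructed_reply(0)))
```

A host with SMBv1 disabled either resets the connection or never answers, both of which the probe reports as not exposed; a host that answers with dialect index 0 has accepted NT LM 0.12 and still needs MS17-010 applied and SMBv1 turned off. The probe never authenticates or sends a transaction, so it is safe to run against production systems, but it says nothing about patch level: a patched host with SMBv1 still enabled will show as “accepted” too, which is the point of disabling the protocol rather than relying on the patch alone.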