Hacking in the name of the law

A couple of days ago the Süddeutsche Zeitung (a German newspaper) reported on a new type of search tool which the German Federal Office of Criminal Investigation would like to make use of in the future. Instead of having to go through the tedious formalities of requesting access to a suspect’s house and confiscating any computers there, a law enforcement agency will be able to remotely access and monitor a suspect’s machine.

Of course, no details are given about how this will be done, or how exactly access to the data will be obtained. But regular readers of this blog might remember my post about its Swiss counterpart: spyware written for use by the authorities to track suspects. There wasn’t any further information given about how that software would be installed, either. Two possible methods would be installation via unpatched vulnerabilities in operating systems or other software, or the classic method of sending the program as an email attachment and banking on the user opening and launching it.

So the Süddeutsche Zeitung article isn’t the first report we’ve seen about malware financed by the authorities, and it certainly won’t be the last. If we assume that every country of a reasonable size is currently developing (or using) its own Trojan program, then it’s only a matter of time before we get a sample of one of these things. And who knows – it could be that we’ve already got one without knowing exactly what it is. After all, a Trojan used by the authorities is hardly likely to send the data it harvests to an easily identifiable police server…
