Thursday 4 October 09:30 - 10:00, Green room
Benoît Ancel (CSIS)
Aleksejs Kuprins (CSIS)
Despite the breach of both Hacking Team and FinFisher, the government malware industry remains a shady market. Due to the amount of secrecy involved, it becomes increasingly more complicated to follow the technologies utilized by these companies and their modus operandi. The lack of transparency can be beneficial when one works with government-related operations. However, it can also be of benefit to any profit-driven actor, who will notice the potential for easy income in such conditions of the market. During our daily monitoring, we have managed to find a fake 'Google Chrome Update' landing page, which we believe is used by a company in its spyware campaigns. The page was designed for infection of Windows, iOS and Android devices. Soon, we were surprised to find a publicly open control panel server. This open C&C has given us the opportunity to collect a variety of precious data: details about the malware, photos and audio recordings from the testing phones, victims' data, and a storage of database backups of the control server. After analysis of the findings, we have figured out that this company appears to be reselling commercial spyware as government espionage spyware. Despite the surprisingly poor quality of the products, we have seen the company do business with serious companies of the legal malware market and even with a government-related institution. While oblivious to the state of its operational security, the company relies simply on making a good impression on potential customers. We propose to present to you some of the work and the achievements of a peculiar German company that 'develops advanced big data systems, cybersecurity & AI, and data extraction solutions for the government and homeland security sectors'.
Benoît Ancel is a malware analyst who has worked for six years in France and now with CSIS in Denmark. His research interests include malware hunting, reversing and botnet tracking. He spends his free time monitoring honeypots and providing IOCs.
Aleksejs Kuprins is a computer security researcher, living in Denmark and employed by CSIS. He initially started out as a software developer in Latvia and moved to Denmark for education, now specializing in Android malware reversing and threat analysis. Aleksejs dedicates his free time to the quadcopter building hobby, sports and malware hunting.
Lotem Finkelstein (Check Point)
Aseel Kayal (Check Point)
Rowland Yu (Sophos)
Masashi Nishihata (Citizen Lab)
John Scott Railton (Citizen Lab)