The world's most famous and dangerous APT (state-developed) malware

  • Regin

    Regin

    Considered the most advanced malware family ever developed by a nation-state actor, Regin was developed by the NSA and shared with some of its Five Eyes partners (primarily GCHQ). Its existence was publicly disclosed in 2014, but the earliest samples date back to 2011, and there are suspicions that the malware was created as early as 2003.

    Known cases where Regin has been deployed in the wild include attacks against Belgian telco Belgacom, against the German government, and, most recently, against Russian search giant Yandex.

    At the technical level, security researchers view Regin as the most advanced malware framework to date, with modules for dozens of features, most of them designed around surveillance operations and staying undetected on infected hosts.

    Published: July 8, 2019 -- 19:50 GMT (12:50 PDT)

    Caption by: Catalin Cimpanu

  • Flame

    Flame

    When it was discovered in 2012, security researchers didn't exactly use the term "malware" to describe Flame. At the time, Flame was so advanced that they used the term "attack toolkit" to describe its structure, which somewhat resembles its big brother, Regin.

    Just like the aforementioned, Flame is a collection of modules that work on top of the Flame framework, and are deployed based on what features operators need.

    It was discovered in 2012 by the MAHER Center of Iran's National CERT in attacks against the country's government agencies. The discovery came two years after the Stuxnet attacks, and Flame was quickly linked to the Equation Group, a codename for the US NSA. It was later discovered in attacks against other Middle East governments as well. Currently, Flame's Wikipedia page holds the best summary of all Flame-related discoveries.


  • Stuxnet

    Stuxnet

    Stuxnet is the only malware on this list with its own documentary film.

    The malware was co-developed in the 2000s by a joint effort between the US NSA and Israel's Unit 8200, the Israeli military's cyber division. It was deployed in 2010 in Iran, as part of a joint effort between the two countries to sabotage Iran's nuclear program.

    Stuxnet, which is said to have used four different zero-days at the time it was unleashed, had been specifically coded to target industrial control systems. Its role was to modify the settings of centrifuges used for nuclear enrichment operations by raising and lowering rotor speeds, with the purpose of inducing vibrations and destroying the machines.

    The malware was successful, and is said to have infected over 200,000 computers, and eventually ended up destroying nearly 1,000 centrifuges at Iran's Natanz nuclear facility.


  • Shamoon

    Shamoon

    The first non-US developed malware on this list is Shamoon, a malware strain developed by Iran's state hackers. It was first deployed in 2012 on the network of Saudi Aramco, Saudi Arabia's largest oil producer. The malware, a data wiper, destroyed over 30,000 computers in the 2012 attack.

    It was deployed in a second attack in 2016, against the same target. Most recently, it has been deployed against Italian oil and gas contractor Saipem, allegedly destroying 10% of the company's PC fleet.


  • Triton

    Triton

    A more recent addition to this list is Triton (also known as Trisis). This malware is believed to have been developed by a Russian research laboratory.

    It was deployed in 2017 and was specifically engineered to interact with Schneider Electric's Triconex Safety Instrumented System (SIS) controllers. According to technical reports from FireEye, Dragos, and Symantec, Triton was designed to either shut down a production process or allow Triconex SIS-controlled machinery to operate in an unsafe state. The malware's code leaked and was eventually published on GitHub.


  • Industroyer

    Industroyer

    The Industroyer malware, also known as Crashoverride, is a malware framework developed by Russian state hackers and deployed in December 2016, in the cyber-attacks against Ukraine's power grid.

    The attack was successful and cut the power to a part of Kyiv, Ukraine's capital, for an hour. The malware is considered an evolution of previous strains like Havex and BlackEnergy, which had also been used in attacks against Ukraine's power grid. However, unlike Havex and BlackEnergy, which were more like generic Windows malware deployed against systems managing industrial systems, Industroyer contained components specifically designed to interact with Siemens power grid equipment.


  • Duqu

    Duqu

    Believed to be the creation of Israel's infamous Unit 8200 military cyber-unit, Duqu was discovered by Hungarian security researchers in 2011. A second version was discovered in 2015, and was codenamed Duqu 2.0.

    The first version was deployed to aid the Stuxnet attacks, while the second was used to compromise the network of Russian antivirus firm Kaspersky Lab. Duqu 2.0 was also found on computers in hotels in Austria and Switzerland where the international negotiations between the US/EU and Iran over its nuclear program and economic sanctions took place.


  • PlugX

    PlugX

    PlugX is a remote access trojan (RAT) that was first seen in 2012, in attacks attributed to Chinese nation-state hackers. Since its discovery, Chinese hackers appear to have shared the malware with each other, and it is now widely used by most Chinese nation-state groups, making attribution to any one group incredibly difficult. A good technical report on PlugX is available here.


  • Winnti

    Winnti

    Winnti is very similar to PlugX. It's another Chinese-made APT malware strain that was initially used by one group but was then shared among all the Chinese APTs as time went by.

    The malware has been around since 2011 and is described as a modular backdoor trojan. Security researchers recently discovered a Linux variant.


  • Uroburos

    Uroburos

    Uroburos was the rootkit developed by the infamous Turla group, one of the world's most advanced nation-state hacker groups, linked to the Russian government.

    According to a G DATA report, "the rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities."

    Uroburos (also referred to as the Turla or Snake rootkit) was widely deployed and was very efficient for the limited purpose it was used for: gaining boot persistence and downloading other malware strains.

    It was the central piece of Turla APT attacks and had been seen on infected computers in Europe, the US, and the Middle East, as early as 2008. Targets usually included government entities. It was seen in 45 countries. A Linux variant was also discovered in 2014.


  • ICEFOG

    ICEFOG

    Yet another piece of Chinese malware that was once used by one group, but was later shared and re-used by others.

    ICEFOG, first spotted in 2013, made a comeback in the last two years, with new variants, and even a Mac version. More on this in our recent coverage.


  • WARRIOR PRIDE

    WARRIOR PRIDE

    The only mobile malware on this list, WARRIOR PRIDE is a tool jointly developed by the US NSA and the UK's GCHQ. It works on both Android and iPhone devices, and its existence became public in 2014, during the Snowden leaks.

    As for capabilities, the iPhone variant was far more advanced than the Android one. It could retrieve any content from infected devices, listen in on nearby conversations by silently enabling the microphone, and could work even when the phone was in sleep mode.


  • Olympic Destroyer

    Olympic Destroyer

    The Olympic Destroyer malware was deployed in an attack that crippled internet connections during the Pyeongchang 2018 Winter Olympics opening ceremony. TV stations and journalists were the ones mostly impacted by the attack.

    The malware was supposedly created by Russian hackers and deployed as payback for the International Olympic Committee banning Russian athletes from the Winter Olympics on doping charges or prohibiting some from competing under the Russian flag.

    The malware itself was an information stealer that dumped application passwords on infected systems, which the hackers later used to escalate their access to other systems, from where they triggered a data-wiping attack that brought down some servers and routers. New Olympic Destroyer versions were spotted in June 2018, months after the initial attacks.


  • VPNFilter

    VPNFilter

    The only APT-developed malware on this list created to infect routers is VPNFilter. Developed by Russian state hackers, the malware had been deployed in advance of the 2018 Champions League final, which was being held in Kyiv, Ukraine.

    The supposed plan was to use the malware to damage routers during the final's live transmission, similar to how the Olympic Destroyer malware was used to cripple internet connections during the opening ceremony of the Pyeongchang 2018 Winter Olympics.

    Fortunately, security researchers from Cisco Talos saw the VPNFilter botnet being assembled, and took it down with the help of the FBI. The malware was supposedly created by the Fancy Bear APT, according to the FBI.


  • WannaCry

    WannaCry

    All three ransomware outbreaks of 2017 were malware strains developed by nation-state hackers, albeit for different reasons.

    The first of these, the WannaCry ransomware, was developed by North Korean state hackers for the sole purpose of infecting victims and collecting ransoms for the Pyongyang regime, which at the time was under heavy economic sanctions. To lighten the impact of these sanctions, the regime was using state hackers to rob banks, mine cryptocurrency, or run ransomware operations to collect funds.

    However, errors in the WannaCry code meant that instead of spreading only within local networks, the ransomware's self-replicating (worm) component went haywire and infected everything in sight, causing a global outbreak.


  • NotPetya

    NotPetya

    Two months after WannaCry, a second ransomware outbreak hit the world. Called NotPetya, this ransomware was coded by Russia's Fancy Bear (APT28) group, and was initially deployed only in Ukraine.

    However, due to shared networks and enterprise VPNs, the ransomware spread globally, much like WannaCry, causing billions in damages. Just like WannaCry, NotPetya used the EternalBlue exploit as the central piece of its worm component (see the last slide for more on EternalBlue).


  • Bad Rabbit

    Bad Rabbit

    The last global ransomware outbreak of 2017 was also the work of state hackers. Just like NotPetya, Bad Rabbit was the work of Russian hackers, who similarly deployed it in Ukraine; the ransomware then spread worldwide, albeit with a smaller impact than the first two, WannaCry and NotPetya.

    Unlike NotPetya, it didn't use EternalBlue as its primary spreading mechanism, and also included lots of Game of Thrones references.


  • EternalBlue

    EternalBlue

    EternalBlue may not be malware per se, in the classical meaning of the word, being more of an exploit, but it was still developed by a nation-state entity and belongs on this list. It was created by the NSA and became public in April 2017, when a group of mysterious hackers known as The Shadow Brokers published the code online.

    After its release, it was first used in cryptocurrency mining campaigns, but it truly became a widely known and recognizable term after it was embedded in the code of the three ransomware outbreaks of 2017, namely WannaCry, NotPetya, and Bad Rabbit.

    Since then, EternalBlue has refused to die and has been widely used by all sorts of cyber-criminal operations, all of which use it as a mechanism for spreading to other systems inside compromised networks by exploiting misconfigured SMBv1 clients on Windows computers.

By Catalin Cimpanu for Zero Day | July 8, 2019 -- 19:50 GMT (12:50 PDT) | Topic: Security


A list of the most dangerous, effective, and most well-known malware strains that have been developed by the cyber-security units of various countries' intelligence and military branches.
