USHack2020: The Risk of a Quick, Shallow Recovery That Leaves Spyware Behind
Sophisticated attackers anticipated the current exposure and the hurried recovery effort that follows it; they likely rely on deeply buried spyware to keep spying.
The Russians perfected the method: double-buried spyware. When the victim digs out the shallow-buried spyware, they are jubilant at having spotted it, oblivious to the fact that a deeper-buried spyware is still lurking.

Case in point: the attacker stealthily installs a randomness filter at the output of the random number generator that feeds all the major ciphers. The filter ensures that only low-grade random sequences reach the cipher, so the resulting ciphertext can be cracked with comparatively little effort. This filter is the "shallow-buried" spyware, and it is readily detected upon careful inspection. Deeper down, the attacker has replaced the regular crypto module with a hacked module that appends to each ciphertext an encrypted copy of the key that produced it. When the ciphertext is released to the Internet, the attacker captures it, decrypts the appended section to recover the key used for the secret message, and then uses that key to read the message. The deep and the shallow spyware work together without interfering with each other, but each also works on its own.

The victim of the attack is never sure whether all the spyware has been flushed out. This is especially true of a long-lasting attack that has been built up over time. This case illustrates the need for robust cyber recovery programs. The mission is so big that every qualified player should be on call.
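The scenario above can be modelled end to end, and doing so shows why fixing only the randomness filter is a false recovery. The following is an added example, not code from the original article or from any real product involved in the incident. Everything in it is constructed for illustration: the cipher is a toy SHA-256 keystream rather than a real cipher, `ATTACKER_KEY` stands for a key baked into the hacked module, the filter is modelled as collapsing the RNG to a 16-bit seed (one concrete way to make "low-grade" randomness), and the two checks (`rng_collision_check`, `ciphertext_length_check`) are the kind of boundary tests a recovery team would add, not anything the article describes.

```python
"""
Toy model of the double-buried implant: a randomness filter (shallow) and a
crypto module that escrows the session key inside the ciphertext (deep).
All names, keys and the cipher are constructed for illustration.
"""
import hashlib
import secrets
from typing import Callable, Optional

KEY_LEN = 16

# Constructed attacker key assumed to be hard-coded in the hacked module.
ATTACKER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter).
    Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def honest_rng(n: int) -> bytes:
    return secrets.token_bytes(n)


def key_from_seed(seed: int, n: int = KEY_LEN) -> bytes:
    return hashlib.sha256(b"filter" + seed.to_bytes(2, "big")).digest()[:n]


def filtered_rng(n: int) -> bytes:
    """Shallow implant: the output looks random byte by byte, but it is derived
    from a 16-bit seed, so only 65536 distinct keys can ever be produced."""
    seed = int.from_bytes(secrets.token_bytes(2), "big")
    return key_from_seed(seed, n)


def honest_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return keystream_xor(key, plaintext)


def backdoored_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Deep implant: the hacked module appends the session key, encrypted
    under the attacker's key, to every ciphertext it produces."""
    escrow = keystream_xor(ATTACKER_KEY, key)
    return keystream_xor(key, plaintext) + escrow


def attacker_recover(ciphertext: bytes) -> bytes:
    """Attacker side: peel off the escrow block, decrypt it to the session
    key, then decrypt the message body with that key."""
    body, escrow = ciphertext[:-KEY_LEN], ciphertext[-KEY_LEN:]
    session_key = keystream_xor(ATTACKER_KEY, escrow)
    return keystream_xor(session_key, body)


def crack_filtered_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Why low-grade randomness is fatal on its own: with a known plaintext
    prefix, all 65536 keys the filter can emit are tried in well under a second."""
    for seed in range(1 << 16):
        key = key_from_seed(seed)
        if keystream_xor(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return key
    return None


def rng_collision_check(rng: Callable[[int], bytes], samples: int = (1 << 16) + 1) -> bool:
    """Check for the shallow implant. Drawing 65537 16-byte keys from a 16-bit
    seed space must repeat (pigeonhole); a healthy 128-bit RNG never will.
    Returns True when the RNG looks healthy."""
    seen = set()
    for _ in range(samples):
        key = rng(KEY_LEN)
        if key in seen:
            return False
        seen.add(key)
    return True


def ciphertext_length_check(encrypt: Callable[[bytes, bytes], bytes], plaintext: bytes) -> bool:
    """Check for the deep implant. A stream cipher's output must be exactly as
    long as its input; extra bytes mean the module is carrying something it
    should not. Returns True when the length invariant holds."""
    return len(encrypt(honest_rng(KEY_LEN), plaintext)) == len(plaintext)


def shallow_recovery_still_leaks(message: bytes) -> bool:
    """The quick, shallow recovery: the filter is gone (honest_rng) but the
    hacked module remains. Returns True if the attacker still reads the message."""
    key = honest_rng(KEY_LEN)
    return attacker_recover(backdoored_encrypt(key, message)) == message


if __name__ == "__main__":
    msg = b"REPORT: constructed sample message for the demo"
    print("filtered RNG passes collision check:", rng_collision_check(filtered_rng))
    print("honest RNG passes collision check:  ", rng_collision_check(honest_rng))
    print("hacked module passes length check:  ", ciphertext_length_check(backdoored_encrypt, msg))
    print("attacker still reads message after RNG fix:", shallow_recovery_still_leaks(msg))
    weak_key = filtered_rng(KEY_LEN)
    print("brute-forced filtered key:", crack_filtered_key(honest_encrypt(weak_key, msg), b"REPORT: ") == weak_key)
```

The two checks sit at different boundaries, which is the point: a sampling test on the RNG says nothing about the module that consumes the key, and a length invariant on the ciphertext says nothing about the key's quality. A recovery that only re-runs the first check declares victory while `shallow_recovery_still_leaks` is still true. The length check is also only as good as the invariant it encodes; a module that hid the escrowed key inside a nonce or padding field of the expected size would need a different check (for instance, comparing ciphertext against a known-good reference implementation on the same key and input).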