Nation-states are, in one way or another, involved in a large share of serious cyber attacks. That is simply the reality of a 21st-century global cyber conflict that we all seem to be a part of. The newest development is a piece of malware dubbed SFG, which security researchers consider a "derivative" of the covert Furtim malware. In an extensive report by SentinelOne, SFG is reported to evade every intrusion detection method it was tested against: firewalls, antivirus scanners, and even the sandbox environments used by security professionals.
SFG keeps its payload encrypted and decrypts it in memory only while it is running; before the process exits, it encrypts the region again, so the plaintext exists only briefly and only in a live process. The SentinelOne team were able to unpack the malware's code, and in the process discovered that "a large chunk of the .data region is encrypted using RC4… creating another problem for static analysis and static detection… before the process is terminated, this region is re-encrypted." For an analyst this means that neither the file on disk nor a memory image taken after the process has exited readily exposes the decrypted strings and configuration; they must be captured while the process is live, or the region must be decrypted offline once the key material has been recovered from the unpacking routine.
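The following is an added example, not code from the SentinelOne report or from the malware itself, to show why an RC4-encrypted data region defeats naive static signature scanning and what an analyst gets back once the region is decrypted. The key, the indicator strings and the region layout are all constructed assumptions for illustration; nothing here reproduces SFG's real key or contents.

```python
"""Added example: RC4-encrypted data region versus static string scanning.

Hypothetical key, indicator strings and layout; none are SFG's real values.
"""
import math
from typing import List, Tuple

# Constructed indicator strings a static scanner might look for in .data.
INDICATORS: List[bytes] = [b"cmd.exe /c", b"http://example.invalid/c2", b"Get-Process"]
KEY = b"hypothetical-rc4-key"  # assumption: illustrative key, not the real one
REGION_SIZE = 512


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_data_region() -> bytes:
    """Constructed plaintext .data region: NUL-separated strings, NUL padding."""
    body = b"\x00".join(INDICATORS) + b"\x00"
    return body.ljust(REGION_SIZE, b"\x00")


def static_scan(region: bytes) -> List[bytes]:
    """Naive signature check: which indicators appear as plaintext bytes?"""
    return [s for s in INDICATORS if s in region]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted regions sit near 8."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def lifecycle() -> Tuple[int, int, int]:
    """Signature hits at rest, while running, and after re-encryption."""
    on_disk = rc4(KEY, build_data_region())        # as stored in the binary
    hits_at_rest = len(static_scan(on_disk))
    in_memory = rc4(KEY, on_disk)                   # decrypted at runtime
    hits_running = len(static_scan(in_memory))
    before_exit = rc4(KEY, in_memory)               # re-encrypted before exit
    hits_after_exit = len(static_scan(before_exit))
    return hits_at_rest, hits_running, hits_after_exit


def recover_strings(encrypted_region: bytes, key: bytes) -> List[bytes]:
    """Analyst side: decrypt offline with recovered key material, split on NUL."""
    plain = rc4(key, encrypted_region)
    return [s for s in plain.split(b"\x00") if s]


if __name__ == "__main__":
    at_rest, running, after_exit = lifecycle()
    print(f"signature hits: at rest={at_rest}, running={running}, after exit={after_exit}")
    on_disk = rc4(KEY, build_data_region())
    print(f"entropy on disk={entropy(on_disk):.2f}, decrypted={entropy(rc4(KEY, on_disk)):.2f}")
    print("recovered:", recover_strings(on_disk, KEY))
```

The signature scan only fires against the in-memory copy, which is exactly the window the re-encryption step shrinks. What survives in the static artifact is a high-entropy block where a data section would normally hold readable strings, which is a useful heuristic for flagging samples that deserve dynamic analysis even when no signature matches.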
It appears that at least one power grid in Europe has already come under attack from SFG, and more attacks are likely to follow. Malware of this complexity is never a one-time-use item; too much effort goes into its creation. The development and the attacks appear to originate from various Eastern European locations, but that does not answer the question of motive or of the attackers' identities. There are a few guesses: cyber-terrorists? Hackers for hire? The nation-states themselves?
The researchers behind the SFG report seem to point to the nation-state angle. SentinelOne's chief security officer Udi Shamir states that "the malware has all the hallmarks of a nation-state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature." If governments are in fact behind the creation and deployment of SFG, the implications are severe: a government (or several) is directly attacking infrastructure vital to civilian survival.
Assuming a nation-state is responsible, this is a clear declaration of war as far as I am concerned, and the international community should take note. If the attack is not from a governmental source, it still deserves close global attention. Malware of this nature, especially when it targets power grids, can spread quickly and shut down vital resources. SFG will undoubtedly continue to be studied, and eventually deterrents should be put in place.
No malware is perfect; it simply requires the right team to stop it.