"It's likely that only national intelligence agencies have the resources to build software of this complexity and sophistication."
That's a notion that's coming up more often recently. I think there are good reasons to suspect that governments are behind it, but complexity and sophistication are not good enough reasons.
Yes, governments are large organizations that can throw a lot of resources at a problem, but software isn't built like the pyramids of Giza where using more slaves moves more stones in a given amount of time. A handful of competent people can build very complex and sophisticated software.
It may also be underpaid and underappreciated hackers in a variety of countries who are contracted by criminal organizations.
If I was a senior exec with Hell's Angels, I would offer a few hundred dollars a day to Moscow cab drivers, e.g., who happen to have Ph.D.s in computer engineering, mathematics, or other equally interesting degrees - people who are more than qualified for this sort of work, but who cannot find work in their fields and have mouths to feed.
In fact, I would probably establish a JV with an appropriate organization, have them recruit, manage, and build, take the product for my criminal uses, then allow the JV to market it to others, and split the profits from that use with my JV partner.
Speaking of governments, why not large, rogue corporations, ones that are so large that they operate as unelected governments, unaffiliated with any particular country and above all law?
I'm amazed at how people are scared of corporations more than governments. Corporations are kept in check because all the money they spend on things is their own money. Now those could be evil things they spend their money on, indeed. But they are limited in resources. They can't print new money or order their customers to pay. Governments can do all of those things and they know that whatever sick shit they do, people will be forced to pay anyway.
I can tell you why people are scared of corporations. It's because they transcend nation states and hence democracy. They can pick and choose from different jurisdictions for different purposes. Pay taxes here, use good infrastructure there, conform to environmental standards or labor laws in one country whilst exploiting broken political funding rules in another one.
I can't say this is always bad. Sometimes it helps us avoid authoritarian ideas that various governments subject us to. Sometimes it leads to cheaper goods and services for all of us. But it is definitely scary how large entities controlled by a small wealthy minority wield such disproportionate power.
> It's because they transcend nation states and hence democracy. They can pick and choose from different jurisdictions for different purposes. Pay taxes here, use good infrastructure there, conform to environmental standards or labor laws in one country whilst exploiting broken political funding rules in another one.
None of that I consider to be inherently bad. Democratic states do much worse things, like mass murdering people in wars and imprisoning people for victimless crimes - and all of that states do using money they confiscate from their citizens. Call me when a corporation does anything close to such atrocities.
I merely explained why people are scared of corporations. I didn't say that there isn't anything more scary. But if you think that wars haven't been fought over corporate interests or that corporations, organized crime and governments are always completely separate things you are very mistaken.
A careto is a costumed thief character from an ancient pagan ritual in Portugal.
"Caretos are masked young men dressed in suits made of yellow, red, black, blue and green fringe wool quilts, wearing brass, leather or wooden masks and rattles in their belts. ... They appear in groups from every corner of the village running and shouting excitedly, frightening the people and “robbing” all the wineries." [0]
The trojan referred to in this story is known by another name. [1]
Personally, I only think a malware is sophisticated based on how it infects (like Stuxnet with 4 Windows zero-days, and Windows update hijacking with fake code signing certificate). Spear phishing seems to be pretty boring. I think Kaspersky is just embarrassed that the malware (they say unsuccessfully) originally exploited Kaspersky AV. Also, anyone can write "complicated" C&C software. There are a lot of bundles you can find online that do most of what's listed.
Apparently the malware used three backdoors; given the reporting that it was in the wild for 7 years, I can't help but think they were zero-day exploits.
"we don't know who created it" Umm yes catchy headline, but internet criminals usually don't have support help desks or leave contact details.
The Washington Post article reads as FUD written by somebody who has little or no idea what he is writing about.
As @yifanly mentions, most of the scary stuff mentioned is available as a premade kit for sale online.