Hacker Group Claims German Government Built Backdoor Malware, Spying on Citizens
The three-decade-old German hacker group Chaos Computer Club (CCC) is claiming in a new report that the German government has developed software to gather information from target computers. The software, which CCC refers to as Bundestrojaner or “government trojan,” can capture screenshots, record keystrokes, and record audio from sources like Skype calls. Most troubling, CCC says that this piece of software has a built-in “backdoor” that allows for the installation and execution of additional software on infected computers.
In their post, CCC provides no direct evidence that the German government developed the software. They say that the trojan was submitted to their group anonymously, and that they have found other iterations operating in the wild. The security research group F-Secure Labs has reviewed the software and confirmed that it functions as the CCC described, though they could find no evidence of its origins. F-Secure has dubbed it Backdoor:W32/R2D2.A, based on a string in the software’s code that is used to initiate data transmission. If the software is in truth connected to the German government, CCC says that it would violate German law governing the use of electronic surveillance.
Information on the alleged government trojan was released by the CCC in a German-language report and an English-language blog post. The group has also released the binaries of the software they analyzed. The hacker group claims that the trojan in their possession can take control of infected computers in order to capture surveillance data. From their English-language post:
For the analysis, the CCC wrote its own control terminal software that can be used to remotely control infected PCs over the internet. With its help it is possible to watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web based cloud services.
CCC also says that the software has a built-in ability to upload additional code, making the trojan a foothold inside an infected computer for greater surveillance.
The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means, an “upgrade path” from Quellen-TKÜ to the full Bundestrojaner’s functionality is built-in right from the start. Activation of the computer’s hardware like microphone or camera can be used for room surveillance.
Beyond the intrusive nature of the software they analyzed, the CCC says that existing versions of the trojan are poorly secured. Again, from the CCC’s post:
The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies’ IT infrastructure could be attacked through this channel. The CCC has not yet performed a penetration test on the server side of the trojan infrastructure.
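The weakness CCC describes is the absence of any authentication or integrity protection on the command channel, which is what lets a third party issue commands or pose as a particular trojan instance. The following added example (not code from the CCC, F-Secure or the analyzed binary) shows what the missing control looks like in a generic remote-management channel: every frame carries an HMAC over a per-endpoint key, a sequence number and the command, so the receiver rejects forged, tampered, replayed and mis-attributed frames. Instance IDs, keys and commands are constructed placeholders, and the example covers integrity and authenticity only, not confidentiality.

```python
import hashlib
import hmac
import json

# Constructed per-endpoint secrets (placeholders). Binding each endpoint to its
# own key is what stops one endpoint from claiming to be another.
INSTANCE_KEYS = {"instance-01": b"constructed-key-01", "instance-02": b"constructed-key-02"}


def seal(instance_id: str, seq: int, command: str, key: bytes) -> dict:
    """Build an authenticated frame: the MAC covers the id, sequence number and command."""
    body = json.dumps({"id": instance_id, "seq": seq, "cmd": command}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Checks every frame the way the analyzed channel, per CCC, does not."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per endpoint

    def verify(self, frame: dict):
        """Return (command, "ok") or (None, reason) for a rejected frame."""
        body = frame.get("body", "")
        try:
            fields = json.loads(body)
        except ValueError:
            return None, "malformed"
        key = self.keys.get(fields.get("id"))
        if key is None:
            return None, "unknown instance"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; a wrong key or an edited body both fail here.
        if not hmac.compare_digest(expected, frame.get("tag", "")):
            return None, "bad tag"
        seq = fields.get("seq", -1)
        if not isinstance(seq, int) or seq <= self.last_seq.get(fields["id"], -1):
            return None, "replay"  # old or repeated frame, even with a valid tag
        self.last_seq[fields["id"]] = seq
        return fields.get("cmd"), "ok"


if __name__ == "__main__":
    rx = Receiver(INSTANCE_KEYS)
    good = seal("instance-01", 1, "status", INSTANCE_KEYS["instance-01"])
    print(rx.verify(good))  # accepted
    print(rx.verify(good))  # same frame again: replay
    forged = dict(good, body=good["body"].replace("status", "reboot"))
    print(rx.verify(forged))  # edited body: bad tag
    # instance-01's key used to speak as instance-02: bad tag
    print(rx.verify(seal("instance-02", 1, "status", INSTANCE_KEYS["instance-01"])))
```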
In the announcement of their findings, the CCC says that they have already informed governmental agencies of their findings and their intention to release the information publicly. They say that the early warning would allow the alleged creators of the software to use the “existing self destruct function of the trojan” and prevent malicious use of infected computers by outside parties once the CCC released their analysis.
Though this is clearly a dangerous piece of software, its most troubling aspect is that the trojan’s creators remain unknown. While there is already a plethora of nasty software roaming the web, only a handful have been suspected to be part of government-run hacking operations. Should the German government be irrefutably connected with this software, it could open a new chapter in cyber-espionage.