The Snow Queen: A cybersecurity report in seven stories
17 May 20, 06:45

Quote:
Hans Christian Andersen's report on the Kai infection incident, and the investigation by infosec expert Gerda.
 
 What do you think the fairy tale The Snow Queen by Danish cybersecurity specialist Hans Christian Andersen is really about? A brave girl who defeats the personification of winter and death to save her beloved friend? Think again.
 
 Let’s get real: It’s a fairly detailed account of an investigation by up-and-coming information security expert Gerda into how a certain Kai got infected with a nasty piece of sophisticated malware. This so-called fairy tale is written in the form of seven stories that clearly correspond to the investigation stages.
 
 Story 1: A mirror and its fragments
 
 If you’ve ever read our Securelist.com expert blog (or any other well-done infosec research, for that matter), you probably know that investigation reports often begin with an exploration of the history of incidents. Andersen’s is no different: Its first story delves into the very origins of the Kai case.
 
 Once upon a time (according to Andersen’s data) a hobgoblin created a magic mirror that held the power to diminish people’s good and beautiful qualities and magnify their bad and ugly aspects. The mirror was broken by his apprentices into billions of fragments that penetrated people’s eyes and hearts yet retained the mirror’s original reality-distorting properties. Some people inserted fragments into their window frames, which warped their views. Others used them as lenses for their spectacles.
 
 We already know from Snow White that storytellers often used mirrors as a metaphor for screens in a broad sense: TVs, computers, tablets, phones — you get the picture (literally).
 
 So, translating Andersen’s words from the language of allegories into plain prose yields the following: A mighty hacker created a system with a built-in browser that distorted websites. Subsequently, his apprentices used pieces of source code to infect a huge number of Microsoft Windows devices and even augmented reality glasses.
 
 In fact, the phenomenon was not at all uncommon. The EternalBlue exploit leak is the ur-example. It led to the WannaCry and NotPetya pandemics, as well as several other, less-devastating ransomware outbreaks. But we digress. Back to our fairy tale.
 
 Story 2: A little boy and a little girl
 
 In the second story, Andersen proceeds to a more detailed description of one of the victims and the initial infection vector. According to the available data, Kai and Gerda communicated through their adjacent attic windows (Windows-based communication!). One winter, Kai saw through his window a strange, beautiful woman wrapped in an ultrafine white tulle. This was Kai’s first meeting with the hacker (hereinafter referred to by her handle, “The Snow Queen”).
 
 A short while later, Kai felt a stabbing sensation right in his heart, and something pricking his eye. This is how Andersen describes the moment of infection. Once the malicious code had entered his heart (OS kernel) and eye (data input device), Kai’s reaction to external stimuli changed radically, and all incoming information appeared distorted.
 
 Sometime later, he left home entirely, roping his sled to the Snow Queen’s sleigh. Trusting her for some reason, Kai told the Snow Queen how he could do mental arithmetic even with fractions, and that he knew the size and population of every country. Minor details, it would seem. But as we shall see later, this is in fact precisely what the attacker was interested in.
 
 Story 3: The flower garden of the woman skilled in magic
 
 Gerda began her own investigation and happened to run into a woman who, for whatever reason, impeded her inquiry. To cut to the chase, we’re most interested in the moment when the sorceress combed Gerda’s curls, causing her to forget Kai.
 
 In other words, the crone somehow corrupted the data regarding the investigation. Note that her cyberweapon of choice, a comb, is already known to us. In the Grimm brothers’ report on the Snow White incident, the stepmother used a similar tool to block her victim. Coincidence? Or are these incidents related?
 
 In any event, as in the case of Snow White, the comb-induced block was not permanent — the data was restored and Gerda continued her investigation.
 
 At the end of the third part of the report, Gerda asked the flowers in the witch’s garden if they had seen Kai. This is most likely a reference to the old ICQ messenger, which had a flower as its logo (and as a user status indicator). By communicating with the witch, Gerda was trying to get additional information about the incident using her contacts.
 
 Story 4: The prince and the princess
 
 The fourth stage of the investigation doesn’t seem entirely relevant. Gerda tried to run Kai through the government database. To do that, she got to know some ravens who gave her access to a government building (the royal palace).
 
 Although that didn’t produce any results, Gerda dutifully informed the government about the vulnerability and the insecure ravens. The prince and the princess patched the vulnerability, telling the ravens that they weren’t angry with them, but not to do it again. Note that they didn’t punish the birds but simply asked them to change their behavior.
 
 As a reward, the prince and the princess supplied Gerda with resources (a carriage, warm clothing, servants). This is a great example of how an organization should respond when researchers report a vulnerability — let’s hope the reward wasn’t a one-off but became a proper bug-bounty program.
 
 Story 5: The little robber girl
 
 In this story, Gerda seemingly fell into the clutches of bandits. Andersen actually uses another allegory to explain that, having reached a dead end at the previous stage of the investigation, Gerda was forced to engage the help of forces that were, shall we say, not entirely law-abiding.
 
 The cybercriminals put Gerda in touch with some pigeon informants that knew exactly who was to blame for the Kai incident, as well as with a reindeer in possession of the addresses of some useful darknet contacts. The help wasn’t cheap; she lost most of the resources gained in the previous story.
 
 So as not to undermine the young researcher’s integrity, Andersen tries to describe her dealings with the criminals as unavoidable — they robbed her first, he says, and only then, taking pity on their victim, provided information. That doesn’t sound too convincing. More likely, it was a mutually beneficial arrangement.
 ...
Messages In This Thread
The Snow Queen: A cybersecurity report in seven stories - by harlan4096 - 17 May 20, 06:45