June 25, 2012, 2:07 PM — The world of malware has, over the last couple of decades, morphed to become not just a mechanism with which to subvert people's computers and steal money, but also a way for corporations and sovereign states to conduct cyber espionage.
An example of malware being used for industrial cyber espionage emerged two months ago, when a worm that had previously been quite rare broke out suddenly in Peru and neighboring countries.
This worm, specific to the electronic drafting software AutoCAD, is called ACAD/Medre.A and is written in AutoLISP, the language used to script operations in AutoCAD. ACAD/Medre.A has a very devious agenda: it emails copies of the drawings the user opens to over 40 mailboxes hosted at two different Chinese ISPs.
The antivirus firm ESET in San Diego was the first to detect the outbreak in Peru and noted that they could "see detections at specific URLs, which made it clear that a specific website supplied [an infected] AutoCAD template that appears to be the basis for this localized spike ... If it is assumed that companies which want to do business with [the company at the URL] have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the - by then - infected project and then [infect] their own environment."
In other words, someone or some organization -- not necessarily in China -- planted the infected template. As a result they were able to swipe the drawings of all of the companies competing for some project, presumably to gain an edge in securing business.
ESET estimates that something like 100,000 drawings were stolen before ESET, with the help of Autodesk, the Chinese National Computer Virus Emergency Response Center, and the Chinese ISPs involved, was able to contain the problem. For a detailed look at the technology behind the attack, see the posting "ACAD/Medre.A Technical Analysis" in the ESET Threat Blog.
ESET now offers a free, stand-alone cleaner which will search for and remove ACAD/Medre.A infections.
So industrial cyber espionage is a big deal, but even more impressive and much more worrying is military cyber espionage because the stakes and consequences are much higher.