{"id":21302,"date":"2020-05-15T15:43:56","date_gmt":"2020-05-15T10:13:56","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/snow-queen-cybersecurity\/21302\/"},"modified":"2020-05-15T15:43:56","modified_gmt":"2020-05-15T10:13:56","slug":"snow-queen-cybersecurity","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/snow-queen-cybersecurity\/21302\/","title":{"rendered":"The Snow Queen: A cybersecurity report in seven stories"},"content":{"rendered":"<p>What do you think the fairy tale <em>The Snow Queen<\/em> by Danish cybersecurity specialist Hans Christian Andersen is really about? A brave girl who defeats the personification of winter and death to save her beloved friend? Think again.<\/p>\n<p>Let\u2019s get real: It\u2019s a fairly detailed account of an investigation by up-and-coming information security expert Gerda into how a certain Kai got infected with a nasty piece of sophisticated malware. This so-called fairy tale is written in the form of seven stories that clearly correspond to the investigation stages.<\/p>\n<h2>Story 1: A mirror and its fragments<\/h2>\n<p>If you\u2019ve ever read our <a href=\"https:\/\/securelist.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Securelist.com<\/a> expert blog (or any other well-done infosec research, for that matter), you probably know that investigation reports often begin with an exploration of the history of incidents. Andersen\u2019s is no different: Its first story delves into the very origins of the Kai case.<\/p>\n<p>Once upon a time (<a href=\"http:\/\/hca.gilead.org.il\/snow_que.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">according to Andersen\u2019s data<\/a>) a hobgoblin created a magic mirror that held the power to diminish people\u2019s good and beautiful qualities and magnify their bad and ugly aspects. 
The mirror was broken by his apprentices into billions of fragments that penetrated people\u2019s eyes and hearts yet retained the mirror\u2019s original reality-distorting properties. Some people inserted fragments into their window frames, which warped their views. Others used them as lenses for their spectacles.<\/p>\n<p>We already know from <em><a href=\"https:\/\/www.kaspersky.com\/blog\/snow-white-cryptominers\/31987\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Snow White<\/a><\/em> that storytellers often used mirrors as a metaphor for screens in a broad sense: TVs, computers, tablets, phones \u2014 you get the picture (literally).<\/p>\n<p>So, translating Andersen\u2019s words from the language of allegories into plain prose yields the following: A mighty hacker created a system with a built-in browser that distorted websites. Subsequently, his apprentices used pieces of source code to infect a huge number of Microsoft Windows devices and even augmented reality glasses.<\/p>\n<p>In fact, the phenomenon was not at all uncommon. The EternalBlue exploit leak is the ur-example. It led to the <a href=\"https:\/\/www.kaspersky.com\/blog\/five-most-notorious-cyberattacks\/24506\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">WannaCry and NotPetya<\/a> pandemics, as well as several other, less-devastating ransomware outbreaks. But we digress. Back to our fairy tale.<\/p>\n<h2>Story 2: A little boy and a little girl<\/h2>\n<p>In the second story, Andersen proceeds to a more detailed description of one of the victims and the initial infection vector. According to the available data, Kai and Gerda communicated through their adjacent attic windows (Windows-based communication!). One winter, Kai saw through his window a strange, beautiful woman wrapped in an ultrafine white tulle. 
This was Kai\u2019s first meeting with the hacker (hereinafter referred to by her handle, \u201cThe Snow Queen\u201d).<\/p>\n<p>A short while later, Kai felt a stabbing sensation right in his heart, and something pricking his eye. This is how Andersen describes the moment of infection. Once the malicious code had entered his heart (OS kernel) and eye (data input device), Kai\u2019s reaction to external stimuli changed radically, and all incoming information appeared distorted.<\/p>\n<p>Sometime later, he left home entirely, roping his sled to the Snow Queen\u2019s sleigh. Trusting her for some reason, Kai told the Snow Queen how he could do mental arithmetic even with fractions, and that he knew the size and population of every country. Minor details, it would seem. But as we shall see later, this is in fact precisely what the attacker was interested in.<\/p>\n<h2>Story 3: The flower garden of the woman skilled in magic<\/h2>\n<p>Gerda began her own investigation and happened to run into a woman who, for whatever reason, impeded her inquiry. To cut to the chase, we\u2019re most interested in the moment when the sorceress combed Gerda\u2019s curls, causing her to forget Kai.<\/p>\n<p>In other words, the crone somehow corrupted the data regarding the investigation. Note that her cyberweapon of choice, a comb, is already known to us. In the <a href=\"https:\/\/www.kaspersky.com\/blog\/snow-white-cryptominers\/31987\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Grimm brothers\u2019 report on the <em>Snow White<\/em> incident<\/a>, the stepmother used a similar tool to block her victim. Coincidence? Or are these incidents related?<\/p>\n<p>In any event, as in the case of Snow White, the comb-induced block was not permanent\u00a0\u2014 the data was restored and Gerda continued her investigation.<\/p>\n<p>At the end of the third part of the report, Gerda asked the flowers in the witch\u2019s garden if they had seen Kai. 
This is most likely a reference to the old ICQ messenger, which had a flower as its logo (and as a user status indicator). By communicating with the witch, Gerda was trying to get additional information about the incident using her contacts.<\/p>\n<h2>Story 4: The prince and the princess<\/h2>\n<p>The fourth stage of the investigation doesn\u2019t seem entirely relevant. Gerda tried to run Kai through the government database. To do that, she got to know some ravens who gave her access to a government building (the royal palace).<\/p>\n<p>Although that didn\u2019t produce any results, Gerda dutifully informed the government about the vulnerability and the insecure ravens. The prince and the princess patched the vulnerability, telling the ravens that they weren\u2019t angry with them, but not to do it again. Note that they didn\u2019t punish the birds but simply asked them to change their behavior.<\/p>\n<p>As a reward, the prince and the princess supplied Gerda with resources (a carriage, warm clothing, servants). This is a great example of how an organization should respond when researchers report a vulnerability\u00a0\u2014 let\u2019s hope the reward wasn\u2019t a one-off but became a proper <a href=\"https:\/\/www.kaspersky.com\/blog\/even-more-transparency\/19943\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">bug-bounty program<\/a>.<\/p>\n<h2>Story 5: The little robber girl<\/h2>\n<p>In this story, Gerda seemingly fell into the clutches of bandits. Andersen actually uses another allegory to explain that, having reached a dead end at the previous stage of the investigation, Gerda was forced to engage the help of forces that were, shall we say, not entirely law-abiding.<\/p>\n<p>The cybercriminals put Gerda in touch with some pigeon informants that knew exactly who was to blame for the Kai incident, as well as with a reindeer in possession of the addresses of some useful darknet contacts. 
The help wasn\u2019t cheap; she lost most of the resources gained in the previous story.<\/p>\n<p>So as not to undermine the young researcher\u2019s integrity, Andersen tries to describe her dealings with the criminals as unavoidable\u00a0\u2014 they robbed her first, he says, and only then, taking pity on their victim, provided information. That doesn\u2019t sound too convincing. More likely, it was a mutually beneficial arrangement.<\/p>\n<h2>Story 6: The Lapland woman and the Finnish woman<\/h2>\n<p>Next comes the final stage of collecting information needed for the investigation through the darknet contacts supplied by the bandits. The reindeer acquainted Gerda with a certain Lapland woman, who wrote on a dried cod a letter of recommendation to the next informant, a certain Finnish woman.<\/p>\n<p>The Finn, in turn, provided the address of the \u201cSnow Queen\u2019s garden\u201d\u00a0\u2014 obviously the name of the command-and-control server. A nice touch here: Having read the message, she threw the cod into a bowl of soup. She understood the practical importance of not leaving unnecessary traces, so she carefully followed <a href=\"https:\/\/en.wikipedia.org\/wiki\/Operations_security\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">OPSEC<\/a> rules. The mark of an old pro.<\/p>\n<h2>Story 7: What happened in the Snow Queen\u2019s palace, and what came of it<\/h2>\n<p>The seventh story finally explains why the Snow Queen needed Kai in the first place. He sat there rearranging the splinters of the ice, trying to spell the word \u201ceternity.\u201d Insane, right? Not at all. Read <a href=\"https:\/\/www.kaspersky.com\/blog\/mining-easy-explanation\/17768\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">this post, a primer on cryptomining<\/a>. 
As it explains, cryptominers essentially work by rearranging a block of information to get not just any hash, but the most \u201cbeautiful\u201d one possible.<\/p>\n<p>That is, Kai tried to arrange the pieces of information so that its hash came out as the word \u201ceternity.\u201d At this stage, it becomes clear why in the second story Andersen focused on Kai\u2019s computing power. That is exactly what the Snow Queen was after, and Kai was infected solely for cryptomining purposes. It also explains the Snow Queen\u2019s apparent obsession with all things north and cold; a high-performance mining farm requires serious cooling.<\/p>\n<p>Gerda then melted Kai\u2019s ice-crusted heart with her tears (i.e., she deleted the malicious code using various tools and regained control of the system kernel). Kai then burst into tears, meaning that he activated his built-in antivirus (previously blocked by the infected module in his kernel), and removed the second piece of malicious code, from his eye.<\/p>\n<p>The end of the report is rather weird by today\u2019s standards. Instead of providing tips for potential victims, indicators of system compromise, and other useful tidbits, Andersen rambles on about the characters\u2019 journey back home. Perhaps in the nineteenth century, that\u2019s how infosec reports wrapped things up.<\/p>\n<p>As we\u2019ve said before, fairy-tale writers are in fact the oldest cybersecurity experts in the business. The case of the Snow Queen only bolsters our claim. As described above, the tale is a detailed account of an investigation of a complex incident. 
We also recommend that you check out our analysis of other popular fairy tales:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/fairy-tales-red-hood\/28707\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Little Red Riding Hood and the Wolf-in-the-Middle<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/fairy-tales-seven-young-goats\/28725\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">The Seven Young Goats and multifactor authentication<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/three-little-pigs\/33796\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">The Three Little Pigs and cryptocontainer<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/operation-puss-in-boots\/28963\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">\u201cPuss in Boots\u201d APT campaign<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/snow-white-cryptominers\/31987\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Snow White, the Seven Cryptominers, and the targeted attacks<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Hans Christian Andersen\u2019s report on the Kai infection incident, and the investigation by infosec expert 
Gerda.<\/p>\n","protected":false},"author":700,"featured_media":21303,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2036,2610],"tags":[992,2838,2830,1421,2076,2720],"class_list":{"0":"post-21302","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-blockchain","10":"tag-cryptominers","11":"tag-fairy-tales","12":"tag-investigation","13":"tag-reports","14":"tag-truth"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/snow-queen-cybersecurity\/21302\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/snow-queen-cybersecurity\/16748\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/snow-queen-cybersecurity\/22307\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/snow-queen-cybersecurity\/20480\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/snow-queen-cybersecurity\/18762\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/snow-queen-cybersecurity\/22682\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/snow-queen-cybersecurity\/21632\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/snow-queen-cybersecurity\/28405\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/snow-queen-cybersecurity\/8333\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/snow-queen-cybersecurity\/35414\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/snow-queen-cybersecurity\/14906\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/snow-queen-cybersecurity\/15199\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/snow-queen-cybersecurity\/13468\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/snow-queen-cybersecurity\/23999\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.j
p\/snow-queen-cybersecurity\/28321\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/snow-queen-cybersecurity\/25422\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/snow-queen-cybersecurity\/22300\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/snow-queen-cybersecurity\/27582\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/snow-queen-cybersecurity\/27417\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/truth\/","name":"truth"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/21302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=21302"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/21302\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/21303"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=21302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=21302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=21302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}