Stuxnet DuQu Flame Gauss
The cost of creating state-sponsored malware has dropped dramatically. Kaspersky

The cost of developing sophisticated malware like Stuxnet and Flame has dropped dramatically in recent years from $100 million to just $10,000 - dramatically lowering the barrier to entry to the global cyber-arms race.

These pieces of malware are typically created and financed by groups called advanced persistent threats (or APTs for short) which are usually governments, and they typically attack high-value targets such as critical national infrastructure, financial systems or other law enforcement agencies.

Traditionally these APTs need to be very well financed in order to create the sophisticated pieces of malware like Stuxnet, Duqu, Gauss and Flame which have been discovered in recent years.

Speaking at Kaspersky Lab's Industry Analyst Summit the company's head of global research and analysis, Costin Raiu estimated that Stuxnet, which was jointly created by the US and Israeli governments to disrupt an Iranian nuclear enrichment facility, cost somewhere in the region of $100 million to develop.

Cut-price malware

However, those huge costs have now fallen dramatically, and that the cost of the IceFog malware which was discovered last year would have been in the region of $10,000.

Related

IceFrog was designed to attack organisation and government agencies in South Korea and Japan. It is unknown who was behind IceFog, but researchers believe that unlike Stuxnet which was developed by large teams of engineers, IceFog was created by a small team of highly-skilled experts.

As reported by the Threatpost blog, Raiu said: "The cost of entry for APT is decreasing. We're going to see more surgical strikes and critical infrastructure attacks."

Mercenaries

He added: "Icefog is special because it indicates a new trend of cyber mercenaries, maybe five to ten people that are highly skilled. They knew what documents they wanted to steal from each machine and they spent only a few minutes on each machine."

While the huge $100 million price tag for Stuxnet may seem like an exorbitant amount of money, in military terms it is not, representing the cost of just a couple of missiles according to Raiu.

With the dramatic lowering of the costs associated with developing these cyber-weapons, we are likely to see many more created and deployed in the coming years, as the barrier to entry to the global cyber-arms race is lowered.

Related