Snow White, the Seven Cryptominers, and the targeted attacks

The Brothers Grimm fairy tales are deep source of object lessons in information security — not just for children, but also for adults.

The Brothers Grimm fairy tales are deep source of object lessons in information security — not just for children, but also for adults.

Children know how to ask uncomfortable questions. Does Santa Claus exist? Where does the tooth fairy take the teeth it collects? Is it even possible to track any person you want to? Is it true that governments are often behind targeted attacks?

Fortunately, answers to the last two questions can be found in Snow White and the Seven Dwarfs, which describes a number of interesting technologies (in allegorical form, of course). Once you know where to look, everything falls into place. Let’s investigate the subtext of the famous Grimm Brothers fairy tale.

Mirror, mirror on the wall

The tale begins with a king who is widowed at the birth of his daughter. He soon finds himself a new queen, who comes with a magic wall-mounted mirror that answers her questions. She asks it:

Mirror, mirror on the wall,

Who is the fairest of them all?

Readers in the past probably thought that sounded stranger than it does now. These days, “Mirror, mirror on the wall” sounds no odder than the wake phrases we speak to our digital assistants (“OK, Google” or “Hey, Siri”). This mirror is not so different from your everyday smart TV with a built-in voice assistant.

However, the mirror’s answers indicate that it has direct access to a database of all of the inhabitants of the kingdom. We’re talking documents, biometrics, you name it. Moreover, this voice assistant can use the data to make judgments about such a subjective concept as beauty. The magic mirror must be powered by advanced machine learning technologies.

The Stepmother APT group: Operations “Stay-Laces” and “Comb”

Let’s move on to a discussion of the main plot. Don’t forget, the premise of the story is that the stepmother wants to get rid of her competition. Government agents start pursuing Snow White, forcing her to take refuge in the forest, where she encounters the dwarfs.

The dwarfs shelter the fugitive girl. However, they are busy with work, and every day they leave home to go to their important jobs. They are miners. Naturally, the Brothers Grimm do not fill in all of the details, such as where they keep their equipment, which cryptocurrency they are mining, and where they get their electricity. But judging from the fact that they choose to mine in a secluded spot in the forest, it appears that their activity is not entirely legal.

Does Snow White manage to go undetected in her hiding place? No. The all-knowing mirror not only tells the queen that Snow White is alive, but also fairly accurately points to her location (“beyond the mountains with the seven dwarfs”). Once the stepmother has collected enough information, she decides to organize a targeted attack on her own stepdaughter. She assumes the visage of an old merchant woman to sell staylaces to Snow White, and using them, she laces Snow White’s bodice so tight that the girl falls dead to the ground.

Fortunately, the dwarfs unlace the bodice to revive Snow White. This is a metaphorical description of how blocker malware works. Blocker malware locks a device, preventing user access (usually to extract a ransom, but sometimes for purposes of sabotage). However, among the dwarfs must have been a competent expert who managed to neutralize the attack almost instantly.

Does the stepmother learn her lesson and give up? No. On finding out that her attack failed, she makes another modification to the same malware. This time, she decides to use a comb. Lucky for her, Snow White hasn’t learned anything from her experience, either, and she displays the same blind trust in downloading from torrents buying a comb from an unknown seller and installing it placing it in her hair. The dwarfs once again clean the blocker infection.

An infected “Apple”

The stepmother prepares the third wave of her targeted attack more carefully. She assembles a device that will permanently disable Snow White when it is connected to her. This time, it’s an apple.

(It is not for nothing that the Brothers Grimm chose an apple. Perhaps what they were really trying to say is that there are no full-fledged security solutions for iOS devices, although we’re not sure they were that prescient. Or maybe they simply didn’t want to confuse their readers; a peasant woman back in the Middle Ages trying to sell an android would have looked rather strange.)

At this point, the dwarfs must have conducted some cybersecurity training with Snow White; the next time her stepmother cruises by in disguise, the girl says that the dwarfs have forbidden her to let anyone in or to take anything. However, the training wasn’t sufficient, and when Snow White sees the peasant woman biting into the apple, she believes the fruit is safe to eat. Snow White bites into her part of the fruit and consequently falls dead to the ground.

This time, the dwarfs are unable to defeat the malware, and they concede that Snow White is really lost to them. This clearly demonstrates how cryptomalware works. It makes data inaccessible, and in many cases, the data’s owners cannot reverse the malware’s actions.

However, following best practices, the dwarfs do not bury Snow White but instead put her inside a glass coffin in the hope that someday a decryption utility will appear. And indeed, after some time, a wandering information security expert known as “Prince” drops by. After some manipulations with the coffin, he finds the piece of poisoned apple (obviously, the Brothers Grimm meant to say the prince found the decryption key), and Snow White is revived again.

A happy ending follows.

Takeaways from Snow White

What can this fairy tale teach children? Here are our takeaways:

  • Yes, there are technologies that are used to collect information about users, often without their consent, and these tools can be used for illegal purposes.
  • Yes, government agencies may be behind cyberattacks.
  • People tend to make the same mistake twice, and cybersecurity training does not always foil attacks. You shouldn’t just give lectures as a way of helping users. Rather, you should teach them necessary skills. For example, Kaspersky Automated Security Awareness Platform can help with effective training.
  • Sometimes even individuals and employees of small companies can become the target of APT attacks. Thus, any device that is connected to the Internet must be equipped with a reliable security solution.