
>despite infecting at least 100 computers worldwide.

Really? Then why is it so surprising lol



At the same time many MikroTik models are for ISP/micro-ISP setups, that have hundreds of people behind a router. An administrator machine being compromised could potentially expose many other network devices and allow tens of thousands of people to be compromised.

Of all infections, this is the type an administrator should be most worried about. It's rare, but exceptionally damaging. Most A/V tools aren't going to catch it, so unless you are monitoring all IP activity from your computer and doing offline filesystem checks, a virus like this could compromise your systems for years.


Not being sarcastic but sometimes it's about quality, not quantity.

Usually something this sophisticated is used to target specific individuals/organizations as they aren't generic botnet/bitcoin mining operations.

They might be after specific info and after they get it, they might even wipe their tracks as it's better to have a tool that nobody knows to look for than one that can get on as many computers as possible.


Reminded me of this book I very much enjoyed about Stuxnet - "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon". Stuxnet was a targeted attack directed at Iran's nuclear program. Quality, not quantity indeed. Super interesting to learn about these things!


Stuxnet was highly targeted malware and certainly extremely sophisticated. That said, it infected probably >200,000 computer systems. To the parent's point, it makes it easy to get a sample due to the volume of breaches. 100 targets with a highly covert mission objective is a different type of threat model compared to stux.


Wasn't this attack triggered by scattering payloaded USBs around the facility, and someone plugged it in? lol


Yeah, that bugs me a bit about this story. The (known) targets seem unimpressive for an attack tool this sophisticated. (Unless the targeted individuals were not just "individuals", but individuals who were prominent in certain organizations...)


> Unless the targeted individuals were not just "individuals", but individuals who were prominent in certain organizations...

I have to assume that's absolutely the case here. I didn't read this as "100 random individuals" being infected.


I didn't either. I read it as "activists", and on re-reading, I can't see where I got that. The actual targets could be a lot more important than that...


Yeah, this kind of APT work seems like it would be targeted at high-value individuals, for either political or economic espionage.

So leaders of industry or government, etc.


If no known target thus far is high-profile, it could very well be that the current targets are guinea-pig-targets that test the malware for future applications.


There's a big difference between an indiscriminate worm and a targeted attack. Those 100 computers are high-value targets and would have been carefully guarded. Hiding in an environment like that is pretty impressive.


Come on, we're not talking about countries with any impressive capabilities here. https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/upl...

There's nothing impressive about hiding on these governments' networks for years.


Ars needs to generate ad revenue.



