Research by Arbor Networks has alleged that a capable state actor has hijacked software that protects users if their computers are stolen.
The software, called LoJack, allows administrators to remotely lock, locate and remove files from stolen computers.
Its main customers are corporate IT-related firms that need to protect information from exploitation, and it is often installed by default. However, the actor has reconfigured the software for malicious use, so that it maintains persistent access to targeted devices and communicates with command-and-control servers that the actor operates.
Most anti-virus packages cannot detect when LoJack has been hijacked, or do not recognise the hijacked version as malicious.
Previous research, dating as far back as 2009, publicised that LoJack could be exploited.
However, not all computers that use LoJack are vulnerable to compromise and data exfiltration – the attacker needs to gain initial access to the machine before they can deploy the hijacked version of LoJack to maintain persistence.