Invisible Russian cyberweapon stalked US and Ukraine since 2005, new research reveals

Sophisticated 'Snake' malware discovered

The mysterious 'Uroburos' cyberweapon named last week in Germany has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat it poses, UK security firm BAE Systems has urged.

German firm G Data's recent analysis dubbed it 'Uroburos' while it is also known to some security firms as 'Turla'. BAE Systems' Applied Intelligence division, which today published its own research, prefers the catchier 'Snake' but under any name the picture is alarming.

According to BAE Systems, it now transpires that Snake has been slithering silently around networks in the US, its NATO allies and former Soviet states for almost a decade, stealing data, becoming ever more complex and modular, and remaining almost invisible.

To be clear, this isn't any old malware. Snake is just too long-lived, too targeted, too sophisticated, too evasive, too innovative. It appears to be on par with any of the complex cyberweapons attributed to the US such as Flame, first analysed by Kaspersky Lab in 2012.

After several months of research, the UK firm takes what we know a lot further, offering for the first time some objective data on targets. Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), the firm found it had been spotted 32 times in Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether across the US, Belgium, Georgia, Romania, Hungary and Italy.

These are very small numbers but BAE Systems believes that on past experience they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries pretty much exclusively.

In a week when Russia planted boots on the ground in the Crimean region of Ukraine, this is an unfortunate coincidence, because while BAE Systems refused to name the state as the culprit, G Data and others are convinced that the links are suspicious.

Hints of the malware's provenance have surfaced from time to time. In 2008, the US Department of Defense (DoD) reported that something called Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration.

Beyond that, the evidence becomes circumstantial. If we assume that Agent.btz was probably an early variant of Snake, the malware also contains other clues: compile times show a time offset of UTC+4 hours, and Russian references have been found in the code. Ergo, because this is clearly not commercial malware and would have required large development resources, Snake was made by a government beginning with 'R'.

"The element of attribution is always difficult," BAE Systems Applied Intelligence cybersecurity managing director David Garfield told Techworld. "It turns into conjecture and it would be dangerous to make too many guesses."

"But this is a call to arms. [This malware] is highly complex. It has all the elements of an espionage toolkit. It is highly serious."

Interestingly, and perhaps uniquely as far as we know, the firm has already informed governments, policy makers and national CERTs of its findings in advance of publishing its research, he said.

He expected that there had been, indeed still were, numerous variants inside target networks, something that would make remediation complex and time-consuming.

Whether called Uroburos, Snake or Turla (the latter being the 32-bit rootkit), it is also possible that what security firms have been seeing since 2010 is actually several inter-related cyber-weapons from the same program, hence the confusion over variants. In that interpretation, Snake isn't a cyberweapon so much as a stable of espionage tools in the same way that Stuxnet was part of a larger arsenal.

BAE Systems does reveal one or two interesting snippets about the people who made Snake: compile times show they work Monday to Friday, only rarely putting out a variant at the weekend. That sounds mildly reassuring; professional cybercriminals are not mindless robots and are paid to do the job just like the rest of us.
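The two compile-time clues mentioned above (a UTC+4 working offset and a Monday-to-Friday build rhythm) come from the same piece of evidence: the TimeDateStamp field in each sample's PE header. The script below is an added illustration of how an analyst tests such a hypothesis; it is not BAE Systems' or G Data's code and uses no real Snake samples. It reads the timestamp out of the COFF header, then tries every candidate UTC offset and keeps the one under which the builds land on weekdays, clustered around the middle of a working day. The "workday centred on 13:00 local time" heuristic and the minimal stub PE headers it runs on are assumptions constructed for the example.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed heuristic: a developer's workday is centred on 13:00 local time and
# runs Monday to Friday; the best-fitting UTC offset is the one under which
# the build timestamps match that pattern most closely.
WORKDAY_CENTRE_HOUR = 13
WEEKDAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def pe_timestamp(data: bytes) -> int:
    """Return TimeDateStamp (seconds since the Unix epoch) from a PE file's COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF file header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def make_stub_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a sample: a minimal MZ/PE header carrying a timestamp.
    It is not a loadable executable; it exists only to exercise pe_timestamp()."""
    e_lfanew = 0x40
    header = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    header += struct.pack("<I", e_lfanew)  # e_lfanew field at offset 0x3C
    header += b"PE\0\0"                     # PE signature at offset 0x40
    # Machine=i386, 1 section, TimeDateStamp, symtab ptr, nsyms, opt-hdr size, characteristics
    header += struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(header)


def weekday_profile(timestamps, utc_offset_hours):
    """Count builds per local weekday once the candidate UTC offset is applied."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(WEEKDAY_NAMES[datetime.fromtimestamp(ts, tz).weekday()] for ts in timestamps)


def infer_utc_offset(timestamps, candidates=range(-12, 15)):
    """Pick the UTC offset under which builds fall on weekdays and cluster around the workday.
    Returns (offset, weekend_builds, hour_spread) for the best candidate; fewer weekend
    builds wins first, then the smallest total distance from WORKDAY_CENTRE_HOUR."""
    best = None
    for offset in candidates:
        tz = timezone(timedelta(hours=offset))
        local = [datetime.fromtimestamp(ts, tz) for ts in timestamps]
        weekend = sum(1 for d in local if d.weekday() >= 5)
        spread = sum(abs(d.hour - WORKDAY_CENTRE_HOUR) for d in local)
        if best is None or (weekend, spread) < best[1:]:
            best = (offset, weekend, spread)
    return best


# Constructed sample: nine build times (UTC) over one working week in June 2013,
# chosen so that they fall at 09:00-17:00 local time in UTC+4.
SAMPLE_BUILDS_UTC = [
    (2013, 6, 3, 5), (2013, 6, 3, 6),    # Monday
    (2013, 6, 4, 7), (2013, 6, 4, 8),    # Tuesday
    (2013, 6, 5, 9), (2013, 6, 5, 10),   # Wednesday
    (2013, 6, 6, 11),                    # Thursday
    (2013, 6, 7, 12), (2013, 6, 7, 13),  # Friday
]
SAMPLE_TIMESTAMPS = [
    int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp())
    for y, m, d, h in SAMPLE_BUILDS_UTC
]
SAMPLE_FILES = [make_stub_pe(ts) for ts in SAMPLE_TIMESTAMPS]


def analyse(pe_files):
    """Extract every sample's compile time and report the best-fit offset and weekday profile."""
    timestamps = [pe_timestamp(f) for f in pe_files]
    offset, weekend, _spread = infer_utc_offset(timestamps)
    return offset, weekend, weekday_profile(timestamps, offset)


if __name__ == "__main__":
    offset, weekend, profile = analyse(SAMPLE_FILES)
    print(f"best-fit offset: UTC{offset:+d}, weekend builds: {weekend}")
    print("builds per local weekday:", dict(profile))
```

On real samples the input would be the files themselves rather than stub headers, and the result is only as trustworthy as the timestamps: compile times can be zeroed or forged by a toolchain, so this kind of profile corroborates other evidence rather than standing alone.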

"What this research once more demonstrates is how organised and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organisations on a massive scale," said BAE Systems Applied Intelligence managing director, Martin Sutherland.

"Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously."

Separately, G Data has updated its earlier analysis of Snake/Uroburos, noting the rootkit module's use of a vulnerability (CVE-2008-3431) to bypass Microsoft's Driver Signature Enforcement on 64-bit versions of Windows from Vista onwards, basically a way to fool the OS into thinking it is running in developer mode. This bypass is not brand new, but it is still unusual.


Stories by John E Dunn
