Turla, Red October and Flame cyberweapons preyed on earlier Agent.btz worm

Later programs aware of successful malware, says Kaspersky Lab

The Agent.btz worm that hit the US military and others in 2008 was probably an inspiration for a new generation of cyber-espionage weapons including the recently-documented Turla (aka 'Snake' or 'Uroburos'), Kaspersky Lab has speculated.

German firm G Data and Britain's BAE Systems have come up with the theory that the Turla cyberweapon is most likely a Russian development connected to the earlier Agent.btz (aka 'Orbina'), but Kaspersky's analysis is less certain about that connection.

What the firm does suggest is that a number of other mysterious cyberweapons, including Red October from 2013 and Flame/Gauss from 2012 (both publicised by Kaspersky Lab), seemed to be aware of Agent.btz in some way.

Does this mean they came from the same developer or was it more a case of emulating its techniques because they had been shown to work? More extraordinarily, might they even have been opportunistically attempting to steal its files?

First, the enigmatic Red October, which Kaspersky Lab does not believe is directly connected to Agent.btz but did include a module that looked for any files it had already stolen and hidden on USB sticks.

"It is not impossible that the developers of Red October, who must have been aware of the large number of infections caused by Agent.btz and of the fact that the worm had infected US military networks, simply tried to take advantage of other people's work to collect additional data," said Kaspersky Lab chief security expert, Aleks Gostev.

A similar picture emerges when plotting the connections between Agent.btz and a complex cyberweapon called Flame and its close relations Gauss and MiniFlame, all three of which were brought to light by Kaspersky between 2011 and 2012. Again, these seemed to have been created with an awareness of what Agent.btz had been up to; MiniFlame also searched for data files written by it.

Now for the interesting bit. Can any of those more recent programmes - Turla, Red October and Flame - be connected to one another? After all, they all manipulated Agent.btz to some degree.

Probably not. Red October and Turla were not connected to one another, said Gostev, and Flame was likewise a cyberweapon standing on its own.

What is still intriguing is that other security firms still believe Turla and Agent.btz are probably directly connected to one another. Kaspersky's Gostev attributes this to Turla's developers being aware of Agent.btz and probably nothing more. The two had Russian programmers, but again Turla might simply have been trying to capitalise on Agent.btz's success.

"It is possible to regard Agent.btz as a certain starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how US military networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties," said Gostev.

Under this kind of scrutiny, the whole affair can start to dissolve into something that sounds more like a sub-plot from a John le Carré spy novel than a map of global cyberwarfare activity. What we have to go on is a web of complex malware but with little substantial evidence to work out whether they come from the same source.

What is clear is that researchers now need to do more than simply analyse standalone cyberweapons. The age of innocence is over.

Stories by John E Dunn