Is this Russia’s Stuxnet? Experts analyze Snake, Uroburos, Turla malware samples dating back to 2005

Techworld reports: The mysterious ‘Uroburos’ cyberweapon named last week in Germany has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat it poses, UK security firm BAE Systems has urged.

German firm G Data’s recent analysis dubbed it ‘Uroburos’ while it is also known to some security firms as ‘Turla’. BAE Systems’ Applied Intelligence division, which today published its own research, prefers the catchier ‘Snake’ but under any name the picture is alarming.

According to BAE Systems, it now transpires that Snake has been slithering silently around networks in the US and its NATO allies and former Soviet states for almost a decade, stealing data, getting ever more complex and modular and remaining almost invisible.

To be clear, this isn’t any old malware. Snake is just too long-lived, too targeted, too sophisticated, too evasive, too innovative. It appears to be on par with any of the complex cyberweapons attributed to the US such as Flame, first analysed by Kaspersky Lab in 2012.

After several months of research, the UK firm takes what we know a lot further, offering for the first time some objective data on targets. Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), it has been spotted 32 times in the Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether from the US, Belgium, Georgia, Romania, Hungary and Italy.

These are very small numbers but BAE Systems believes that on past experience they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries pretty much exclusively.

In a week when Russia planted boots on the ground in the Crimean region of the Ukraine, this is an unfortunate coincidence because while BAE Systems refused to name the state as the culprit, G Data and others are convinced that the links are suspicious.

Hints of the malware’s provenance have surfaced from time to time. In 2008, the US Department of Defense (DoD) reported that something called Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration. [Continue reading…]

The 2008 attack targeted U.S. Central Command. A few days ago, threats coming from the Syrian Electronic Army via Twitter were also directed at #CENTCOM, an indication perhaps that this group, linked to the Assad regime, has its roots in Russia.

Softpedia reports: “SEA advises the terrorist Obama to think very hard before attempting ‘cyberattacks’ on Syria,” the hackers wrote on Twitter. “We know what Obama is planning and we will soon make him understand that we can respond.”

So far, the Syrian hacktivists have mainly targeted media organizations whose reporting they don’t like. Social media accounts have been compromised, and websites have been defaced. However, they claim that their attacks against the US government will not be of “the same kind.”

“The next attack will prove that the entire US command structure was a house of cards from the start. #SEA #CENTCOM,” reads the last tweet they posted.

The #CENTCOM hashtag suggests that the hackers’ next target is the US Central Command (centcom.mil).

The Syrian Electronic Army’s announcement comes shortly after the New York Times published an article about the United States’ intention to develop a battle plan against Syria. The use of cyber weapons is being taken into consideration.
