Is this Russia’s Stuxnet? Experts analyze Snake, Uroburos, Turla malware samples dating back to 2005

n13-iconTechworld reports: The mysterious ‘Uroburos’ cyberweapon named last week in Germany has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat it poses, UK security firm BAE Systems has urged.

German firm G Data’s recent analysis dubbed it ‘Uroburos’ while it is also known to some security firms as ‘Turla’. BAE Systems’ Applied Intelligence division, which today published its own research, prefers the catchier ‘Snake’ but under any name the picture is alarming.

According to BAE Systems, It now transpires that Snake has been slithering silently around networks in the US and its NATO allies and former Soviet states for almost a decade, stealing data, getting ever more complex and modular and remaining almost invisible.

To be clear, this isn’t any old malware. Snake is just too long-lived, too targeted, too sophisticated, too evasive, too innovative. It appears to be on par with any of the complex cyberweapons attributed to the US such as Flame, first analysed by Kaspersky Lab in 2012.

After several months of research, the UK firm takes what we know a lot further, offering for the first time some objective data on targets. Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), it has been spotted 32 times in the Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether from the US, Belgium, Georgia, Romania, Hungary and Italy.

These are very small numbers but BAE Systems believes that on past experience they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries pretty much exclusively.

In a week Russia planted boots on the ground in the Crimean region of the Ukraine, this is an unfortunate coincidence because while BAE Systems refused to name the state as the culprit, G Data and others are convinced that the links are suspicious.

Hints of the malware’s provenance have surfaced from time to time. In 2008, the US Department of Defense (DoD) reported that something called, Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration. [Continue reading...]

The 2008 attack targeted U.S. Central Command. A few days ago, threats coming from the Syrian Electronic Army via Twitter were also directed at #CENTCOM, an indication perhaps that this group, linked to the Assad regime, has its roots in Russia.

Softpedia reports: “SEA advises the terrorist Obama to think very hard before attempting ‘cyberattacks’ on Syria,” the hackers wrote on Twitter. “We know what Obama is planning and we will soon make him understand that we can respond.”

So far, the Syrian hacktivists have mainly targeted media organizations whose reporting they don’t like. Social media accounts have been compromised, and websites have been defaced. However, they claim that their attacks against the US government will not be of “the same kind.”

“The next attack will prove that the entire US command structure was a house of cards from the start. #SEA #CENTCOM,” reads the last tweet they posted.

The #CENTCOM hashtag suggests that the hackers’ next target is the US Central Command (

The Syrian Electronic Army’s announcement comes shortly after the New York Times published an article about the United States’ intention to develop a battle plan against Syria. The use of cyber weapons is being taken into consideration.


Cyberattacks rise as Ukraine crisis spills to internet

n13-iconThe New York Times reports: The crisis in Ukraine has spread to the Internet, where hackers from both sides are launching large cyberattacks against opposing news organizations.

Security experts say that they are currently witnessing unusually large denial-of-service attacks, also called DDoS attacks, in which hackers flood a website with traffic to knock it offline. The attacks have been directed at both pro-Western and pro-Russian Ukrainian news sites.

In at least one case, hackers successfully defaced the website of the Kremlin-financed news network Russia Today, replacing headlines and articles containing the word “Russia” with the word “nazi.”

Experts say the attacks on pro-Western Ukrainian news sites closely resemble the attacks on Chechnyan news sites, which security experts say are under almost constant siege.

Matthew Prince, the chief executive and a co-founder of Cloudflare, a San Francisco company that helps websites speed up performance and mitigate DDoS attacks, said in an interview Tuesday that while this week’s attacks were similar to the attacks on Chechnyan news sites that use Cloudflare, it was not clear who was responsible for the attacks. [Continue reading...]


Inside ‘Unit 61398’: Portrait of accused Chinese cyberspying group emerges

n13-iconThe Associated Press reports: Unit 61398 of the People’s Liberation Army has been recruiting computer experts for at least a decade. It has made no secret of details of community life such as badminton matches and kindergarten, but its apparent purpose became clear only when a U.S. Internet security firm accused it of conducting a massive hacking campaign against North American targets.

Hackers with the Chinese unit have been active for years, using online handles such as “UglyGorilla,” Virginia-based firm Mandiant said in a report released Tuesday as the U.S. prepared to crack down on countries responsible for cyber espionage. The Mandiant report plus details collected by The Associated Press depict a highly specialized community of Internet warriors working from a blocky white building in Shanghai:

—RECRUITING THE SPIES: Unit 61398, alleged to be one of several hacking operations run by China’s military, recruits directly from universities. It favors high computer expertise and English language skills. A notice dated 2003 on the Chinese Internet said the unit was seeking master’s degree students from Zhejiang University’s College of Computer Science and Technology. It offered a scholarship, conditional on the student reporting for work at Unit 61398 after graduation.

—CYBERSPY WORKPLACE: Mandiant says it traced scores of cyberattacks on U.S. defense and infrastructure companies to a neighborhood in Shanghai’s Pudong district that includes the 12-story building where Unit 61398 is known to be housed. The building has office space for up to 2,000 people. Mandiant estimates the number of personnel in the unit to be anywhere from hundreds to several thousand. [Continue reading...]


DARPA’s plan to mainstream cyberwarfare

FeatureNoah Shachtman reports: The target computer is picked. The order to strike has been given. All it takes is a finger swipe and a few taps of the touchscreen, and the cyberattack is prepped to begin.

For the last year, the Pentagon’s top technologists have been working on a program that will make cyberwarfare relatively easy. It’s called Plan X. And if this demo looks like a videogame or sci-fi movie or a sleek Silicon Valley production, that’s no accident. It was built by the designers behind some of Apple’s most famous computers — with assistance from the illustrators who helped bring Transformers to the silver screen.

Today, destructive cyberattacks — ones that cause servers to fry, radars to go dark, or centrifuges to spin out of control — have been assembled by relatively small teams of hackers. They’re ordered at the highest levels of government. They take months to plan. Their effects can be uncertain, despite all the preparation. (Insiders believe, for example, that the biggest network intrusion in the Pentagon’s history may have been an accidental infection, not a deliberate hack.)

With Plan X, the Defense Advanced Research Projects Agency (DARPA) is looking to change all that. It wants munitions made of 1s and 0s to be as simple to launch as ones made of metal and explosives. It wants cyberattack stratagems to be as predictable as any war plan can be. It wants to move past the artisanal era of hacking, and turn cyberwarfare into an industrial effort. [Continue reading...]


NSA devises radio pathway into computers

The New York Times reports: The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.

The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.

The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

The N.S.A. calls its efforts more an act of “active defense” against foreign cyberattacks than a tool to go on the offensive. But when Chinese attackers place similar software on the computer systems of American companies or government agencies, American officials have protested, often at the presidential level. [Continue reading...]


U.S. nears decision to split leadership of NSA, Cyber Command

Reuters reports: The White House is nearing a decision on splitting up the eavesdropping National Security Agency and U.S. Cyber Command, which conducts cyber warfare, a proposed reform prompted in part by revelations of NSA’s widespread snooping, individuals briefed on the matter said on Wednesday.

As part of the emerging plan, the NSA likely would get a civilian director for the first time in its 61-year history, the individuals said.

Both agencies are now headed by the same person, Army General Keith Alexander, who is retiring in March as NSA’s longest-serving director.

While Alexander is highly regarded in the intelligence community, critics have questioned the current arrangement. They say it concentrates too much power in one individual and that the two agencies have different missions. [Continue reading...]


Did Stuxnet become America’s cyberwarfare Manhattan Project?

Cyberdefense consultant, Ralph Langner, following a three-year investigation on Stuxnet, suggests that what was originally conceived as a stealth weapon designed to cause chronic instability in Iran’s nuclear enrichment process, may have undergone a strategic reconfiguration. The project took on an objective much wider in scope than its physical target: demonstrating the United State’s preeminent position in engaging in cyberwarfare.

Looking at the two major versions of Stuxnet in context leaves a final clue — a suggestion that during the operation, something big was going on behind the scenes. Operation Olympic Games — the multiyear online espionage and sabotage campaign against the Iranian nuclear program — obviously involved much more than developing and deploying a piece of malware, however sophisticated that malware was. It was a campaign rather than an attack, and it appears that the priorities of that campaign shifted significantly during its execution.

When my colleagues and I first analyzed both attacks in 2010, we first assumed that they were executed simultaneously, maybe with the idea to disable the cascade protection system during the rotor-speed attack. That turned out to be wrong; no coordination between the two attacks can be found in the code. Then we assumed that the attack against the centrifuge drive system was the simple and basic predecessor after which the big one was launched, the attack against the cascade protection system. The cascade protection system attack is a display of absolute cyberpower. It appeared logical to assume a development from simple to complex. Several years later, it turned out that the opposite was the case. Why would the attackers go back to basics?

The dramatic differences between both versions point to changing priorities that most likely were accompanied by a change in stakeholders. Technical analysis shows that the risk of discovery no longer was the attackers’ primary concern when starting to experiment with new ways to mess up operations at Natanz. The shift of attention may have been fueled by a simple insight: Nuclear proliferators come and go, but cyberwarfare is here to stay. Operation Olympic Games started as an experiment with an unpredictable outcome. Along the road, one result became clear: Digital weapons work. And different from their analog counterparts, they don’t put military forces in harm’s way, they produce less collateral damage, they can be deployed stealthily, and they are dirt cheap. The contents of this Pandora’s box have implications much beyond Iran; they have made analog warfare look low-tech, brutal, and so 20th century.

In other words, blowing the cover of this online sabotage campaign came with benefits. Uncovering Stuxnet was the end of the operation, but not necessarily the end of its utility. Unlike traditional Pentagon hardware, one cannot display USB drives at a military parade. The Stuxnet revelation showed the world what cyberweapons could do in the hands of a superpower. It also saved America from embarrassment. If another country — maybe even an adversary — had been first in demonstrating proficiency in the digital domain, it would have been nothing short of another Sputnik moment in U.S. history.


Stuxnet infected Russian nuke power plant, says Kaspersky

The Register reports: The infamous Stuxnet malware thought to have been developed by the US and Israel to disrupt Iran’s nuclear facilities, also managed to cause chaos at a Russian nuclear plant, according to Eugene Kaspersky.

The Kaspersky Lab founder claimed that a “friend” of his, working at the unnamed power plant, sent him a message that its internal network, which was disconnected from the internet, had been “badly infected by Stuxnet”.

Kaspersky didn’t reveal when exactly this happened, saying only that it was during the “Stuxnet time”.

The revelation came during a Q&A session after a speech at Australia’s National Press Club last week, in which he argued that those spooks responsible for “offensive technologies” don’t realise the unintended consequences of releasing malware into the wild.

“Everything you do is a boomerang,” he added. “It will get back to you.”

The allegation is mentioned just after the 27 minute mark in this video. Kaspersky indicates that Russian nuclear plants are not connected to the internet and appears to suggest they have an air gap between their networks and any outside source of data.

Although Stuxnet is widely understood to have infected various enterprises in the US and elsewhere, this is the first time a major nuclear facility outside Iran has been mentioned.


Cyber spying risks the future of the internet, says Eugene Kaspersky

The Sydney Morning Herald reports: Cyber espionage between nations has reached such damaging levels it risks not only the trust between friendly countries, but the future of the internet itself.

That is the view of Eugene Kaspersky, the ebullient chief executive of Russian security firm Kaspersky Labs, who is in Canberra this week to deliver the message to politicians and business leaders.

Speaking ahead of his speech to the National Press Club on Thursday, Mr Kaspersky told Fairfax Media he was “very surprised” and concerned about the extent of espionage currently undertaken by Western countries. He also warned Australia to invest in educating a new generation of security engineers to future-proof its critical systems.

“Cyber espionage is not new,” he said. “We knew that from years ago, but I did not expect it in such a huge scale and coming from so many different nations.”

Mr Kaspersky said he feared governments would withdraw to their own parallel networks away from the prying eyes of others, and would cease investing in the development of the public internet, products and services.

“If governments and enterprises exit the public internet, there will be a lot less investment. If they emigrate to a separate zone, I’m afraid the internet will have a crisis”. [Continue reading...]


NSA chief likely to be stripped of cyber war powers

The Hill reports: Senior military officials are leaning toward removing the National Security Agency director’s authority over U.S. Cyber Command, according to a former high-ranking administration official familiar with internal discussions.

Keith Alexander, a four star general who leads both the NSA and Cyber Command, plans to step down in the spring.

No formal decision has been made yet, but the Pentagon has already drawn up a list of possible civilian candidates for the next NSA director, the former official told The Hill. A separate military officer would head up Cyber Command, a team of military hackers that trains for offensive cyberattacks and protects U.S. computer systems.

The administration might also decide to have two military officers lead the two agencies.


Syrian Electronic Army attacks linked to Obama’s mentions of Syria

Mashable reports: The frequency of attacks that the infamous Syrian Electronic Army carries out may correlate with the number of President Obama’s public statements about Syria and its civil war.

Researchers at Recorded Future, a firm that analyzes publicly available data to assess and predict cyberattacks, call the link a “remarkable correlation.”

To put it simply, the more Obama talks about Syria, the more the Syrian hackers strike American media targets. It’s a full-blown propaganda war.

In fact, when Obama discussed military action in retaliation against the alleged chemical attack in Damascus, the SEA ramped up its campaign against American media, hitting the New York Times, Twitter and others.

After the United States and Russia agreed on a diplomatic solution to the crisis, which requires Syria to destroy its chemical arsenal, the SEA backed off and remained relatively quiet. [Continue reading...]


As war in Afghanistan winds down, Pentagon defends itself by promoting borderless cyberwarfare

Aviation Week (via Matthew Aid) reports: As it winds down its role in Afghanistan, where strategic rivalry in another era was called “The Great Game,” the U.S. Defense Department has been suiting up for the next big round of conflict: cyberwarfare.

The Pentagon has been racheting up the rhetoric gradually, with former Defense Secretary Leon Panetta warning of a cyber-Pearl Harbor and more and more officials publicly acknowledging cyberwarfare.

This year, the Pentagon has firmed up plans to skim approximately 4,000 operational and intelligence experts from the uniformed services to field the now more than 100 teams that will play both digital offense and defense against enemies seeking to attack the U.S. and its vital computer networks.

Some teams are already being fielded, although officials will not say exactly how many or where they are located. A Pentagon press officer said a number of teams are “prioritized” to be operational by the end of September. More will be added in the next few years.

In all, 13 National Mission Teams will conduct “full-spectrum cyber operations” to defend against threats to the nation and its critical infrastructure; 27 Combat Mission Teams will provide support to the nine combatant commands, “and when authorized,” will offer cyber options and capabilities to consider. Commanders then will determine how best to integrate them into contingency plans as targets are assessed and determinations made on how to best defeat or neutralize, said Air Force Lt. Col. Damien Pickart.

Additionally, 68 Cyber Protection Teams will focus on safeguarding Defense Department information networks, Pickart told Aviation Week in an e-mail. When directed, the Cyber Protection Teams, which officials had not previously discussed in public forums, may also support other U.S. government networks and the nation’s critical infrastructure, he added. [Continue reading...]


Stuxnet helped heat up cyberarms race

NBC News reports: Cybersecurity experts tell NBC News that the [Stuxnet] attack may not have done as much damage to the Iranian nuclear effort — which Tehran insists is geared toward developing nuclear energy, not weapons — as was initially reported in some media accounts.

And it has raised the stakes in the race to create online weaponry.

Iranian Ambassador Hossein Moussavian, in a Feb. 21 appearance at the Center for National Security at Fordham Law School, said the attack prompted Tehran to make development of its own cyberwar capability a priority.

“The U.S., or Israel, or the Europeans, or all of them together, started war against Iran,” he said. “Iran decided to have…to establish a cyberarmy, and today, after four or five years, Iran has one of the most powerful cyberarmies in the world.”

Scott Borg, a U.S.-based cybersecurity expert, said that while Iran may be exaggerating its offensive capabilities, there is no doubt that it has developed a “serious capability” to wage cyberwar.

“It’s exaggerating the present capabilities,” he said, “but it’s working toward the future.”

As an example, Borg and U.S. officials note that when the U.S. leveled new sanctions on Iranian banks last year, U.S. banks suddenly came under attack – apparently from Iran itself or its hired proxies.


Obama orders U.S. to draw up overseas target list for cyber-attacks

The Guardian reports: Barack Obama has ordered his senior national security and intelligence officials to draw up a list of potential overseas targets for US cyber-attacks, a top secret presidential directive obtained by the Guardian reveals.

The 18-page Presidential Policy Directive 20, issued in October last year but never published, states that what it calls Offensive Cyber Effects Operations (OCEO) “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging”.

It says the government will “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power”.

The directive also contemplates the possible use of cyber actions inside the US, though it specifies that no such domestic operations can be conducted without the prior order of the president, except in cases of emergency.

The aim of the document was “to put in place tools and a framework to enable government to make decisions” on cyber actions, a senior administration official told the Guardian.

The administration published some declassified talking points from the directive in January 2013, but those did not mention the stepping up of America’s offensive capability and the drawing up of a target list.

Obama’s move to establish a potentially aggressive cyber warfare doctrine will heighten fears over the increasing militarization of the internet.

The directive’s publication comes as the president plans to confront his Chinese counterpart Xi Jinping at a summit in California on Friday over alleged Chinese attacks on western targets.

Even before the publication of the directive, Beijing had hit back against US criticism, with a senior official claiming to have “mountains of data” on American cyber-attacks he claimed were every bit as serious as those China was accused of having carried out against the US. [Continue reading...]


The NSA has been planning cyber attacks since Clinton era

Jeffrey T Richelson and Malcom Byrne write: At a time when Chinese malware is targeting America’s computer infrastructure and U.S.-Israeli worms (e.g., Stuxnet) have reportedly attacked Iranian centrifuges, a recently declassified item from the National Security Agency (NSA) offers a little history on how at least one part of the U.S. government foresaw its role in the growing field of “Information Warfare.”

This short item from a classified NSA publication reveals that as far back as 1997 the super-secret agency was tasked with finding ways not just to listen in on our enemies (the NSA’s usual stock-in-trade), but actually to attack hostile computer networks. The document proclaimed that “the future of warfare is warfare in cyberspace,” and it sketched out how tomorrow’s “Information Warriors” would think, act, and fight on the new digital battlefield.

The NSA’s involvement in cybersecurity is an outgrowth of its longtime role in ensuring communications and information security for various components of the government and private sector, in addition to its need to guarantee the security of the computers it has relied on heavily for decades. Its role in computer-network exploitation — of gathering electronic “data at rest” — is a natural extension of its decades-old role of gathering “data in motion” via signals intelligence. [Continue reading...]


Spies and big business fight cyberattacks

International Herald Tribune: Britain’s intelligence services, working alongside security experts from private companies, are setting up a secret control center in London to combat what the head of the country’s domestic spy agency has described as “astonishing” levels of cyberattacks.

The existence of the so-called Fusion Cell was due to be confirmed on Wednesday in a statement on the government’s strategy to boost information sharing in an expanding cyberwar against online attackers.

A team of security analysts at an undisclosed location will monitor attacks on large screens and provide details in real-time of who is being targeted, according to the BBC.

The British initiative, which also includes the creation of a social network-style web portal to facilitate information exchange, is the latest in a series of international measures to combat what is seen as the growing threat of cyberattacks to both business and government networks.

President Obama last month signed an executive order to increase information sharing about cyberthreats between the government and private companies.

“We have seen a steady ramping up of cybersecurity threats,” Mr. Obama said in a recent interview. “Some are state sponsored, some are just sponsored by criminals.”

Jonathan Evans, the outgoing head of MI5, Britain’s domestic intelligence agency, made a similar point ahead of last year’s London Olympic Games.

“Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states,” he said in a rare interview. “The extent of what is going on is astonishing.”

The victims are said to include big companies. The BBC said one major London listed company had lost the equivalent of $1.2 billion as a result of a cyberattack from a hostile state. [Continue reading...]