Invisible Russian cyberweapon stalked US and Ukraine since 2005, new research reveals

John E Dunn | March 11, 2014
The mysterious ‘Uroburos' cyberweapon named last week in Germany has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat it poses, UK security firm BAE Systems has urged.

"The element of attribution is always difficult," BAE Systems Applied Intelligence cybersecurity managing director David Garfield told Techworld. "It turns into conjecture and it would be dangerous to make too many guesses."

"But this is a call to arms. [This malware] is highly complex. It has all the elements of an espionage toolkit. It is highly serious."

Interestingly, and perhaps uniquely as far as we know, the firm had already informed governments, policy makers and national CERTs of its findings before publishing its research, he said.

He expected that there had been, indeed still were, numerous variants inside target networks, something that would make remediation complex and time-consuming.

Whether called Uroburos, Snake or Turla (the latter being the 32-bit rootkit), it is also possible that what security firms have been seeing since 2010 is actually several inter-related cyber-weapons from the same program, hence the confusion over variants. In that interpretation, Snake isn't a cyberweapon so much as a stable of espionage tools in the same way that Stuxnet was part of a larger arsenal.

BAE Systems does reveal one or two interesting snippets about the people who made Snake; compile times show they work Monday-Friday, only rarely putting out a variant at the weekend. That sounds mildly reassuring; professional cybercriminals are not mindless robots and are paid to do the job just like the rest of us.

"What this research once more demonstrates is how organised and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organisations on a massive scale," said BAE Systems Applied Intelligence managing director, Martin Sutherland.

"Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously."

Separately, G Data has updated its earlier analysis of Snake/Uroburos, noting the rootkit module's use of a vulnerability (CVE-2008-3431) to bypass Microsoft's Driver Signature Enforcement on 64-bit versions of Windows from Vista onwards, essentially a way to fool the OS into thinking it is running in developer mode. This bypass is not brand new, but it is still unusual.
