Researchers with BAE Systems Applied Intelligence have determined that a possibly Russian-fueled malware campaign known as Snake, or Uroburos, may actually date back as far as 2006, instead of 2011 as initially presented by a German security company last week.
Germany-based G Data SecurityLabs released a “Red Paper” last week explaining that Uroburos is a rootkit, composed of two files, that is able to take control of infected machines, execute arbitrary commands, hide system activities, and, ultimately, steal information and capture network traffic.
“Our research builds on this and looks across dozens of samples going back to 2006 and provides context around the wider campaign associated with this toolkit,” David Garfield, managing director of cyber security with BAE Systems Applied Intelligence, told SCMagazine.com in a Friday email correspondence. The groupreleased a report on Friday.
Part of the BAE research involves the inclusion of various appendixes that detail technical indicators for tipping off an organization that it is being compromised by the malware, Garfield said, adding that these should be deployed as soon as possible.
The German researchers suggested a Russian agency is behind the highly sophisticated malware. A number of technical details led them to believe that the group behind Uroburos is also behind a 2008 attack against the U.S. using a piece of malware known as Agent.BTZ, with the use of the Russian language being one connecting factor.
“Our report shows that a technically sophisticated and well organized group has been developing and using these tools for the last eight years,” Garfield said. “There is some evidence that links these tools to previous breaches connected to Russian threat actors, but it is not possible to say exactly who is behind this campaign.”
BAE is not in a position to reveal specific victims of the Snake campaign, but analyzed malware samples were discovered around Eastern Europe, Garfield said, adding that attackers targeted groups around the globe that maintain sensitive information.
Garfield could not say specifically how the targeted networks are being infected by Snake, but explained that similar malware has previously been delivered via phishing attacks, drive-by attacks, and even USB sticks.
“The reality is that there are a range of techniques available to attack groups to infiltrate organizations and the attackers will evolve their techniques over time to maintain access,” Garfield said. “Organizations need to have a range of defenses in place to defend themselves.”
Helpful Webroot Links:
Dozens of computer networks in Ukraine have been infected by an aggressive new cyber weapon called Snake, according to expert analysis.
The cyber weapon has been increasingly used since the start of this year, even before protests that led to the overthrow of president Viktor Yanukovych, British-based BAE Systems said in a report published on Friday.
The complex composition of Snake bears similarities with Stuxnet, the malware that disrupted Iran's nuclear facilities in 2010.
Snake - also known as Ouroboros after the serpent in Greek mythology - gives remote attackers "full remote access to the compromised system", BAE said.
Because it can stay inactive for a number of days, it is extremely hard to detect.
Microsoft® Windows Insider MVP - Windows Security