Earlier this month German anti-malware firm G-Data released details of an espionage tool it called Uroburos. G-Data noted a connection with an earlier malware called Agent.BTZ which the US government had tied to Russia. Now BAE Systems has released further details, tying both BTZ and Uroburos to an ongoing and long-standing campaign and malware family that it calls the Snake Campaign. This campaign has been in existence since 2005.
BAE Systems appears to implicate Russia without specifically doing so. Taking known samples submitted to online malware analysis websites and analyzing compile times, it concludes that the group behind the malware operates within a standard working week within the UTC+4 timezone – which includes Russia. 56 of these samples have been found since 2010, and 32 of those were found in Ukraine. Fourteen, exactly 25% of all known Snake samples, have been submitted from Ukraine in the first quarter of 2014 alone.
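The compile-time analysis described above is a standard attribution heuristic: bucket each sample's compile timestamp by weekday and hour under every candidate UTC offset, and see which offset places the most samples inside a normal working week. The following is an added illustration, not code from the BAE Systems report; the timestamps are constructed so that only UTC+4 fits all weekday samples, and the `business_hours_fraction` and `infer_working_offset` names are this example's own. A practitioner should treat the result as weak evidence only, since a PE `TimeDateStamp` is attacker-controlled and can be zeroed or forged.

```python
from datetime import datetime, timedelta, timezone
from collections import Counter

# Constructed compile timestamps (UTC), built for this example; they are
# NOT the Snake samples from the BAE Systems report.
SAMPLE_COMPILE_TIMES_UTC = [
    "2014-01-06T05:15:00",  # Mon -> 09:15 in UTC+4
    "2014-01-07T05:40:00",  # Tue -> 09:40 in UTC+4
    "2014-01-08T06:05:00",  # Wed -> 10:05 in UTC+4
    "2014-01-09T08:30:00",  # Thu -> 12:30 in UTC+4
    "2014-01-10T10:10:00",  # Fri -> 14:10 in UTC+4
    "2014-01-13T13:20:00",  # Mon -> 17:20 in UTC+4
    "2014-01-14T13:50:00",  # Tue -> 17:50 in UTC+4
    "2014-01-18T10:00:00",  # Sat -> weekend, never counted as working hours
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def business_hours_fraction(times_utc, offset_hours, start=9, end=18):
    """Fraction of samples compiled Mon-Fri between start and end (local hour,
    end exclusive) when the clock is shifted to UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in times_utc:
        local = t.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(times_utc)


def infer_working_offset(times_utc, candidates=range(-12, 15)):
    """Return (best_offset, scores) where best_offset is the UTC offset under
    which the largest share of samples fall inside a working week.
    Ties are broken towards the offset closest to UTC."""
    scores = {o: business_hours_fraction(times_utc, o) for o in candidates}
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores


def hour_histogram(times_utc, offset_hours):
    """Counter of local compile hours under the given offset, useful for
    eyeballing whether the distribution really looks like a working day."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in times_utc)


if __name__ == "__main__":
    times = [parse_utc(ts) for ts in SAMPLE_COMPILE_TIMES_UTC]
    best, scores = infer_working_offset(times)
    print(f"best-fitting offset: UTC{best:+d} ({scores[best]:.0%} in working hours)")
    for off in (3, 4, 5):
        print(f"UTC{off:+d}: {scores[off]:.0%}  hours={dict(sorted(hour_histogram(times, off).items()))}")
```

With these constructed inputs the script reports UTC+4 as the only offset that puts every weekday sample inside 09:00-18:00; neighbouring offsets drop two samples each. On real data the peak is usually broader, which is why the report speaks of a timezone "which includes Russia" rather than a country.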
Clearly, in everything other than direct accusation, this is Russian state espionage currently being directed in what amounts to a cyberwar against Ukraine. But BAE Systems declines to make that final link. "Our report shows that a technically sophisticated and well-organized group has been developing and using these tools for the last eight years," said David Garfield, the managing director of cyber security at BAE Systems Applied Intelligence. "There is some evidence that links these tools to previous breaches connected to Russian threat actors but it is not possible to say exactly who is behind this campaign."
Security expert Graham Cluley is not surprised: "It is frustratingly extremely difficult to attribute beyond doubt a particular country or state-sponsored agency to a malware attack," he writes in his own blog. For its part, the US seems to be playing down state-sponsored cyberwar. "American intelligence officials said that it was unclear if the use of the malware was state-sponsored, and that Snake was just one of many types of malware that Ukraine is battling every day," reports the New York Times.
But whoever is behind the Snake campaign, the malware used is sophisticated and persistent. It is a rootkit that can operate in either user mode or kernel mode. BAE Systems describes the user-mode approach as similar to the Rustock rootkit, "an old well-polished technology that evolved over the years and demonstrated its resilience and survivability under the stress of security countermeasures."
The complexity of the kernel-centric architecture is unique, "designed to grant Snake as much flexibility as possible. When most of the infected hosts are cut off from the outside world, it only needs one host to be connected online. The traffic is then routed through that host to make external control and data exfiltration still possible."
BAE Systems also believes that the Snake operators have "an arsenal of infiltration tools, designed to compromise a system, then find a way to replicate into other hosts, infect them, and spread the infection even further." Once a system is infected, the attackers have full remote access to the compromised system; but that infection is heavily disguised. For example, it hides its own malicious traffic by waiting until the victim goes online so that malicious traffic blends in with the user's legitimate communications.
BAE Systems also warns that the threat from the Snake group will continue, and that it is now a permanent part of the threat landscape.