Who could deny that spies now use covert spyware?

Recently the G DATA SecurityLabs published the outcome of a long and detailed analysis of three different malware variants: Agent.BTZ, Uroburos and Cobra. For the first one, you might need to dig deep into your memory. Agent.BTZ first popped up in the news in 2008, when the US Pentagon was infected with this piece of spyware. Analysis back then pointed in the direction of Russia, even though no formal allegations were ever made. Fast forward to February 2014, when the malware researchers of G DATA published an article about a new, highly sophisticated, modular spyware they dubbed Uroburos. Later in the year, it turned out that both the Belgian and the Finnish Foreign Ministry had actually fallen victim to Uroburos. Recently, yet another piece of malware was found by the experts of the G DATA SecurityLab: Cobra. This, again, is a very sophisticated, modular piece of coding that is clearly a side branch of Agent.BTZ. With all of these pieces of malware, suspicion was directed towards Russia, based on various small and seemingly insignificant clues.

The researchers at G DATA always suspected a connection between these three pieces of malware. Certain similarities within the code and the recurring use of some specific techniques made them believe there was a large framework to which all three branches belonged. The researchers made a large effort to locate as many samples from this framework as possible. They ended up with a total of 46 Agent.BTZ samples that had been compiled over a period of seven years. When looking at all these files, it was possible to connect the dots. Over the years, the malware had evolved slowly but considerably. Most of the updates were about fixing bugs and implementing new features; others were about maintaining the functionality for new versions of Windows. In 2012 a redesign of the software took place and many components were rebuilt, but it was still the same malware framework. The changes indicate a customer or user putting in requests for features, updates and small changes.

As you can imagine, malware researchers are not in any position to speculate on attribution and place blame. What the team is certain of, however, is that it costs a lot of time, money and some very qualified programmers to write this type of sophisticated code and to keep developing it over the course of more than seven years. Either this business is very profitable, or it is covered by funding. Funds of this kind are normally only found in nation-state espionage.

Should that shock us? Do we consider creating elusive spyware 'fair play' when it comes to trying to get information from another state? Whether we like it or not, there is no way around the truth. This particular project seems to be Russian; the Regin project, which came to light in late 2014, seems to be American. And most likely there are many more state-sponsored spyware projects out there. Spying most likely takes place where classified and valuable information is kept, and that information is stored on computers. A good spying programme in the 21st century cannot exist without good covert spyware. It feels different, because no spy needs to risk his life breaking into some building and taking candid photos of secret documents. But that doesn't necessarily make it 'worse' or 'better'.

Does this mean countries are secretly engaging in a cyber war? No. Spying on a government is not the same as attacking that country. However, I do feel governments need to make a serious priority out of defending themselves better against the spying eyes of others. Too often we encounter situations, even within ministries and other governmental institutions, in which simple security mistakes are made and disasters are not proactively prevented: simple passwords, lingering software updates and gullible workers who easily walk into spear-phishing traps. It is time to put military discipline behind defending our state IT infrastructure, just as you would try to keep wandering spies out of rooms with filing cabinets. The same goes for companies that are involved in vital industrial processes, like energy plants, water companies, telecommunication companies, etc. In the latter cases, espionage is a big concern, but the possibility of an attack is an even greater risk, considering the possible effect on the entire population of a country. Recent discoveries in the Snowden documents have just reminded us that these infrastructure companies have already been under attack for a while.

Contributed by Ralf Benzmüller, head of G DATA SecurityLabs