
Russians Suspected In ‘Uroburos’ Digital Espionage Attacks

Russian government hackers are suspected of creating a highly-sophisticated piece of malware designed to steal files from nation states’ digital infrastructure.

The Uroburos malware, named after an ancient symbol depicting a serpent or dragon eating its own tail that recently appeared in the Broken Sword 5 video game, works in peer-to-peer mode, meaning it can spread across machines even if they are not connected to the public Internet.

G-Data said Uroburos was “one of the most advanced rootkits we have ever analysed in this environment”.

Russian intelligence involved?

It works on both 32-bit and 64-bit Microsoft Windows machines, again pointing to a well-funded effort. The Uroburos attacks are likely to have gone undetected for at least three years, as a sample of a rootkit driver was found to date back to 2011.

“The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit,” G-Data said.

“The design is highly professional; the fact the attackers use a driver and a virtual file system in two separate files which can only work in combination, makes the analysis really complicated. One needs to have the two components to correctly analyze the framework. The driver contains all of the necessary functionality and the file system alone simply cannot be decrypted.

“The network design is extraordinarily efficient, too; for an incident response team, it is always complicated to deal with peer-to-peer infrastructure. It is also hard to handle passive nodes, because one cannot quickly identify the link between the different infected machines.”

The Russian connection was made after researchers from G-Data discovered plenty of Russian-language strings in the code. They also found the malware searching for the presence of Agent.BTZ, malware used in attacks on the US in 2008, which were said to have been carried out by Russian spies.

The Agent.BTZ attack was initiated when a USB stick was deliberately left in a parking area belonging to the United States Department of Defense.

“We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered,” G-Data added.

“We are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
