Pages

11 March 2014

Investigators Find Dozens of Ukrainian Government Computers Infected With Cyber Espionage Virus Called “Snake”; Suspicion Falls on Russian Intelligence

March 9, 2014

Suspicion Falls on Russia as ‘Snake’ Cyberattacks Target Ukraine’s Government

David E. Sanger and Steven Erlanger
New York Times

WASHINGTON — Since the first major protests in Kiev that triggered the current crisis with Moscow, American intelligence agencies have been on high alert for cyberattacks aimed at the new government in Ukraine. They were a bit late: the attacks started long before President Viktor F. Yanukovych was forced from office, and as might be expected, no one can quite pinpoint who is behind them, although some suspicion is falling on Russia.

According to a report published by the British-based defense and security company BAE Systems, dozens of computer networks in Ukraine have been infected for years by a cyberespionage “tool kit” called Snake, which seems similar to a system that several years ago plagued the Pentagon, where it attacked classified systems.

The malware appeared many more times this year in Ukraine, as the protests in Kiev picked up their pace. The protesters were angered by Mr. Yanukovych’s decision not to pursue closer trade and political ties with Europe, which has been vying with Russia for influence in Ukraine.

Snake — also known as Ouroboros, for the serpent in Greek mythology — gives attackers “full remote access to the compromised system,” according to the BAE report released Friday. BAE cited circumstantial evidence that the attacks originated in Russia, saying that the malware developers operate in the Moscow time zone and that there is some Russian text in the code.

But American intelligence officials said that it was unclear if the use of the malware was state-sponsored, and that Snake was just one of many types of malware that Ukraine is battling every day.

Versions of Snake’s predecessor have been around since 2005, but the highly sophisticated one found in Ukraine appears to have been directed at government agencies. The attacks were aimed mostly at siphoning data from local computers to other servers, the report said. It identified 14 cases of Snake in Ukraine since the start of 2014, compared to eight cases in the whole of 2013. In all there have been 32 reported cases in Ukraine since 2010, out of 56 worldwide.

One mystery is whether Snake is now being turned to purposes that go beyond mere espionage: manipulating or alerting computer networks in some way. Russian hackers — both those employed by the state and those working on their own — are known for their abilities to design sophisticated “implants” that both suck data out of a system and create a pathway for other malicious software to be injected. Documents stolen from the National Security Agency by Edward J. Snowden, the former N.S.A. contractor now living in Moscow and interviews with intelligence officials indicate the United States also has extensive capability to do similar things.

“The usual Russian approach would be to design something that could both conduct surveillance and aid in an attack,” said one senior intelligence official, describing how the National Security Agency and the Pentagon’s Cyber Command were on the lookout for the kind of computer attacks that were unleashed on Estonia seven years ago. The precise origins of those attacks have never been completely understood.

While some early reports about Snake compared it to Stuxnet, the American- and Israeli-designed worm that attacked Iran’s nuclear program, the inner workings of Snake appear to be quite different. Stuxnet took over the computer controllers that ran Iran’s nuclear centrifuges, spinning those centrifuges out of control. So far, there is no evidence that Snake can do that.

American officials have never confirmed they were part of the operation against Iran, code-named “Olympic Games.” But what makes Snake particularly familiar to American officials is that they saw a version of it, then called “Agent.btz,” in the Pentagon’s own systems. The event was written in about 2010 by the deputy secretary of defense at the time, William J. Lynn, who raised the alarm about the military’s vulnerabilities to such attacks. In the four years since, however, the malware has become more powerful, and the BAE report described it as “one of the most sophisticated and persistent threats we track.”

Snake has also shown up in Lithuania, Britain and Georgia, among other places. But the United States has only seen two cases so far, the BAE report indicates. 

No comments:

Post a Comment