16 March 2014

A DIGITAL WILDERNESS OF MIRRORS; CYBER WEAPONS THAT “TALK” AND INTERACT WITH ONE ANOTHER

March 13, 2014

John Dunn has an online article in this afternoon’s TechWorld.com, “Turla, Red October, And Flame Cyber Weapons Preyed On Earlier Agent.btz Worm.” He notes that the “Agent.btz worm that hit the U.S. military and others in 2008 was probably the inspiration for a new generation of cyber-espionage weapons — including the recently documented Turla (aka ‘Snake’ or ‘Uroburos’), the cyber security firm Kaspersky Lab speculates.”

Mr. Dunn notes that the German cyber security firm G Data and Britain’s BAE Systems have come up with the theory that the Turla cyber weapon is most likely a Russian development connected to the earlier Agent.btz (aka ‘Orbina’), but Kaspersky’s analysis is less certain about that connection.

Mr. Dunn adds that what Kaspersky Lab suggests “is that a number of other mysterious cyber weapons, including Red October from 2013 and Flame/Gauss from 2012 (both publicized by Kaspersky Lab), seemed to be aware of Agent.btz in some way.”

Mr. Dunn asks, “does this mean they came from the same developer or, was it more a case of emulating its techniques because they had been shown to work? More extraordinarily, might they even have been opportunistically attempting to steal files? First, the enigmatic Red October, which Kaspersky Lab does not believe is directly connected to Agent.btz — but did include a module that looked for any files it had already stolen and hidden on USB sticks.”

“It is not impossible that the developers of Red October, who must have been aware of the large numbers of infections caused by Agent.btz, and of the fact that the worm had infected U.S. military networks, simply tried to take advantage of other people’s work to collect additional data,” said Kaspersky Lab Chief Security Expert, Aleks Gostev.

“A similar picture emerges,” says Mr. Dunn, “when plotting connections between Agent.btz and a complex cyber weapon called Flame, and its close relations to Gauss and MiniFlame, all three of which were brought to light by Kaspersky Lab between 2011 and 2012. Again, these seemed to have been created with an awareness of what Agent.btz had been up to; MiniFlame also searched for data files written by it.”

“Now for the interesting bit,” says Mr. Dunn. “Can any of those more recent programmes — Turla, Red October, and Flame — be connected to one another? After all, they all manipulated Agent.btz to some degree.” “Probably not,” he says. “Red October and Turla were not connected to one another, said Gostev, and Flame was likewise a cyber weapon standing on its own.”

“What is still intriguing,” says Mr. Dunn, “is that other security firms still believe Turla and Agent.btz are probably directly connected to one another.” Kaspersky’s Gostev attributes this to Turla’s developers being aware of Agent.btz, and probably nothing more. Both had Russian programmers, but again Turla might simply have been trying to capitalize on Agent.btz’s success.

“It’s possible to regard Agent.btz as a certain starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how U.S. networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties,” said Gostev.

Mr. Dunn concludes, “under this kind of scrutiny, the whole affair can start to dissolve into something that sounds more like a John le Carré spy novel — than a map of global cyber warfare activity. What we have to go on is a web of complex malware — but, with little substantial evidence to work out whether they come from the same source.” “What is clear,” he says, “is that researchers now need to do more than simply analyze stand-alone cyber weapons. The age of digital innocence is over.” V/R, RCP