Cyber Snake plagues Ukraine networks

Source: FT

An aggressive cyber weapon called Snake has infected dozens of Ukrainian computer networks including government systems in one of the most sophisticated attacks of recent years.

Also known as Ouroboros, after the serpent of Greek mythology that swallowed its own tail, the malware is, experts say, comparable in complexity to Stuxnet, the malware that was found to have disrupted Iran’s uranium enrichment programme in 2010.

The cyber weapon has been deployed most aggressively since the start of last year ahead of protests that climaxed two weeks ago with the overthrow of Viktor Yanukovich’s government.

Ouroboros gives its operators unfettered access to networks for surveillance purposes. But it can also act as a highly advanced “digital beachhead” that could destroy computer networks with wide-ranging repercussions for the public.

Cyber warfare experts have long warned that digital weapons could shut off civilian power or water supplies, cripple banks or even blow up industrial sites that depend on computer-controlled safety programmes.

The origins of Ouroboros remain unclear, but its programmers appear to have developed it in a GMT+4 timezone – which encompasses Moscow – according to clues left in the code, parts of which also contain fragments of Russian text.

It is believed to be an upgrade of the Agent.BTZ attack that penetrated US military systems in 2008.

The malware has infected networks run by the Kiev government and systemically important organisations. Lithuanian systems have also been disproportionately hit by it.

Ouroboros has been in development for nearly a decade and is too sophisticated to have been programmed by an individual or a non-state organisation, according to the applied intelligence unit at BAE Systems, which was the first to identify and analyse the malware.

The Financial Times has corroborated the existence of Snake with security and military analysts.

BAE has identified 56 apparent infections by Snake globally since 2010, almost all in the past 14 months. Ukraine is the primary target, with 32 recorded instances, 22 of which have occurred since January 2013.

“Ukraine is top of the list [of infections] and increasing,” said Dave Garfield, managing director for cyber security at BAE, who added that the instances were almost certainly “the tip of the iceberg”.

“Whoever made it really is a very professional outfit,” Mr Garfield added. “It has a very high level of sophistication. It is a complex architecture with 50 sub-modules designed to give it extreme flexibility and the ability to evolve. It has neat and novel technical features.”

“You never get beyond reasonable doubt levels of proof in this area but if you look at it in probabilistic terms – who benefits and who has the resources – then the list of suspects boils down to one,” said Nigel Inkster, until 2006 director of operations and intelligence for MI6 and now director of transnational threats at the think tank IISS.

“Until recently the Russians have kept a low profile, but there’s no doubt in my mind that they can do the full scope of cyber attacks, from denial of service to the very, very sophisticated.”