Experts say the campaign has been in development since 2005

Mar 8, 2014 20:41 GMT  ·  By

BAE Systems has published a white paper detailing “Snake,” a complex cyber espionage campaign that has been in development since at least 2005. The report details the sophisticated tools and techniques used by the attackers.

Last week, German security company G Data published a report on Uroburos, an espionage rootkit allegedly created and utilized by a Russian intelligence agency. BAE says Uroburos is only one component of a major project.

The 2008 attacks against US networks, the ones that involved a piece of malware dubbed Agent.BTZ, are said to be part of this campaign. The latest variants of Agent.BTZ are much more complex, but they still share many similarities with the original threat.

Last year, the malware was spotted 8 times in Ukraine, 9 times in Lithuania, 4 times in the UK, 2 times in the US and once in Romania.

Two of the samples analyzed by researchers were compiled in late January, which suggests that the campaign is still active. In fact, a large number of infections (14) were observed this year in Ukraine.

The malware authors have used various names to identify different components of the project. In addition to “snake” and “uroburos,” experts have also seen “snark” and “sengoku.”

While this latest research paper doesn’t say anything about a Russian intelligence agency being behind the cyber espionage operation, experts do note that the malware developers work like any other professionals: Monday to Friday, from around 9 AM to 6 PM.
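The working-hours observation above is the kind of conclusion analysts draw by bucketing sample compile timestamps by weekday and hour and looking for the UTC offset that best fits an office schedule. The script below is an added illustration of that analysis and is not code from the BAE Systems report; the timestamps in it are constructed for the example and are not from any Snake or Uroburos sample. It assumes timestamps have already been extracted (for example from the PE header) and are given in UTC. Keep in mind that compile timestamps can be forged or zeroed by the author, so a profile like this supports an assessment; it does not prove one.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of compile timestamps in UTC (ISO 8601). These are made up
# for this example and are NOT timestamps from the Snake/Uroburos samples.
SAMPLE_TIMESTAMPS_UTC = [
    "2014-01-27T06:12:44",  # Monday
    "2014-01-27T08:40:10",
    "2014-01-28T11:05:33",
    "2014-01-29T07:55:01",
    "2014-01-29T13:20:19",
    "2014-01-30T09:47:52",
    "2014-01-30T14:58:00",
    "2014-01-31T06:30:15",
    "2014-01-31T12:10:09",
    "2013-12-10T10:22:41",
    "2013-12-11T08:15:30",
    "2013-11-23T09:00:00",  # Saturday: outside office days at any offset
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 string and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def in_office_hours(local_dt: datetime, start_hour: int = 9, end_hour: int = 18) -> bool:
    """True if the local time falls on a weekday within [start_hour, end_hour)."""
    return local_dt.weekday() < 5 and start_hour <= local_dt.hour < end_hour


def office_hours_fraction(timestamps, utc_offset_hours: int,
                          start_hour: int = 9, end_hour: int = 18) -> float:
    """Fraction of timestamps that land in office hours after shifting to the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = sum(
        1 for ts in timestamps
        if in_office_hours(parse_utc(ts).astimezone(tz), start_hour, end_hour)
    )
    return hits / len(timestamps)


def best_utc_offset(timestamps, offsets=range(-12, 15)):
    """Return (offset, fraction) for the UTC offset whose office-hours fit is best.

    Ties are broken toward the offset closest to UTC, so the result is
    deterministic even when several offsets fit equally well.
    """
    scored = {off: office_hours_fraction(timestamps, off) for off in offsets}
    best = max(scored, key=lambda off: (scored[off], -abs(off)))
    return best, scored[best]


def activity_histogram(timestamps, utc_offset_hours: int):
    """Count compile events per weekday name and per local hour at the given offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    weekdays, hours = Counter(), Counter()
    for ts in timestamps:
        local = parse_utc(ts).astimezone(tz)
        weekdays[local.strftime("%a")] += 1
        hours[local.hour] += 1
    return weekdays, hours


if __name__ == "__main__":
    offset, fraction = best_utc_offset(SAMPLE_TIMESTAMPS_UTC)
    print(f"best-fitting offset: UTC{offset:+d} ({fraction:.0%} of builds in office hours)")
    weekdays, hours = activity_histogram(SAMPLE_TIMESTAMPS_UTC, offset)
    print("builds per weekday:", dict(weekdays))
    print("builds per local hour:", dict(sorted(hours.items())))
```

On the constructed data the best fit is UTC+3 with 11 of 12 builds inside a 9-to-6 working week; the one Saturday build is the kind of outlier a real data set will also contain. With real samples, run the same functions over the extracted timestamps and treat a strong fit at one offset as one indicator among several, never as attribution on its own.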

“What this research once more demonstrates is how organised and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organisations on a massive scale,” said Martin Sutherland, managing director at BAE Systems Applied Intelligence.

“Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously,” Sutherland added.

“As the Snake research clearly illustrates, the challenge of keeping confidential information safe will continue for many years to come.”

The complete report on the Snake campaign is available on BAE Systems’ website. It includes information on how the malware communicates, the evolution of the architectures used in the operation, the tricks employed to evade Windows security and other details.

BAE believes the information it is making available can help organizations determine whether their systems have been compromised and help security firms develop improved defense mechanisms.