The British-based security firm BAE Systems has identified 14 instances of Uroburos in Ukraine in 2014, the earliest instances of which were before the Euromaidan protests even heated up. Experts haven’t identified specific victims of Uroburos attacks, but its sophisticated nature suggests it was designed to attack high-value targets like government networks and telecom systems.
The malware expertly bypasses sophisticated Windows security measures and can steal data and capture network traffic, according to Hacker News. Experts say Uroburos could have been active up to three years ago and gone undetected since then, which would be a testament to how sophisticated it is.
More specifically, Uroburos is a rootkit, a type of software whose primary function is to hide functions and processes in a system. It acts like a stealth cloak that allows someone to basically do whatever they please on a system without being detected.
G Data Software, a German-American cybersecurity firm that has researched Uroburos extensively, coined the name Uroburos after finding several instances of the word embedded in the malware’s code. There’s even a line of code that reads “Uroburos got you,” stylized to suggest the programmers got the name from a webcomic called Homestuck, of all places.
There are also several references to snakes in the rootkit’s code, prompting the name Snake for the larger toolkit that Uroburos is a part of.
Can Uroburos Be Tracked To The Russian Government?
Its incredibly sophisticated nature suggests to experts that it was developed not by cybercriminals, but by a state agency.
It’s likened in complexity to the Stuxnet malware used to sabotage a number of Iranian nuclear centrifuges, which is saying a lot. G Data calls it “one of the most advanced rootkits (G Data) has ever analyzed.”
G Data “believes that highly trained developers must have been involved,” and that “a secret service is behind Uroburos.”
Just which secret service? G Data believes it’s Russia’s. They found indications that suggest the developers of Uroburos speak Russian. They suspect the people behind Uroburos are the same who attacked U.S. systems with a malware called Agent.BTZ. The programming language is similar and Uroburos even checks to see if Agent.BTZ is already on a system, in which case it remains inactive.
Evidence also suggests the code was developed in a UTC+4:00 time zone, otherwise known as Moscow Time, which encompasses most of western Russia.
That would explain why Uroburos is either being rolled out or activated in Ukraine. Ukrainian targets make up 57 percent of all instances of Uroburos infections identified by BAE Systems.
Granted, most occurred before former President Viktor Yanukovych was tossed out of power, but if we’ve learned anything about international security efforts since the NSA scandal broke, it’s that state governments are not afraid to stick their noses in their neighbors’ (and friends’) business.
See G Data’s full Red Paper report on Uroburos here.