* Virus raises level of cyber danger
* experts see state-backed operation, probably Russian
* Infection widespread, some experts say
By Peter Apps and Jim Finkle
LONDON/BOSTON, March 7 - A sophisticated piece of
spyware has been quietly infecting hundreds of government
computers across Europe and the United States in one of the most
complex cyber espionage programs uncovered to date.
Several security researchers and Western intelligence
officers say they believe the malware, widely known as Turla, is
the work of the Russian government and linked to the same
software used to launch a massive breach on the U.S. military
uncovered in 2008. Those assessments were based on analysis of
tactics employed by hackers, along with technical indicators and
the victims they targeted.
"It is sophisticated malware that's linked to other Russian
exploits, uses encryption and targets western governments. It
has Russian paw prints all over it," said Jim Lewis, a former
U.S. foreign service officer, now senior fellow at the Center
for Strategic and International Studies in Washington.
However, security experts caution that while the case for
saying Turla looks Russian may be strong, it is impossible to
confirm those suspicions unless Moscow claims responsibility.
Developers often use techniques to obscure their identity.
Public talk of the threat surfaced this week after a little
known German anti-virus firm, G Data, published a report on the
virus, which it called Uroburos. The name is from a string of
text in the code that may be a reference to a Greek symbol
depicting a serpent eating its own tail.
Experts in state-sponsored cyber attacks say that Russian
government-backed hackers are known for being highly
disciplined, adept at hiding their tracks, extremely effective
at maintaining control of infected networks and more selective
in choosing targets than their Chinese counterparts.
"They know that most people don't have either the technical
knowledge or the fortitude to win a battle with them. When they
recognize that someone is onto them, they just go dormant," said
one security expert who has helped victims of state-sponsored
A former Western intelligence official commented: "They can
draw on some very high grade programmers and engineers,
including the many who work for organized criminal groups, but
also function as privateers."
Russia's Federal Security Service declined comment, as did
officials at the Pentagon and the U.S. Department of Homeland Security.
On Friday, Britain's BAE Systems Applied Intelligence - the
cyber arm of Britain's premier defence contractor - published
its own research on the spyware, which it called "snake".
The sheer sophistication of the software, it said, went well
beyond that previously encountered - although it did not
attribute blame for the attack.
"The threat... really does raise the bar in terms of what
potential targets, and the security community in general, have
to do to keep ahead of cyber attacks," said Martin Sutherland,
managing director of BAE Systems Applied Intelligence.
NATO NATIONS TARGETED
Researchers with established security companies have been
monitoring Turla for several years.
Symantec Corp estimates up to 1,000 networks have
been infected by Turla and a related virus, Agent.BTZ. It named
no victims, saying only that most were government computers.
Hackers use the Turla spyware to establish a hidden foothold
in infected networks from which they can search other computers
for data, store information that is of interest and eventually
transmit it back to their servers.
F-Secure, a Helsinki-based maker of security software, first
encountered Turla last year while investigating attacks on
organizations, according to chief research officer Mikko Hypponen. He
also declined to name victims.
"While it seems to be Russian, there is no way to know for
sure," said Hypponen.
Security firms that are monitoring the threat have said the
operation's sophistication suggests it was likely backed by a
nation state and that technical indicators make them believe it
is the work of Russian developers.
European governments have long welcomed U.S. help against
Kremlin spying, but were infuriated last year to discover the
scale of surveillance by America's National Security Agency that
stretched also to their own territory.
Security experts say the stealthy Turla belongs to the same
family as one of the most notorious pieces of spyware uncovered
to date: Agent.BTZ. It was used in a massive cyber espionage
operation on U.S. Central Command that surfaced in 2008 and is
one of the most serious U.S. breaches to date. While Washington
never formally attributed blame, several U.S. officials have
told Reuters they believed it was the work of Russia.
Hypponen said Agent.BTZ was initially found in a military
network of a European NATO state in 2008, but gave no details.
F-Secure is credited with naming that piece of malware in 2008,
though researchers believe it was created as early as 2006.
Eric Chien, technical director with Symantec Security
Response, described Turla as "the evolution" of Agent.BTZ. "They
are a very active development group," Chien said.
Finland said its Foreign Ministry computer systems had been
penetrated by an attack last year but would not describe the
method or say if it was related to Agent.BTZ and Turla.
Sweden's signals intelligence agency, the National Defence
Radio Establishment, said attacks to gain information were "more
common than people think", adding that the agency had discovered
multiple attacks against authorities, governments and
universities, some detected only after several years.
Government sources in the Czech Republic, Estonia, Poland
and Romania said Turla had not affected them directly. Other
European governments contacted by Reuters declined comment.
Although computer security researchers have been quietly
studying Turla for more than two years, public discussions of
the threat only began after G Data published its report.
G Data spokesman Eddy Willems said his firm had obtained
more than 10 samples of Turla. He declined to name any victims
or identify the author of the report, saying the firm was
concerned the group behind Turla might attempt to harm him.
Researchers say that the creators of Turla have regularly
updated its code, changing it to evade detection as anti-virus
companies add signatures for new strains.
Jaime Blasco, director of AlienVault Labs, said that Turla
was more of a "framework" for espionage than simply malware.
The malware is a rootkit that hides the presence of the
spying operation and also creates a hidden, encrypted file
system to store stolen data and the tools used by the attackers, he
said. Those tools include password stealers, small programs for
gathering information about the system, and document stealers.
The operators can download specialized tools onto an
infected system, adding any functionality they want by including
it in the encrypted file system, Blasco said.
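The hidden, encrypted store Blasco describes defeats signature scanning of its contents, but it also looks statistically unlike the configs, scripts and documents around it, which is one of the few handles a defender has on it from disk. The following Python is an added example, not code from the article or from G Data, BAE Systems or Symantec, and it is not modelled on Turla's actual container format: it runs a Shannon-entropy triage over a set of constructed in-memory blobs, using a toy SHA-256 counter-mode XOR cipher solely to manufacture the "encrypted" sample. The 7.5 bits-per-byte threshold, the 256-byte minimum size and the file names are illustrative assumptions.

```python
"""Entropy triage for opaque on-disk blobs.

Added illustration, not code from the article or from any Turla sample.
An encrypted container full of tools and stolen documents looks like
uniform noise to a byte-frequency test, whereas configs, scripts and
office documents do not.  Compressed archives also score high, so a hit
is a triage lead, not a verdict.
"""
import hashlib
import math
from collections import Counter

MIN_SIZE = 256        # assumption: below this, byte statistics are too noisy to trust
HIGH_ENTROPY = 7.5    # assumption: bits per byte; uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = HIGH_ENTROPY) -> str:
    """Return 'too-small', 'high-entropy' or 'low-entropy' for one blob."""
    if len(data) < MIN_SIZE:
        return "too-small"
    return "high-entropy" if shannon_entropy(data) >= threshold else "low-entropy"


def scan(blobs: dict) -> list:
    """Names of the blobs that deserve a closer look, sorted for stable output."""
    return sorted(name for name, data in blobs.items()
                  if classify(data) == "high-entropy")


def xor_keystream_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode, XORed onto the plaintext).

    Used only to build the sample container below. It is NOT the cipher
    any real malware uses and is not suitable for protecting anything.
    """
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(plaintext):
        keystream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


# Constructed sample inputs; none of this is real victim data.
PLAINTEXT_CONFIG = (b"[proxy]\nserver = proxy.example.internal\nport = 8080\n"
                    b"[logging]\nlevel = info\npath = C:\\logs\\app.log\n") * 40
SAMPLE_BLOBS = {
    "app.ini": PLAINTEXT_CONFIG,                                            # ordinary text
    "container.bin": xor_keystream_encrypt(PLAINTEXT_CONFIG, b"constructed-key"),  # same bytes, encrypted
    "stub.dat": b"\x00" * 64,                                               # too small to judge
}

if __name__ == "__main__":
    for name, data in SAMPLE_BLOBS.items():
        print(f"{name:14} {len(data):6d} bytes  H={shannon_entropy(data):.3f}  {classify(data)}")
    print("flagged:", scan(SAMPLE_BLOBS))
```

The same plaintext scores around four bits per byte as a config file and close to eight once encrypted, which is the whole basis of the heuristic. Compressed archives, media files and packed executable sections also land near eight, so a flagged file is a reason to look at which process writes to it and when, not a finding on its own.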
They have used dozens of different "command and control"
servers located in countries around the world to control
infected systems, according to Symantec, whose researchers have
helped identify and shut down some of those systems.
Chien said that in some cases Turla's operators have
responded quickly when one of their servers was taken offline,
releasing new versions of the malware that direct infected
computers to new command and control servers.
"They have a super active development team," he said.