Agent.BTZ spyware hit Europe hard after U.S. military attack: security firm

BOSTON (Reuters) - A mysterious computer virus believed to be from Russia infected hundreds of thousands of PCs around the globe after attacking the U.S. military’s Central Command in an unprecedented breach uncovered in 2008, according to the details of new research released on Wednesday.

Costin Raiu, director of research at Moscow-based Kaspersky Lab, told Reuters on Wednesday that at least 400,000 computers across Russia and Europe were infected with the virus, dubbed Agent.BTZ, based on the number of infections detected by his firm’s anti-virus software.

He said he believes the operators of Agent.BTZ have since stopped communicating with the virus after infections peaked around 2011.

Not much data has been previously released on the virus, so the research from Kaspersky Lab may shed new light on how sophisticated cyber espionage operations are conducted.

Still, Raiu said Kaspersky published its analysis on the attacks because it believes they are likely linked to a sophisticated ongoing operation known as Turla, which is targeting hundreds of government computers across Europe and the United States.

The largest number of infections by Agent.BTZ was in the Russian Federation, followed by Spain and Italy, Raiu said. Other victims were found in Kazakhstan, Germany, Poland, Latvia, Lithuania, the United Kingdom and Ukraine.

Details on the attack on the U.S. Central Command, which in 2008 was in charge of the conflicts in both Iraq and Afghanistan, have been deemed as classified by the Pentagon, so very little has been reported to date.

U.S. officials have said a foreign spy agency was responsible for the 2008 attack, which occurred when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. But they have never publicly singled out a particular country.

Experts inside and outside of the U.S. government have told Reuters they strongly suspect that Agent.BTZ was the work of Russian intelligence. Moscow has never confirmed those suspicions and Russia’s Federal Security Bureau last week declined to comment when asked about their cyber espionage programs.

Agent.BTZ has been widely described as a software worm used for espionage, yet Raiu said his firm’s analysis shows that it is “not optimized for data stealing.”

He told Reuters it was programmed to infect large numbers of computers via USB drives, then create profiles describing the systems it had infected to be sent back to its creators.

When its operators identify targets of interest, such as a military network, they would use Agent.BTZ to gain remote control of the system and install other tools, such as software for identifying and stealing data, according to Raiu.

“It’s like a cannon. You fire it everywhere and maybe you get lucky,” he said. “When you do, you deploy some more advanced levels on top of that.”

He said that he believes the group behind Agent.BTZ was also behind Turla, spyware that has infected hundreds of government computers across Europe and the United States in one of the most complex espionage programs uncovered to date.

Kaspersky Lab has identified cases where a common server was used to control computers infected with Agent.BTZ and Turla. It is also aware of cases where Turla has identified computers infected with Agent.BTZ, then removed Agent.BTZ and replaced it with Turla, Raiu added.

Cybersecurity researchers around the globe are closely studying Turla and potential links to the conflict in Ukraine.

BAE Systems’ Applied Intelligence, the cyber arm of Britain’s premier defense contractor, said on Friday that it had obtained the largest number of Turla samples from Ukraine.

Reporting by Jim Finkle; editing by Richard Valdmanis and G Crosse