Researchers looking into the recently uncovered Turla, or Snake, cyber espionage campaign have discovered some similarities connecting it to older pieces of malware such as Agent.btz, the worm that several years ago infected U.S. military networks and eventually caused the Department of Defense to ban the use of USB drives. However, there is not enough evidence to suggest that the two pieces of malware were created by the same authors, researchers say.
Reports last week detailed the Turla malware’s infection of networks belonging to U.S. government agencies as well as some targets in Ukraine, the U.K. and some other European countries. The malware hides on infected systems, steals data and sends it off to a remote server, much like other cyber espionage tools. Turla seems to have been written by Russian-speaking authors, like Agent.btz and the Red October cyber espionage malware. Turla also uses the same XOR key and log file names as Agent.btz, suggesting a strong link between the two.
However, the details of the Agent.btz attack have been known publicly for six years now, including the specific log file names, and even the XOR key, which was published in 2008 when the attack was discovered. Agent.btz, unlike Turla, was a self-replicating worm and it infected U.S. military networks and had the ability to jump to USB drives connected to compromised machines. After the attack was discovered and remediated, the Department of Defense prohibited the use of USB drives on its networks. Both Turla and and Agent.btz have files with identical names, and Red October and Turla both use a file called “thumb.dd”.
With all of that detail known publicly, researchers say that there is not enough evidence to say conclusively that Turla is directly connected to Agent.btz or Red October.
“We cannot make such a conclusion based only on the listed facts”, said Aleks Gostev, Chief Security Expert at Kaspersky Lab. “All the information used by developers was publicly known – at least by the time of Red October and Gauss/Flame creation. First of all, it wasn’t a secret that Agent.btz used ‘thumb.dd’ as a container file to collect information about infected systems.
“Secondly, the XOR key used by developers of Turla and Agent.btz to encrypt their log files was also published in 2008. It’s unknown since when this key was first used in Turla, but we see it for sure in the latest samples of the malware (created in 2013-2014). At the same time, there is some data that Turla’s development started in 2006 – before any known sample of Agent.btz. Which leaves the question open.”
Researchers at Kaspersky Lab, who uncovered the Red October cyber espionage campaign, said that it’s possible that malware was programmed to scan for the “thumb.dd” file on infected machines in order to steal whatever data the file contained. Red October was a highly specialized tool designed to infect specific systems and steal data. Gostev said that there also are some similarities between the Flame and Gauss malware and Agent.btz, including some similar naming conventions. A possible explanation, he said, is that the authors of Flame and Gauss were familiar with the analysis of Agent.btz and adopted some of the same techniques.
“Summarizing all the above, it is possible to regard Agent.btz as a certain starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how US military networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties. Were the people behind all these programs all the same? It’s possible, but the facts can’t prove it,” Gostev said in his analysis of the Turla connection to other malware.
