Russians Suspected In ‘Uroburos’ Digital Espionage Attacks

Thomas Brewster,
ouroboro uroburos malware russian dragon eating tail © Eugene Ivanov Shutterstock

Russian intelligence linked to super-sophisticated rootkit targeting high-profile organisations and nation states

Russian government hackers are suspected of creating a highly-sophisticated piece of malware designed to steal files from nation states’ digital infrastructure.

The Uroburos malware, named after an ancient symbol depicting a serpent or dragon eating its own tail that recently appeared in the Broken Sword 5 video game, worked in in peer-to-peer mode, meaning it can move across machines even if they’re not connected to the public Internet.

G-Data said Uroburos was “one of the most advanced rootkits we have ever analysed in this environment”.

ouroboro uroburos malware russian dragon eating tail © Eugene Ivanov ShutterstockRussian intelligence involved?

It works on both 32-bit and 64-bit Microsoft Windows machines, again pointing to a well-funded effort. It’s likely the Uroburos attacks went undetected for at least three years, as a sample of a rootkit driver was dated back to 2011.

“The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit,” G-Data said.

“The design is highly professional; the fact the attackers use a driver and a virtual file system in two separate files which can only work in combination, makes the analysis really complicated. One needs to have the two components to correctly analyze the framework. The driver contains all of the necessary functionality and the file system alone simply cannot be decrypted.

“The network design is extraordinarily efficient, too; for an incident response team, it is always complicated to deal with peer-to-peer infrastructure. It is also hard to handle passive nodes, because one cannot quickly identify the link between the different infected machines.”

The Russian connection was made after researchers from G-Data discovered plenty of Russian-language strings in the code. They also found the malware searching for the presence of Agent.BTZ, malware used in attacks on the US in 2008, which were said to have been carried out by Russian spies.

The Agent.BTZ attack was initiated when a USB stick was deliberately left in a parking area belonging to the United States Department of Defense.

“We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered,” G-Data added.

“We are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets.”

What do you know about Internet security? Find out with our quiz!