The Agent.btz worm that hit the US military and others in 2008 was probably the inspiration for a new generation of cyber-espionage weapons including the recently-documented Turla (aka ‘Snake’ or ‘Uroburos’), Kaspersky Lab has speculated.
German firm G Data and Britain’s BAE Systems have advanced the theory that the Turla cyberweapon is most likely a Russian development connected to the earlier Agent.btz (aka ‘Orbina’), but Kaspersky’s analysis is less certain about that connection.
What the firm does suggest is that a number of other mysterious cyberweapons, including Red October from 2013 and Flame/Gauss from 2012 (both publicised by Kaspersky Lab), seemed to be aware of Agent.btz in some way.
Does this mean they came from the same developer or was it more a case of emulating its techniques because they had been shown to work? More extraordinarily, might they even have been opportunistically attempting to steal its files?
First, the enigmatic Red October. Kaspersky Lab does not believe it is directly connected to Agent.btz, but it did include a module that looked for any files Agent.btz had already stolen and hidden on USB sticks.
“It is not impossible that the developers of Red October, who must have been aware of the large number of infections caused by Agent.btz and of the fact that the worm had infected US military networks, simply tried to take advantage of other people’s work to collect additional data,” said Kaspersky Lab chief security expert, Aleks Gostev.
A similar picture emerges when plotting the connections between Agent.btz and a complex cyberweapon called Flame and its close relations Gauss and MiniFlame, all three of which were brought to light by Kaspersky between 2011 and 2012. Again, these seemed to have been created with an awareness of what Agent.btz had been up to; MiniFlame also searched for data files written by it.
Now for the interesting bit. Can any of those more recent programmes – Turla, Red October and Flame – be connected to one another? After all, each of them engaged with Agent.btz in some way.
Probably not. Red October and Turla were not connected to one another, said Gostev, and Flame was likewise a cyberweapon standing on its own.
What is still intriguing is that other security firms continue to believe Turla and Agent.btz are probably directly connected. Kaspersky’s Gostev attributes this to Turla’s developers being aware of Agent.btz and probably nothing more. Both were the work of Russian programmers, but again Turla might simply have been trying to capitalise on Agent.btz’s success.
“It is possible to regard Agent.btz as a certain starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how US military networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties,” said Gostev.
Under this kind of scrutiny, the whole affair can start to dissolve into something that sounds more like a sub-plot from a John le Carré spy novel than a map of global cyberwarfare activity. What we have to go on is a web of complex malware, with little substantial evidence to establish whether any of it comes from the same source.
What is clear is that researchers now need to do more than simply analyse standalone cyberweapons. The age of innocence is over.