It shouldn't be easy to shut down a European ministry for days, depriving bureaucrats of access to e-mail and the web. Someone, however, has managed to do just that to Belgium's foreign ministry, which had to quarantine its entire computer system last Saturday and only managed to restore the work of the passport and visa processing systems on Thursday. Similar attacks seem to be taking place elsewhere in Europe, as Belgian Foreign Minister Didier Reynders told the Belga news agency after meeting with a senior French diplomat that "everyone (on the European level) notes at this moment a very powerful pickup in hacking activity probably coming from the east and in any case having to do with Ukraine."
The local press reports that a Russian program called Snake caused the disruption in Brussels. If that is true, the Belgians have made the acquaintance of one remarkable serpent. Under the name Agent.BTZ -- a generic one, automatically generated to classify a then-unknown piece of malicious code – it hit the U.S. Department of Defense back in 2008. The attack became public knowledge two years later, after Deputy Defense Secretary William J. Lynn III described it in a Foreign Affairs article as a "significant compromise" of the DoD's classified computer networks. Someone had coupled a flash drive to a military laptop at a Middle Eastern base, and the malware spread from there, prompting ahuge policy response that culminated in the creation of the United States Cyber Command.
Given the attack target's clout and resources, one would have expected the U.S. and its NATO allies to thoroughly study and block the malware. That didn't happen. Defense conglomerate BAE Systems wrote in a recent report that "the operation behind the attacks has continued with little modification to the tools and techniques, in spite of the widespread attention a few years ago."
Agent.BTZ is now also known as Snake (the name Belgians use for it), Uroburos, Sengoku and Snark -- names the malware's creators have used for its versions. It is highly sophisticated, flexible software that, after infiltrating a Windows computer, can operate both from "userland" -- where a user runs her programs -- or the system kernel, where device drivers run. According to the BAE report, "it is designed to covertly install a backdoor on a compromised system, hide the presence of its components, provide a communication mechanism" and then send out stolen information, including files and captured network traffic. In other words, nothing on your computer is safe from Snake.
German cybersecurity firm GData analyzed the Uroburos version of the malware earlier this year and found evidence that its developers spoke Russian. Department of Defense officials also strongly suspected Russian hackers of being involved in the Agent.BTZ attack. Uroboros, developed in 2011, checks for the presence of good old Agent.BTZ on a computer and remains inactive if it finds it.
"Due to the complexity of the Uroburos rootkit, we estimate that it was designed to target government institutions, research institutions or companies dealing with sensitive information," GData wrote in its report. It added: "The development of a framework like Uroburos is a huge investment."
Snake and its variants have been extensively deployed by whoever made that investment. BAE Systems collected a total of 32 samples of the malicious code from Ukraine, where most of them appear to have been installed since the Maidan protests started in Kiev last year; 11 from Lithuania; four from the U.K.; two from the U.S. and another six from other countries.
Based on the fact that the earliest known version of Snake was compiled in January 2006, BAE says that "the cyber-espionage operation behind the Snake rootkit is well-established." Indeed, in more than eight years the malware must have stolen much more sensitive information than the confidential diplomatic report on Ukraine that the Belgians believe it intercepted. In fact, security experts cannot find the next infected computer on the network from the first one because of the clever way Snake is designed. The only way to clean up a network is to take it down from the internet and examine each computer, the way the Belgian foreign ministry has done.
There must be entire agencies in NATO countries that need the same procedure. All it takes is for one ignorant bureaucrat to click on an enticing link in an e-mail or plug in an unverified thumb drive, and the entire computer network becomes a giant hydrant blowing information to some server in Moscow, or wherever Snake's control center is.
Some experts have wondered why the Ukraine conflict has not produced much of a cyberwar beyond a few site defacements, distributed denial of service attacks and pro-Russian trolling on new sites. Perhaps Russia doesn't need one, given its military ascendancy. It is more likely, however, that Moscow's war is a quiet one, and the fat, eight-year-old snake may one of its most effective weapons, giving President Vladimir Putin a much better understanding of the West's thinking and specific plans than EU and U.S. policymakers are willing to admit.
To contact the author on this story:
Leonid Bershidsky at firstname.lastname@example.org