German security firm accuses Russian government of malware development

G Data, a German anti-Virus firm, has alleged that the Russian government is behind the development of Uroburos, a rootkit capable of capturing traffic and files.

According to G Data, Uroburos is modular, making it highly flexible with regard to abilities, and designed to be difficult to identify.

The development of the malware itself is a huge investment, and G Data says the team behind it are highly skilled and working on more advanced versions that have yet to be identified.

"Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ…

"According to all indications we gathered from the malware analyses and the research, we are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets."

When it infects a system, Uroburos looks for Agent.BTZ installations. If any are discovered, it remains inactive. These markers, as well as the fact that the authors of the code used Cyrillic (suggesting that they speak Russian), have led G Data to claim the malware was created by the Russian government.

It's tempting to just dismiss G Data's claim as FUD and move on. However, it's not totally unbelievable. In fact, it’s likely. Why wouldn't the Russians develop and deploy malware of this type?

After the U.S. was outed for using Stuxnet, and blamed for the creation of Flame and Duqu, it was open season on government sanctioned malware. So again, why wouldn't other nations develop their own toys?

No, G Data's theory isn't totally FUD, but it isn't conclusive either. The fact the malware's authors speak Russian, or use Russian words in their code, isn't a clear sign of government involvement. In fact, logical first assumptions would be to dismiss language usage as a false flag.

In the end, G Data's claims aren't the reason I believe the Russian government is developing and using malware; it's because I assumed they were already – just like every other government with substantial funding and ability.

G Data has published a paper on Uroburos, which is available here.
