Russia-linked cyber attack on Ukraine PM’s office

Sam Jones

Dozens of computers in the Ukrainian prime minister's office and at least 10 of Ukraine's embassies abroad have been infected with a virulent cyber espionage weapon linked to Russia.

The cyber attack has also affected the eastern European embassies of at least nine other countries, including Germany, China, Poland and Belgium. As a result, sensitive diplomatic information has been made available to the perpetrators of the attack.

News of the aggressive campaign comes as tensions between Russia and the west over Ukraine are running high: punitive economic sanctions enacted against Moscow by US and EU officials in recent days have been met with reprisals from the Kremlin. A Russian troop build-up on the Ukrainian border has continued apace.


The diplomatic infections were revealed partly in data compiled by the online security firm Symantec and partly by intelligence sources contacted by the Financial Times. They are the latest evidence of the spread and penetration of the Snake malware. It is also known as Ouroboros, the tail-swallowing serpent of Greek mythology.

Security and military analysts told the FT earlier this year they believed Snake to be a programme used by hackers linked to the Russian government.

Analysis then indicated that Ukraine was the likely primary target of Snake – an operation of a sophistication and dexterity that experts believed could only be executed by an extremely well-resourced, state-backed group controlled by a military or intelligence authority.


Cyber security experts believe Snake to be the successor malware to a cyber weapon used successfully to attack the Pentagon in 2008. Officials described it at the time as the worst breach of US military computers.

According to Symantec, in a report produced for clients on Thursday, 60 computers in "the office of the prime minister of a former Soviet Union member country" were infected with Snake in a campaign that began in May 2012. It is still ongoing.

According to senior intelligence officials of Nato member states who spoke on condition of anonymity, that country is Ukraine.

Those officials say Russia has been waging a sophisticated and aggressive digital espionage campaign against Kiev that has directly fed into its handling of, and responses to, the crisis.


Since the existence of Snake was first publicised earlier this year, analysts have built up a detailed picture of the way it is used as a cyber weapon.


Unlike other sophisticated, state-backed pieces of malware, such as Stuxnet – the programme used by the US and Israel to disrupt Iran's uranium enrichment facilities – Snake is a far more precise weapon.

"The interesting thing about Snake is how it is spreading," said Peter Roberts, an expert in cyber warfare at the Royal United Services Institute and a former senior military intelligence officer. "If you take a normal virus, its spread and infection is fairly uncontrollable. The thing about Snake is that it is a far more targeted piece of malware. It is being carefully targeted at security and defence systems of governments and key government partners in a very specific way."

"It has all the hallmarks of being generated by Russian operatives," he added. "There is a very high degree of probability, just short of certainty, that it is Russian."


Computers and networks infected by Snake have been carefully preselected by the malware's operators over several stages of targeting, according to Symantec's research.

The espionage campaign in eastern Europe began with Snake's operators infecting 84 prominent public websites which they knew were visited regularly by government, defence industry and diplomatic service employees.

The first level of infection involved visitors to those websites being prompted to upgrade their Shockwave Player software.

Details of thousands of visitors who agreed to do so were then compiled by Snake's operators.

The second level of infection involved Snake operators targeting groups of those visitors whose IP addresses corresponded to those of institutions and organisations of interest.


Those individuals were subsequently infected with a preliminary piece of malware known as "wipbot". The wipbot malware allowed Snake's operators to determine how senior those infected were in their organisations. This then allowed for a specific and targeted deployment of the full Snake malware package solely to those whose computer systems contained the most sensitive and valuable information.
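The staged chain above (watering-hole visit, fake Shockwave Player update, selection of victims by institutional IP range) leaves traces in an ordinary web proxy log. The following is an added example of how a defender might hunt for those traces; it is not code from Symantec, the FT or the Snake operators. The log lines, the watering-hole list, the address ranges and the assumption that only Adobe domains may legitimately serve a Shockwave installer are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed placeholders: sites a defender has learned were compromised as watering holes.
WATERING_HOLES = {"news.example-gov.test", "defence-forum.test"}
# Hosts allowed to serve a Shockwave Player installer (assumption for this example: Adobe only).
LEGIT_UPDATE_HOSTS = ("adobe.com",)
# Constructed proxy log: unix_time client_ip method url referer ("-" when absent).
SAMPLE_LOG = """\
1400000000 10.1.2.3 GET http://news.example-gov.test/index.html -
1400000005 10.1.2.3 GET http://cdn-update.test/shockwave_player_update.exe http://news.example-gov.test/index.html
1400000010 10.1.2.4 GET http://get.adobe.com/shockwave/installer.exe http://news.example-gov.test/index.html
1400000020 10.9.0.7 GET http://cdn-update.test/ShockwavePlayer-12.exe -
1400000030 10.1.2.8 GET http://defence-forum.test/thread/42 -
"""
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")


def _is_legit_host(host):
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_UPDATE_HOSTS)


def find_fake_update_downloads(log_text):
    """First-stage check: flag executable downloads that pose as a Shockwave
    Player update but are served from outside the legitimate update domains,
    and note whether the referer was a known watering hole."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, referer = m.groups()
        u = urlparse(url)
        path = u.path.lower()
        if not path.endswith((".exe", ".msi")) or "shockwave" not in path:
            continue
        if _is_legit_host(u.hostname):
            continue
        ref_host = urlparse(referer).hostname if referer != "-" else None
        hits.append({"time": int(ts), "client": client, "url": url,
                     "via_watering_hole": ref_host in WATERING_HOLES})
    return hits


def clients_in_sensitive_ranges(hits, ranges):
    """Second-stage view: which flagged clients sit in address ranges that an
    operator could map to an institution of interest (e.g. a ministry)."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return sorted({h["client"] for h in hits
                   if any(ipaddress.ip_address(h["client"]) in n for n in nets)})
```

A download flagged without a watering-hole referer (the 10.9.0.7 line) still merits a look, since referers are often stripped; the institutional-range view is what turns a list of hits into the handful of machines that warrant a wipbot-style triage of their own.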

"We think in a lot of cases where an individual or employee was infected that attack was very deliberate, very targeted," said Alan Neville, intelligence analyst at Symantec. "The most sophisticated part of this is how it is used." Snake operators nevertheless do not appear to be interested in one-off hits, Mr Neville adds. "They are interested in infecting and penetrating diplomatic systems deeply ... they are interested in all of them."

Symantec said it had informed the relevant cyber security authorities across Europe of its findings.