A cyber-espionage system named TURLA has infected thousands of government computers across Europe and the U.S. TURLA is suspected to be a Russian system and probably a recent mutation of Agent BTZ, an espionage worm that infected some U.S. systems as early as 2006.
As early as 2007, a virus named Careto or “Mask” was infecting government computers in 31 countries. Mask claims 380 institutional “victims,” with South America and Europe being heavily infested, and Russia not at all.
It appears TURLA was embedded in U.S. military computer networks since 2008 when a U.S. counteroffensive called Buckshot Yankee was mounted to eradicate or co-opt TURLA. The original pathway for military computer infections was small flash drives (thumb drives) popular with military users. TURLA has changed itself in many ways and it remains active today.
These adaptive, sophisticated malware systems change their structure, file-naming habits, frequency of uploading captured files, and routing of reports. This savvy design and patience for results suggest the owner is reclusive and has a long-term plan for these investments – unlike the perpetrators of the smash-and-grab tactics that followed the theft of customer identifications from Target stores.
While Russia is the likely instigator for TURLA, Agent BTZ, and perhaps Mask, there is no conclusive modus operandi or programming signature found in these malware systems. It is unclear whether the owner, author and operators are even based in the same country. It is plausible that cyber-factions from Russia, China, Korea, Iran or India could be accountable for some aspects of the systems, and the planting of subtle false-flag evidence would be expected, although none has yet been found. The countries with enough budget and sufficient interest to value the intelligence product from these malware systems would be Russia, China and Iran.
It’s impossible that the U.S. knows every piece of government information that TURLA, Agent BTZ or Mask has harvested from U.S. sources – so we do not know the full extent of our vulnerabilities. That leaves us a bit knowledgeable and a bit paranoid. Some viruses can cause damage to physical infrastructure, but TURLA does not seem to be designed for that.
The U.S. government operates espionage malware and surveillance of its own in domestic and foreign locations. Stuxnet was malware that caused Iranian uranium centrifuges to operate improperly, causing serious damage, something the U.S. and Israel each would value. It is unclear who actually built and placed it. Recently, the National Security Agency and RSA (a security products company) have been accused of collaborating to dumb down the encryption protections in some RSA products, allowing someone with a spare supercomputer (e.g., the NSA) to quickly discover client encryption keys.
Military secrets, high tech designs and commercial contracting plans are obvious targets for espionage malware, but so are intelligence estimates and foreign affairs plans. Since the government is aware of foreign espionage, we wonder what role cyber-vulnerabilities play in our handling of international tensions. Do our opponents release malware-sourced U.S. secrets to their client states (e.g. Syria, Iran, North Korea and Venezuela)? What revelations of our plans and thinking help opponents act brazenly – e.g. in the Crimea, or with the Iran-nuclear talks, or with Syrian chemical warfare, or trade pact negotiations?
When the U.S. is found to have violated foreign privacy through surveillance, we should keep in mind the pervasive, persistent foreign malware siphoning of our military, trade and diplomatic secrets. We are not in a contest to be crowned “most righteous” – but, in some instances, we’re in a scuffle to survive.
Alan Daley is a retired businessman who writes for The American Consumer Institute for Citizen Research.