An unidentified group is stealing data from ministries and embassies, military, research and education organisations
An ongoing cyber-espionage campaign which relies on the sophisticated Turla Trojan (also known as Snake, Uroboros and Carbon) appears to target the governments and embassies of the former Eastern Bloc countries and has all the markings of a state-sponsored effort, reports Symantec.
According to the US security vendor, this campaign has compromised at least 84 legitimate websites to facilitate watering hole attacks since September 2012. Kaspersky Labs has dubbed the first stage of the infection mechanism ‘Epic’, adding that the campaign had hit its peak in the first two months of 2014.
The identity of the attackers or the location of their base of operations is yet to be established, although code artefacts suggest they communicate in Russian.
The infection starts with spear phishing and watering-hole attacks, when hackers hijack one of the pages on a legitimate site and alter it to serve malicious code.
Symantec says that some of the spear phishing emails pretend to originate from a military attaché at a Middle Eastern embassy. Meanwhile, the watering-hole exploits are configured to only infect visitors from certain IP ranges, allowing more or less accurate geographical targeting.
The attackers are using these mechanisms to deliver Trojan.Wipbot (a.k.a. Tavdig, WorldCupSec and TadjMakhal) for further reconnaissance purposes, in order to decide whether a certain IP address is “interesting” – a definition discovered by Kaspersky when analysing the Command & Control infrastructure.
If the IP fits the defined criteria, Wipbot leaves Trojan.Turla on the system. Turla then sets up a hidden file container to store configuration, tools and stolen information. It enables the attacker to copy files from the infected computer, connect to servers, delete files, and load and execute other forms of malware.
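An added example, not code from the Symantec or Kaspersky reports, showing how an incident responder can replay the IP-range gate described above against a compromised site's access logs to list which visitors would have been served the watering-hole payload. The CIDR ranges and log lines are constructed for illustration and are not indicators from the campaign.

```python
import ipaddress
import re
from typing import Iterable

# Constructed sample: CIDR ranges assumed to have been recovered from the
# injected watering-hole script (hypothetical values, not from the report).
TARGET_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed sample access-log lines in Apache combined format.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Feb/2014:09:12:01 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2014:09:12:05 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Feb/2014:09:13:40 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.200 - - [10/Feb/2014:09:14:02 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def in_target_ranges(ip: str, ranges=TARGET_RANGES) -> bool:
    """True if the visitor address falls inside any range the injected script gates on."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address can never match a gate
    return any(addr in net for net in ranges)


def visitors_in_scope(log_lines: Iterable[str], page: str, ranges=TARGET_RANGES):
    """Return (ip, timestamp) for requests to the compromised page from gated ranges."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the triage
        method_path = m.group("req").split()
        if len(method_path) < 2 or method_path[1] != page:
            continue
        if in_target_ranges(m.group("ip"), ranges):
            hits.append((m.group("ip"), m.group("ts")))
    return hits
```

Visitors outside the ranges received the unmodified page, so only the returned addresses need follow-up for Wipbot and Turla artefacts.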
Analysis conducted by Symantec has found several technical connections between Wipbot and Turla which indicate that the same group or larger organisation wrote both pieces of code. Symantec calls the campaign the work of a “well-resourced and technically competent attack group” that likely carries out this operation on behalf of a nation state.
State sponsored attack?
At first, researchers thought the actors behind the Turla campaign were interested in a variety of European government organisations, but a closer look revealed that most of the infected machines in Western Europe were at some point connected to government networks of the former countries of the Eastern Bloc.
Traces of infection were found on machines that belong to ministries and embassies, military, research and education organisations, going as far as the top leadership. Confirmed cases include embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany. At least five other countries in the region were targeted by similar attacks.
Kaspersky Labs suggests that the hackers responsible for this campaign are not native English speakers, since they commonly misspell words and expressions, producing jewels like “File is not exist”. It adds that some of the backdoors have been compiled on a system with Russian language and one of them is called “Zagruzchik.dll”, which means “bootloader” in Russian.
There appear to be several links between Turla and Miniduke, which is also used in attacks against government organisations, but investigation into this connection is still ongoing.