Cyber-Espionage Campaign Targets Former Communist Governments

An ongoing cyber-espionage campaign which relies on the sophisticated Turla Trojan (also known as Snake, Uroboros and Carbon) appears to target the governments and embassies of the former Eastern Bloc countries and has all the markings of a state-sponsored effort, reports Symantec.

According to the US security vendor, this campaign has compromised at least 84 legitimate websites to facilitate watering hole attacks since September 2012. Kaspersky Labs has dubbed the first stage of the infection mechanism ‘Epic’, adding that the campaign had hit its peak in the first two months of 2014.

The identity of the attackers or the location of their base of operations is yet to be established, although code artefacts suggest they communicate in Russian.

“Interesting” addresses

The infection starts with spear phishing and watering-hole attacks, when hackers hijack one of the pages on a legitimate site and alter it to serve malicious code.

Symantec says that some of the spear phishing emails pretend to originate from a military attaché at a Middle Eastern embassy. Meanwhile, the watering-hole exploits are configured to only infect visitors from certain IP ranges, allowing more or less accurate geographical targeting.

The attackers are using these mechanisms to deliver Trojan.Wipbot (a.k.a. Tavdig, WorldCupSec and TadjMakhal) for further reconnaissance purposes, in order to decide whether a certain IP address is “interesting” – a definition discovered by Kaspersky when analysing the Command & Control infrastructure.

If the IP fits the defined criteria, Wipbot leaves Trojan.Turla on the system. Turla then sets up a hidden file container to store configuration, tools and stolen information. It enables the attacker to copy files from the infected computer, connect to servers, delete files, and load and execute other forms of malware.

Analysis conducted by Symantec has found several technical connections between Wipbot and Turla which indicate that the same group or larger organisation wrote both pieces of code. Symantec calls the campaign the work of a “well-resourced and technically competent attack group” that likely carries out this operation on behalf of a nation state.

State sponsored attack?

At first, researchers thought the actors behind the Turla campaign were interested in a variety of European government organisations, but a closer look revealed that most of the infected machines in Western Europe were at some point connected to government networks of the former Eastern Bloc countries.

Traces of infection were found on machines that belong to ministries and embassies, military, research and education organisations, going as far as the top leadership. Confirmed cases include embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany. At least five other countries in the region were targeted by similar attacks.

Kaspersky Labs suggests that the hackers responsible for this campaign are not native English speakers, since they commonly misspell words and expressions, producing jewels like “File is not exist”. It adds that some of the backdoors were compiled on a Russian-language system, and that one of them is called “Zagruzchik.dll”, which means “bootloader” in Russian.

There appear to be several links between Turla and Miniduke, which is also used in attacks against government organisations, but investigation into this connection is still ongoing.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
