Espionage programs linked to spying on former Soviet targets
A one-two combination of malware programs has infiltrated the embassies and government systems of a number of former Eastern Bloc nations as well as European targets, according to a technical analysis by security researchers.
Using exploits and malicious downloads delivered through phishing attacks or on compromised websites, attackers first infect a system with a program known as Wipbot, according to an analysis posted by security firm Symantec on Friday. The program conducts initial reconnaissance, collecting system information and compromising further only those systems whose Internet address matches one the attackers are looking for. After the target is verified, a second program—alternatively known as Turla, Uroburos, and Snake—is downloaded to further compromise the system, steal data, and exfiltrate information camouflaged as browser requests.
The one-two combination has all the hallmarks of a nation-state intelligence gathering operation targeting the embassies of former Eastern Bloc countries in Europe, China, and Jordan, according to Symantec.
“Wipbot is used as a recon tool at some stage, and if the victim is believed to be of high interest, then Turla is delivered at that point,” said Vikram Thakur, senior security researcher with Symantec. “We see a few technical similarities between the two that makes us believe that they are both developed by people either in the same building or are part of the same organization.”
The malware known as Turla is not new: it has been part of a series of espionage campaigns conducted for at least four years. In March, security firm G-Data and government contractor BAE Systems described one campaign using Turla, which they called Uroburos and Snake respectively. That campaign compromised US and European targets.
In the latest campaign, a handful of former Soviet states was targeted, but Symantec did not name the countries. In May 2012, for example, an attacker infiltrated more than 60 systems in the office of the prime minister of a former Soviet Union member country. A second attack targeted the embassy to France of another such nation, eventually infecting both that nation’s ministry of foreign affairs and its ministry of internal affairs.
Symantec did inform every victim’s computer emergency response team prior to publishing its analysis, the company said.
Turla has some attributes that have led other security researchers to link it to another piece of malware, Agent.BTZ. Agent.BTZ spread through USB memory sticks and widely infected the US Department of Defense.
Symantec’s Thakur did not extend the link beyond Wipbot and Turla themselves. While the security firm did not connect the attacks to any particular nation-state, it did point out that most of the program’s components were compiled in the UTC+4 time zone. Both Moscow and St. Petersburg are in that time zone.
The problem with any attempt at attribution is that sophisticated nation-state adversaries can easily create a development environment that produces code appearing to come from a second country, Thakur said. Yet only a nation-state would likely have the funds and wherewithal to conduct an operation as complex as the Wipbot-Turla combination, he said.
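The working-hours analysis behind a finding like "compiled in UTC+4", as an added Python example (not Symantec's or the other researchers' tooling): it reads the COFF compile timestamp out of each PE header, then scores every whole-hour UTC offset by how many compile times land inside a nine-to-six local working day. The PE images are constructed stubs with chosen timestamps, not samples from the campaign.

```python
"""Infer a developer's likely UTC offset from PE compile timestamps (added example)."""
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image (seconds since the Unix epoch, UTC)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def utc_offset_scores(timestamps, work_start=9, work_end=18):
    """For every whole-hour UTC offset, count compile times that fall in local working hours."""
    scores = {}
    for offset in range(-12, 15):
        tz = timezone(timedelta(hours=offset))
        hours = [datetime.fromtimestamp(ts, tz).hour for ts in timestamps]
        scores[offset] = sum(work_start <= h < work_end for h in hours)
    return scores


def likely_utc_offset(timestamps):
    """Offset with the most working-hour compiles, or None when several offsets tie."""
    scores = utc_offset_scores(timestamps)
    best = max(scores.values())
    winners = [off for off, s in scores.items() if s == best]
    return winners[0] if len(winners) == 1 else None


def stub_pe(timestamp: int) -> bytes:
    """Constructed sample: a minimal MZ/PE header carrying only the fields parsed above."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHI", 0x14C, 1, timestamp)  # i386, one section, compile time
    return dos + b"PE\0\0" + coff + b"\0" * 12  # rest of the 20-byte COFF header, zeroed


# Constructed sample set: builds at 09:30..17:30 local time in UTC+4 on two days.
_SAMPLE_TZ = timezone(timedelta(hours=4))
SAMPLE_IMAGES = [
    stub_pe(int(datetime(2014, 8, day, hour, 30, tzinfo=_SAMPLE_TZ).timestamp()))
    for day in (4, 5) for hour in range(9, 18)
]

if __name__ == "__main__":
    stamps = [pe_compile_timestamp(img) for img in SAMPLE_IMAGES]
    print("most plausible developer offset:", likely_utc_offset(stamps))
```

A unique winner is only a weak signal: as the article notes, the build environment sets these timestamps and can be made to say anything.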
“They are going after explicit government networks that are not easy to find,” Thakur said. “There were some IP networks that we had to deeply research, because we had no idea what they were.”