State-Sponsored Hackers from the East Attack Former Soviet Countries

Security experts have uncovered a major four-year cyber espionage operation thought to have been launched by state-sponsored operatives against multiple former Soviet Union member countries.

The group’s modus operandi appears to fit that of many similar APT-style targeted attacks.

First, they infect a victim’s PC with the Wipbot backdoor, either via a spearphishing email carrying a malicious attachment or via a watering-hole attack, and then download the Turla Trojan onto machines of interest to facilitate long-term covert spying.

“Configured to start every time a computer starts, once the user opens a web browser [Turla] opens a back door that enables communication with the attackers,” wrote Symantec in a blog post.

“Through this back door, the attackers can copy files from the infected computer, connect to servers, delete files, and load and execute other forms of malware, among other capabilities.”

Turla also injects code into web browsers to disguise its presence by hiding C&C traffic in web requests, the firm said.

At least 84 legitimate websites have been compromised by the group’s watering hole attacks since 2012, with web pages of governments and international agencies among those targeted.

The multi-stage attack typically begins with an intelligence-gathering phase, in which the compromised site collects information on its visitors so that the attackers can decide who is worth targeting, according to Symantec.

“The next phase of the operation was highly targeted, with servers then configured to drop Wipbot only to IP addresses associated with intended targets. In one instance, the malware delivered was disguised as a Shockwave installer bundle,” the firm added.

“Wipbot was then used to gather further information about the infected computer. If the attackers deemed the victim of interest, it appears likely that a second back door (Trojan.Turla) with far greater capabilities was downloaded on to the victim’s computer.”
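The selective-delivery step described above leaves a trace on the compromised site itself: the same static resource is served with a different body size to the handful of visitors the attackers chose to target. The following triage script, added here as an illustration and not code from Symantec or the Turla operators, parses web-server access logs in the common "combined" format and flags paths that returned 200 OK with more than one distinct response size to different clients, then reports the minority (outlier) clients. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed access-log sample in Apache/nginx "combined" format (not real data).
# Three visitors fetch the same two resources. The site hands a larger
# /js/analytics.js only to 198.51.100.7, the visitor the attackers chose to target.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2014:09:14:02 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.10 - - [12/Aug/2014:09:14:05 +0000] "GET /js/analytics.js HTTP/1.1" 200 1811 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [12/Aug/2014:09:15:41 +0000] "GET /news/index.html?ref=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [12/Aug/2014:09:15:44 +0000] "GET /js/analytics.js HTTP/1.1" 200 9377 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.55 - - [12/Aug/2014:10:02:13 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.55 - - [12/Aug/2014:10:02:15 +0000] "GET /js/analytics.js HTTP/1.1" 200 1811 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.55 - - [12/Aug/2014:10:40:01 +0000] "GET /js/analytics.js HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh)"
this line is not a valid log record and is skipped
"""

# One "combined" log record: client, timestamp, request line, status, body size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        # strip the query string so the same resource groups together
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
        "size": None if size == "-" else int(size),  # 304 etc. carry no body
    }


def find_selective_delivery(log_text, static_suffixes=(".js", ".html", ".htm", ".swf")):
    """Return {path: {size: [client IPs]}} for static-looking paths that were
    served with 200 OK in more than one distinct body size to different clients."""
    sizes_by_path = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["size"] is None:
            continue
        if not rec["path"].lower().endswith(static_suffixes):
            continue
        sizes_by_path[rec["path"]][rec["size"]].add(rec["ip"])
    return {
        path: {size: sorted(ips) for size, ips in by_size.items()}
        for path, by_size in sizes_by_path.items()
        if len(by_size) > 1
    }


def targeted_clients(suspicious):
    """For each flagged path, return the clients that got the response size served
    to the fewest distinct clients; that is where a targeted payload would sit."""
    out = {}
    for path, by_size in suspicious.items():
        outlier_size = min(by_size, key=lambda s: len(by_size[s]))
        out[path] = by_size[outlier_size]
    return out


if __name__ == "__main__":
    flagged = find_selective_delivery(SAMPLE_LOG)
    for path, by_size in flagged.items():
        print(path, by_size)
    print("outlier clients:", targeted_clients(flagged))
```

This is a triage heuristic, not a verdict: response sizes also vary legitimately with content negotiation (compression, language), and a CDN or reverse proxy may hide the origin's logs entirely, so flagged paths and clients should be corroborated by comparing the actual content served to those clients. Note also that an operator who serves the payload only once per target IP leaves exactly one outlier record, so the threshold here is deliberately "any second size", not a frequency cut-off.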

Former Eastern Bloc countries appear to have been the major target, with their embassies in France, Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany all struck.

The prime minister’s office of a former Soviet Union country, as well as the health ministry of a Western European country, and the ministry for education of a Central American country were also hit.

Symantec made no further attempt at attribution, although the firm did reveal that most malicious activity occurs during the working day in the GMT+4 time zone, which at the time of the report is the zone Moscow uses.

Chris McIntosh, CEO of communications firm ViaSat, argued that security bosses should always assume the worst will happen and prepare for that.

“There is a limit to how much you can control people’s behavior – however, limiting access to websites that aren’t necessary to do business, or that can’t be trusted, should be a natural first step,” he told Infosecurity.

“Similarly, ensuring that software updates can only be carried out by administrators, rather than on a whim, should be a priority. This may not close down every possible avenue of attack, but it will at least limit the options of any hostile force.”
