A cyber-attack targeted at the Swiss defense contractor RUAG used malware from the Turla family, which had no rootkit functionality, but relied on obfuscation to stay undetected.
In a technical analysis by the Reporting and Analysis Center for Information Assurance MELANI and the Swiss CERT, it found that the attackers showed great patience during the infiltration and lateral movement of the attack. RUAG had been affected by this threat since at least September 2014.
The Bern-based company was originally infected in September 2014 according to IoCs in logs, and waited until December 2015 when no in-depth search was possible because a proxy did not log internal client IP addresses.
“After they got into the network, they moved laterally by infecting other devices and by gaining higher privileges,” the summary said. “One of their main targets was the active directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships. The malware sent HTTP requests to transfer the data to the outside, where several layers of Command-and-Control (C&C) servers were located.”
Once the attackers were inside, they used named pipes for the internal communication between infected devices and constructed a hierarchical peer-to-peer network: some of these devices took the role of a communication drone, while others acted as worker drones. The worker ones never actually contacted any C&C servers, but instead received their tasks via named pipes from a communication drone, and also returned stolen data this way.
Ruag is a defense contractor and provider of aerospace and terrestrial military equipment, and supplies munitions to the Swiss military. The final attack was conducted using the same tactics as against the annual World Economic Forum (WEF) in Davos, Switzerland in January.
The report deemed that the attack was part of a long running campaign of the threat actor using and running Epic/Turla/Tavdig that has infiltrated many governmental organizations and commercial companies in the private sector in the past decade.
The report concluded: “Even if we think completely preventing such attacks is very difficult, the goal must be to make them as difficult as possible. There is a good chance to make the entry point difficult to find, when protecting the clients adequately using tools like Applocker or virtualized browsers. Even if this does not completely eliminate this kind of threat, the bar is raised for the attacker.”
MELANI and the Swiss CERT said that it is sharing information gathered with its partners and this instance was detected based upon mutual sharing of information. “We’re happy to work together with many partner organizations throughout Europe and are grateful for their efforts and the good international cooperation,” it said.
“Putting all elements together over a long time gives the momentum of action back to the CERTs and CSIRTs, struggling to keep their networks clean and their data safe. The fact that attackers abuse vulnerable systems for their purpose - no matter if this is for criminal activities or espionage - shows the importance and responsibility of every party providing services on the internet. There is no such thing as an insignificant system on the internet, every server may be abused for attacking others. This puts great responsibility on everyone, and we hope that this report contributes to increasing the security level within every network and server.”
Gadi Evron, CEO and founder of Cymmetria, who also chairs the Israeli CERT, told Infosecurity that he believed in information sharing generally, and coordination. “I’ve been involved in the CERT community for many years, and the thing about information sharing and response is we are doing as much as we can,” he said.
“That said, people are talking about information sharing and coordination, and it is good for the industry as we are doing as much as we can so I am always for coordination and information sharing and doing what we can together, but we are doing as much as we can considering the legal standpoint of things compared to how many companies are willing to share with each other.”