Kaspersky Lab Reveals a Look Inside Cyber-Espionage
By Dan Heilman / NewsFactor Network
Published: August 7, 2014

Where do cyberattacks come from, and what is their methodology? New research from Kaspersky Lab sheds light on those common questions, using a cyber-espionage operation as an example. Researchers at Kaspersky say they've kept tabs on an operation that was able to find its way into two spy agencies and hundreds of government and military targets in Europe and the Middle East over the past eight months.

The espionage operation, Epic Turla, is one of the most sophisticated ongoing cyber-espionage campaigns. The "Epic" project portion of Turla has been used since at least 2012, when it was first discovered, with the highest volume of activity observed in January-February 2014, according to Kaspersky.

Kaspersky Lab, based in Moscow, issued a report Thursday on Epic Turla at the Black Hat security conference in Las Vegas. Symantec Corp., the biggest U.S. security software maker, also planned to issue a report on Epic Turla at the conference.

Spyware Building Blocks

According to the cybersecurity researchers, the malware components of Turla are used in stages, and break down this way:

  • Epic Turla/Tavdig: An early-stage infection mechanism.
  • Cobra Carbon system/Pfinet (plus others): Intermediary upgrades and communication plug-ins, used to determine whether the target computer has information worth gathering.
  • Snake/Uroburos: High-grade malware platform that includes a rootkit and virtual file systems.

Most of Epic's targets are embassies, military, research and education organizations, pharmaceutical companies, and government entities. The latter category includes intelligence agencies along with ministries of interior, trade and commerce, and foreign/external affairs.

A majority of Epic's victims are in the Middle East and Europe. But Kaspersky also observed victims in other regions, including the United States. Kaspersky's experts counted hundreds of victim IP addresses in more than 45 countries, with France having the greatest number.

Breaches Discovered 'Almost Every Day'

We reached out to Kurt Baumgartner, principal security researcher at Kaspersky Lab, and asked him how well prepared U.S. organizations and agencies are for Epic Turla, considering that most of the attacks have been in other countries.

"It depends on the organization," Baumgartner told us. "We see stories almost every day about one breach or another. Some know very well not only what resources are on their network, but patch them well by monitoring traffic closely, etc."

How do the people behind Epic Turla go about their attacks? Mostly via zero-day exploits, social engineering (such as e-mail phishing) and "watering hole" attacks, in which a popular Web site is compromised by inserting an exploit that infects the site's visitors with malware.

"While Epic activity has included zero-day (attacks), the water-holing attacks include non-zero day exploits as well," Baumgartner said.

Kaspersky counted at least two examples of zero-day exploits. One enabled escalation of privileges in Windows XP and Windows Server 2003, allowing the Epic backdoor to gain administrator privileges on the infected systems. The other was an Adobe Reader exploit, commonly delivered through malicious e-mail attachments.

Are We Prepared?

The attackers behind Turla don't seem to be native English speakers, routinely misspelling English words and misusing expressions in their code. Another hint about the origins of the attack is that the internal name of one of the Epic backdoors is "Zagruzchik.dll," which means "bootloader" or "load program" in Russian.

Kaspersky and other researchers have concluded that the hackers are probably backed by a nation state. This conclusion is based on the techniques and tools they used, which appear similar to those used in two other high-profile cyber-espionage operations linked to the Russian government.

Are the best-selling consumer-level security software makers staying ahead of Turla, or at least working to do so?

"Sure," Baumgartner said, "but (attacks) like Epic can increase their game to zero-day to attack and evade defenses, making them especially dangerous and effective."

Tell Us What You Think

Prof. Engr. Muhammad Naee:
Posted: 2014-12-01 @ 8:50pm PT
We should always avoid using free distributing sites. Normally these sites have such exploits.

Every agency is engaged in hiring hackers to develop such tools. Regarding the misspellings and appearing to be a non-English developer, it's again done intentionally so that people can be misled and blame others.

Being security people, we should concentrate on finding such malware and mitigating it.

© Copyright 2014 NewsFactor Network, Inc. All rights reserved.