Where do cyberattacks come from, and what is their methodology? New research from Kaspersky Lab sheds light on those common questions, using a cyber-espionage operation as an example. Researchers at Kaspersky say they've kept tabs on an operation that was able to find its way into two spy agencies and hundreds of government and military targets in Europe and the Middle East over the past eight months.
The espionage operation, Epic Turla, is one of the most sophisticated ongoing cyber-espionage campaigns. The "Epic" project portion of Turla has been used since at least 2012, when it was first discovered, with the highest volume of activity observed in January-February 2014, according to Kaspersky.
Kaspersky Lab, based in Moscow, issued a report Thursday on Epic Turla at the Black Hat conference in Las Vegas. Symantec Corp., the biggest U.S. security software maker, also planned to issue a report on Epic Turla at the conference.
Spyware Building Blocks
According to the cybersecurity researchers, the malware components of Turla are used in stages, and break down this way:
- Epic Turla/Tavdig: An early-stage infection mechanism.
- Cobra Carbon system/Pfinet (plus others): Intermediary upgrades and communication plug-ins, used to determine whether the target computer has information worth gathering.
- Snake/Uroburos: High-grade malware platform that includes a rootkit and virtual file systems.
Most of Epic's targets are embassies, military, research and education organizations, pharmaceutical companies, and government entities. The latter category includes intelligence agencies along with ministries of interior, trade and commerce, and foreign/external affairs.
A majority of Epic's victims are in the Middle East and Europe. But Kaspersky also observed victims in other regions, including the United States. Kaspersky's experts counted hundreds of victim IP addresses in more than 45 countries, with France having the greatest number.
Breaches Discovered 'Almost Every Day'
We reached out to Kurt Baumgartner, principal security researcher at Kaspersky Lab, and asked him how well prepared for Epic Turla are U.S. organizations and agencies, considering that most of the attacks have been in other countries.
"It depends on the organization," Baumgartner told us. "We see stories almost every day about one or another. Some know very well not only what resources are on their network, but patch them well by monitoring closely, etc."
How do the people behind Epic Turla go about their attacks? Mostly via zero-day exploits, social engineering (such as e-mail phishing) and "watering hole" techniques, an that compromises a popular Web site by inserting an exploit that results in malware infection to site visitors.
"While Epic activity has included zero-day (attacks), the water-holing attacks include non-zero day exploits as well," Baumgartner said.
Kaspersky counted at least two examples of zero-day exploits. One enabled escalation of privileges in Windows XP and Windows Server 2003, allowing the Epic backdoor to achieve administrator privileges on the infected systems. The other was an exploit in Adobe Reader that's commonly used in malicious e-mail attachments.
Are We Prepared?
The attackers behind Turla don't seem to be native English speakers, routinely misspelling English words and misusing expressions in their code. Another hint about the origins of the attack is that the internal name of one of the Epic backdoors is "Zagruzchik.dll," which means "bootloader" or "load program" in Russian.
Kaspersky and other researchers have concluded that the hackers are probably backed by a nation state. This is based on the likelihood that the techniques and tools they used were similar to the ones used in two other high-profile cyber espionage operations linked to the Russian government.
Are the best-selling consumer-level security software makers staying ahead of Turla, or at least working to?
"Sure," Baumgartner said, "but (attacks) like Epic can increase their game to zero-day to attack and evade defenses, making them especially dangerous and effective."
Prof. Engr. Muhammad Naee:
Posted: 2014-12-01 @ 8:50pm PT
We should always avoid using free distributing sites. Normally these sites have such exploits.
Every agency is engaged in hiring hackers to develop such tools. Regarding misspelling and appearing to be a non english developer, it's again done intentionally so that people can mislead and blame others.
Being security people, we should concentrate on finding such malware and mitigate it.