Where do cyberattacks come from, and what is their methodology? New research from Kaspersky Lab sheds light on those common questions, using a cyber-espionage operation as an example. Researchers at Kaspersky say they've kept tabs on an operation that was able to find its way into two spy agencies and hundreds of government and military targets in Europe and the Middle East over the past eight months.
The espionage operation, Epic Turla, is one of the most sophisticated ongoing cyber-espionage campaigns. The "Epic" project portion of Turla has been used since at least 2012, when it was first discovered, with the highest volume of activity observed in January-February 2014, according to Kaspersky.
Kaspersky Lab, based in Moscow, issued a report Thursday on Epic Turla at the Black Hat security conference in Las Vegas. Symantec Corp., the biggest U.S. security software maker, also planned to issue a report on Epic Turla at the conference.
Spyware Building Blocks
According to the cybersecurity researchers, the malware components of Turla are used in stages, and break down this way:
- Epic Turla/Tavdig: An early-stage infection mechanism.
- Cobra Carbon system/Pfinet (plus others): Intermediary upgrades and communication plug-ins, used to determine whether the target computer has information worth gathering.
- Snake/Uroburos: High-grade malware platform that includes a rootkit and virtual file systems.
Most of Epic's targets are embassies, military, research and education organizations, pharmaceutical companies, and government entities. The latter category includes intelligence agencies along with ministries of interior, trade and commerce, and foreign/external affairs.
A majority of Epic's victims are in the Middle East and Europe. But Kaspersky also observed victims in other regions, including the United States. Kaspersky's experts counted hundreds of victim IP addresses in more than 45 countries, with France having the greatest number.
Breaches Discovered 'Almost Every Day'
We reached out to Kurt Baumgartner, principal security researcher at Kaspersky Lab, and asked him how well prepared U.S. organizations and agencies are for Epic Turla, considering that most of the attacks have been in other countries.
"It depends on the organization," Baumgartner told us. "We see stories almost every day about one breach or another. Some know very well not only what resources are on their network, but patch them well by monitoring traffic closely, etc."
How do the people behind Epic Turla go about their attacks? Mostly via zero-day exploits, social engineering (such as e-mail phishing) and "watering hole" techniques, in which the attackers compromise a popular Web site by inserting an exploit that infects the site's visitors with malware.