Attacks on government systems in Eastern Europe, Middle East and Central Asia linked to Russian state

Flaws in Windows Server 2003 and Adobe Acrobat Reader opened doors to "Epic Turla" cyber-attackers

More than 40 governments have been attacked in a cyber-campaign believed to be linked to the Russian state, according to security software vendors Kaspersky and Symantec.

The attack was directed at a government ministry in Western Europe, a US medical organisation and some 45 other governmental targets across Eastern Europe and the Middle East.

It follows an investigation of the advanced malware known variously as Epic Turla, Snake or Uroburos, which was first uncovered earlier this year by Germany's G-Data and the security arm of BAE Systems, Applied Intelligence.

When it was first uncovered in March, both G-Data and BAE noted the use of the Russian language in its code.

According to Kaspersky, the attack starts at a low level, but can be ratcheted up as the attackers feel more confident.

"Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more complex backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to "rescue" each other if communications are lost with one of the backdoors," claims Kaspersky in a blog posting.

"Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms. In other words, Epic Turla comes to stay. The attacks are known to have used at least two zero-day exploits:

France, the US and Iran are, according to Kaspersky, the most widely affected countries, with Russia fourth - the UK does not make the top 20 - although other countries across Europe, the Middle East and Central Asia feature prominently.

Symantec, likewise, has posted information about the attacks and how they were carried out.

"The group behind Turla has a two-pronged attack strategy that involves infecting victims through spear phishing emails and watering hole attacks.

"The watering hole attacks display competent compromise capabilities, with the attackers compromising a range of legitimate websites and only delivering malware to victims visiting from pre-selected IP address ranges. These compromised websites deliver a payload of Trojan.Wipbot. It is highly likely that Wipbot is then used as a downloader to deliver Turla to the victim," it claims.
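The selective delivery Symantec describes is what lets a compromised site look clean to everyone except the intended victims, including URL scanners and reputation services that fetch it from outside the target ranges. The following is an added example, not code from the article, Kaspersky or Symantec: it models the gate on the attacker side and shows two defender checks against it, a comparison of the page as fetched from several vantage points, and a scan of the compromised server's access log for a path whose response size depends on who requested it. All addresses (RFC 5737 documentation prefixes), paths and log lines are constructed for the illustration.

```python
"""IP-gated watering hole delivery, and two ways to spot it.

Added example (not the article's, Kaspersky's or Symantec's code). Every
address, path and log line below is constructed; the "target" ranges are
RFC 5737 documentation prefixes standing in for a ministry's egress IPs.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Attacker side: only visitors from these pre-selected ranges get the loader.
TARGET_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),   # hypothetical ministry egress
    ipaddress.ip_network("203.0.113.64/26"),   # hypothetical embassy egress
]

CLEAN_PAGE = "<html><body><h1>Press releases</h1></body></html>"
# The injected tag points at a hypothetical second-stage loader path.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="/static/jquery-ui.min.js"></script></body>')


def is_targeted(client_ip: str) -> bool:
    """True when the visitor's address falls inside a pre-selected range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TARGET_RANGES)


def serve(client_ip: str) -> str:
    """What the compromised site returns: the clean page to everyone else."""
    return INJECTED_PAGE if is_targeted(client_ip) else CLEAN_PAGE


def content_fingerprints(vantage_ips):
    """Defender check 1: fetch the same URL from several source addresses and
    hash the bodies.  Differing hashes for a static page mean the site is
    serving different content to different visitors."""
    return {ip: hashlib.sha256(serve(ip).encode()).hexdigest()[:12]
            for ip in vantage_ips}


# Defender check 2 runs on the compromised web server's own logs.
# Constructed Apache combined-format lines; /news.html is a static page.
ACCESS_LOG = """\
198.51.100.23 - - [10/Aug/2014:09:12:01 +0000] "GET /news.html HTTP/1.1" 200 5218 "-" "Mozilla/5.0"
93.184.216.34 - - [10/Aug/2014:09:12:07 +0000] "GET /news.html HTTP/1.1" 200 5160 "-" "Mozilla/5.0"
203.0.113.70 - - [10/Aug/2014:09:13:44 +0000] "GET /news.html HTTP/1.1" 200 5218 "-" "Mozilla/5.0"
93.184.216.34 - - [10/Aug/2014:09:14:02 +0000] "GET /about.html HTTP/1.1" 200 2011 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Aug/2014:09:14:09 +0000] "GET /about.html HTTP/1.1" 200 2011 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def paths_with_ip_dependent_size(log_text: str):
    """Return {path: {response_size: [client IPs]}} for every path whose
    successful GET responses came back in more than one size.  For static
    resources that is a strong hint of selective injection; for genuinely
    dynamic pages expect noise and filter by path first."""
    sizes = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status, size = m.groups()
        if method != "GET" or status != "200" or size == "-":
            continue
        sizes[path][int(size)].add(ip)
    return {path: {s: sorted(ips) for s, ips in by_size.items()}
            for path, by_size in sizes.items() if len(by_size) > 1}


if __name__ == "__main__":
    print(content_fingerprints(["198.51.100.23", "93.184.216.34"]))
    print(paths_with_ip_dependent_size(ACCESS_LOG))
```

Two caveats for anyone running the log check for real: if the site sits behind a proxy or CDN, the gate will key on X-Forwarded-For rather than the connecting address, so log that header too; and compressed responses vary in size for benign reasons, so compare like with like (same Accept-Encoding) before treating a size difference as evidence.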

Symantec believes the real targets were former Eastern Bloc countries, whose embassies account for many of the infections seen in Western Europe.

"While infections initially appeared to be spread over a range of European countries, closer analysis revealed that many infections in Western Europe occurred on computers that were connected to private government networks of former Eastern Bloc countries. These infections appear to have transpired in the embassies of these countries.

"The attackers were heavily focused on a small number of countries. For example, in May of 2012, the office of the prime minister of a former Soviet Union member country was infected. This infection spread rapidly and up to 60 computers at the prime minister's office were compromised.

"Another attack saw a computer at the embassy to France of a second former Soviet Union member infected in late 2012. During 2013, infections began to spread to other computers linked to the network of this country's ministry of foreign affairs.

"In addition, its ministry of internal affairs was also infected. Further investigation uncovered a systematic spying campaign targeted at its diplomatic service. Infections were discovered at embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany," claimed Symantec.