A highly targeted cyberespionage campaign involving Wipbot and Turla malware has systematically targeted the governments and embassies of a number of former Eastern Bloc countries in a classic espionage-type operation that has been going on for at least four years.
According to Symantec, Trojan.Wipbot (known to other vendors as Tavdig) is being used as a back door to facilitate reconnaissance before the attackers shift to long-term monitoring using the Trojan known as Turla (a.k.a. Uroboros, Snake and Carbon). Turla is configured to run every time the computer starts; once the user opens a web browser, it opens a back door that lets the attackers communicate with it, copy files from the infected computer, connect to servers, delete files, and load and execute other forms of malware, among other capabilities.
While infections initially appeared to be spread over a range of European countries, closer analysis by the researchers revealed that many infections in Western Europe occurred on embassy computers that were connected to private government networks of former Eastern Bloc countries.
The attacks systematically spread as well. For example, in May of 2012, the office of the prime minister of a former Soviet Union member country was infected. This infection spread rapidly and up to 60 computers at the prime minister’s office were compromised.
Symantec noted that another attack saw a computer at the embassy to France of a second former Soviet Union member infected in late 2012. During 2013, infections began to spread to other computers linked to the network of this country’s ministry of foreign affairs. In addition, its ministry of internal affairs was also infected. Further investigation uncovered a systematic spying campaign targeted at its diplomatic service. Infections were discovered at embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland and Germany.
While the attackers have largely focused on the former Eastern Bloc, they also hit the ministry for health of a Western European country, the ministry for education of a Central American country, a state electrical authority in the Middle East and a medical organization in the US, the firm said.
In terms of infection vector, the group behind Turla has a two-pronged attack strategy that involves infecting victims through spearphishing emails and watering hole attacks.
“The watering hole attacks display competent compromise capabilities, with the attackers compromising a range of legitimate websites and only delivering malware to victims visiting from pre-selected IP address ranges,” Symantec explained in an analysis. “These compromised websites deliver a payload of Trojan.Wipbot. It is highly likely that Wipbot is then used as a downloader to deliver Turla to the victim.”
Since September 2012, the group has compromised at least 84 legitimate websites to facilitate watering hole attacks. Websites owned by a number of different governments and international agencies were among those compromised by the attackers.
Analysis conducted by Symantec has found several technical connections between Wipbot and Turla, indicating that the same group or a larger organization wrote both pieces of code, and that group appears to carry out attacks during UTC+4 working hours. That time zone covers most of European Russia, including Moscow and St. Petersburg, as well as Georgia, Armenia and the United Arab Emirates.
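The working-hours observation above is the kind of conclusion an analyst reaches by shifting attacker activity timestamps through candidate UTC offsets and seeing which offset places most of them inside a normal working day. The following is an added example of that heuristic, not code from Symantec's analysis; the activity timestamps are constructed for illustration and the working-day window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of observed attacker activity (for example
# C2 check-ins or file timestamps). Illustrative only, not values from the report.
SAMPLE_ACTIVITY_UTC = [
    "2012-05-14 05:12:00", "2012-05-14 06:40:00", "2012-05-15 07:05:00",
    "2012-05-15 09:30:00", "2012-05-16 11:15:00", "2012-05-16 12:50:00",
    "2012-05-17 05:02:00", "2012-05-17 13:40:00", "2012-05-18 08:00:00",
    "2012-05-18 10:45:00",
]

# Assumed local working day: weekdays, 09:00 <= hour < 18:00.
WORK_START, WORK_END = 9, 18


def parse_utc(ts):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def working_hours_fraction(timestamps_utc, offset_hours):
    """Fraction of events that fall on a weekday within working hours
    when viewed in the time zone UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps_utc:
        local = parse_utc(ts).astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(timestamps_utc)


def rank_offsets(timestamps_utc, offsets=range(-12, 15)):
    """Return (fraction, offset) pairs, best-fitting offset first.
    Ties are broken toward the smaller absolute offset."""
    scored = [(working_hours_fraction(timestamps_utc, o), o) for o in offsets]
    return sorted(scored, key=lambda so: (-so[0], abs(so[1])))


def best_offset(timestamps_utc):
    """The UTC offset under which the most activity looks like office hours.
    This is a heuristic supporting attribution, not proof of location."""
    return rank_offsets(timestamps_utc)[0][1]


if __name__ == "__main__":
    for frac, off in rank_offsets(SAMPLE_ACTIVITY_UTC)[:5]:
        print(f"UTC{off:+d}: {frac:.0%} of events in working hours")
```

Adjacent offsets score nearly as well as the best one, which is why such evidence is stated as a time zone band rather than a single city.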