Kaspersky Lab Uncovers an Epic Espionage Attempt

New research by Kaspersky Lab tries to answer some interesting questions regarding cyber espionage. Conducted over the past eight months, this study tries to reveal the truth behind recent espionage attempts. During the research, two major spy agencies, along with innumerable military and government targets, were monitored through an operation.



Epic Turla has emerged as one of the most sought after campaigns in cyber espionage. It is a combination of two projects, of which ‘Epic’ has been in operation since 2012. It recorded the most activity in January-February 2014.

At the Black Hat security conference in Las Vegas, the Moscow-based Kaspersky Lab released a report on Epic Turla on Thursday. Another major company planning to issue a similar report is Symantec Corp.

Epic targets some of the most sought after entities, including military, pharmaceutical companies, embassies, and a number of other major government organizations, including critical ministries such as foreign, trade, and commerce.

Most of Epic's victims are in the Middle East and Europe. However, Kaspersky reported that it has victims in as many as 45 countries, with France having the most. The techniques used by the Epic Turla attackers are watering hole attacks, social engineering and zero-day exploits.

The past record shows that they have made use of a couple of zero-day exploits. One of them was directed at Adobe Reader, and was used in infected email attachments. As soon as the victim tries to open the malicious PDF file, the system gets infected and gives the hacker complete control of the system.

The other exploit was directed at Windows Server 2003 and Windows XP for Escalation of Privileges (EoP). This exploit provides unrestricted access and privileges to the system.

The techniques used by the hackers also include direct spear-phishing emails. Based upon the technique used to deceive the user, these attacks are classified into the following categories:

• Spear-phishing emails containing infected Adobe PDF files
• Tricking the user into running files with a ‘.scr’ extension, which are malware installers
• Making use of Adobe Flash, Java, or IE exploits for watering hole attacks
• Tricking the user into running an infected copy of Flash player that spreads the malware
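As a defensive illustration of the ‘.scr’ item in the list above, the following added example (not taken from the Kaspersky report or this article) shows how a mail gateway could triage attachments. The message, addresses and file names are constructed, and the check goes one step beyond the article by also flagging any attachment whose content starts with the Windows executable header "MZ" while carrying a harmless-looking name.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = {".scr"}  # the extension named in the article


def build_sample() -> bytes:
    """Constructed test message: one benign PDF and two executable stubs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "analyst@example.com"
    msg["Subject"] = "Conference agenda"
    msg.set_content("Agenda attached.")
    stub = b"MZ\x90\x00 constructed stub, not a real program"
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    msg.add_attachment(stub, maintype="application",
                       subtype="octet-stream", filename="agenda.pdf.scr")
    msg.add_attachment(stub, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


def triage(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment worth quarantining."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # Windows drops trailing dots and spaces, so "x.scr." still runs as .scr.
        cleaned = name.lower().rstrip(". ")
        # Only the final extension decides how Windows opens the file,
        # so "agenda.pdf.scr" is a screensaver executable, not a PDF.
        ext = os.path.splitext(cleaned)[1]
        if ext in RISKY_EXT:
            findings.append((name, "screensaver executable extension"))
        elif payload[:2] == b"MZ":
            findings.append((name, "executable header behind a document name"))
    return findings


if __name__ == "__main__":
    for filename, reason in triage(build_sample()):
        print(f"QUARANTINE {filename}: {reason}")
```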

Attackers customize the watering hole options based on the IP address of the target. A study of over 100 attacked websites highlights a significant pattern in the modus operandi of the attackers. For instance, a number of Spanish websites that were attacked were operated by the local government.

As soon as the system is infected, the Epic backdoor transmits critical system information to the Command-and-Control (C&C) server. Some of the codenames given to the backdoor are “TadjMakhal”, “Tadvig”, “WorldCupSec”, and “Wipbot”.

Upon receiving the information, attackers prepare a series of commands for the victim’s machine, and deliver them using pre-configured batch files. Apart from these, attackers also make use of a number of custom lateral movement tools, such as a RAR archiver, a DNS query tool, and a keylogger tool.

According to Kaspersky, Epic Turla’s command infrastructure comprises over 50 hacked servers. The infected machine communicates with the server through VPN connections and a proxy network. The hackers decide whether they wish to attack a machine based on the configurations of third-party applications. If processes such as windump, wireshark, ethereal, or tcpdump are running, the Epic backdoor terminates automatically.

If the victim seems to be a profitable entity, the Carbon or Pfinet backdoor is used, and the configuration file is updated with suitable commands along with the concerned control servers. The attacks also involve a keylogger that can extract useful information about the victim. Some document searches gave these results: NATO.msg, EU energy dialogue, and EU.msg.

According to Costin Raiu, Director of the Global Research & Analysis Team at Kaspersky Lab, Turla is a multistage attack. It begins with Epic Turla and, if the victim is found favorable, the victim’s machine is upgraded to the complete Turla Carbon system.

Who Is Behind It

There are certain hints highlighting that the attackers behind Turla could be of Russian origin. “Zagruzchik.dll,” which means bootloader or load program in Russian, is one of the Epic backdoors. Another reason that hints towards the presence of foreign attackers is that they keep using misspelled English words.

Another significant piece of evidence backing this claim is that a number of techniques used in these attacks are similar to the ones found in a couple of previous espionage attempts, which were later found to have links with the Russian Government. This also supports the theory that these attackers are supported by a nation state.