Turla APT Used WhiteBear Espionage Tools Against Defense Industry, Embassies

The Turla APT’s WhiteBear toolset was used to attack defense organizations as recently as June, and diplomatic targets in Europe, Asia and South America during most of 2016.

A toolset belonging to the Russian-speaking Turla APT has been publicly disclosed, and along with it details on its capabilities and indicators of compromise. The tools, called WhiteBear, were used to attack defense organizations as recently as June, and diplomatic targets in Europe, Asia and South America during most of 2016.

Researchers at Kaspersky Lab said today in a Securelist report that WhiteBear could be the second stage of another Turla operation known as Skipper Turla with separate malware development efforts behind each set of activity.

Turla is among the elite APT organizations in the world. It’s been active since the mid-1990s and it one of the oldest cyberepionage groups. At this year’s Security Analyst Summit, researcher Thomas Rid along with Kaspersky’s Juan Andres-Guerrero-Saade and Costin Raiu said there are likely links between Turla and the infamous Moonlight Maze espionage operations targeting U.S. government agencies, including the Pentagon and NASA.

The suspected link between Moonlight Maze and Turla is the use of an open source backdoor called LOKI2 found in code samples from both operators. If this is the definitive link between Moonlight Maze and Turla, it puts them among the elite nation-state attack groups in terms of capabilities and durability. Equation Group, considered by many to have strong ties the U.S. National Security Agency, is the only other known APT active in 1996.

“This places Turla in another league altogether,” Guerrero-Saade said at SAS.

Turla is known for its use of hijacked satellite connections for command and control infrastructure. In WhiteBear’s case, Kaspersky Lab said the WhiteBear command and control servers are consistent with Turla’s practice and use hijacked destination satellite IP hosts in South Sudan and Congo.

Researchers said activity around this toolset dropped off this summer, but Turla remains active running a number of subgroups and simultaneous campaigns.

“Infrastructure overlap with other Turla campaigns, code artifacts, and targeting are consistent with past Turla efforts,” Kaspersky Lab said in its report.

Researchers did find a couple of unique facets with WhiteBear, starting with the encryption implementation in its orchestrator.

“We note that the resource section is encrypted/decrypted and packed/decompressed with RSA+3DES+BZIP2,” the Kaspersky report said. “This implementation is unique and includes the format of the private key as stored in the resource section.”

The Sofacy and Duqu2 APTs, Russian- and English-speaking APTs respectively, also use triple-DES, but the private key format and RSA crypto combination is unique to WhiteBear, Kaspersky Lab said.

“The private key itself is stored as a raw binary blob, in a format similar to the one Microsoft code uses in PVK format. This format is not officially documented, but its structures and handling are coded into OpenSSL,” researchers wrote. “This private key value is stored in the orchestrator resources without valid headers. The orchestrator code prepends valid headers and passes the results to OpenSSL functions that parse the blob.”

WhiteBear samples are also signed with a legitimate code-signing certificate issued to a defunct British organization called Solid Loop Ltd. Researchers wrote that Solid Loop could be a front organization or that it no longer exists and the attackers adopted the identity to leverage trust in the name and obtain the certificate.

Suggested articles