Unraveling Turla APT Attack Against Swiss Defense Firm

Details of an extensive targeted attack against Swiss defense contractor RUAG were released by Switzerland’s national CERT.

Ever since hackers targeted Swiss defense contractor RUAG, government officials have been tight lipped about the breach. But on Monday Switzerland’s CERT (Computer Emergency Readiness Team) spilled the beans on the attack against the firm and the how perpetrators pulled it off.

While Monday’s report falls short when it comes to outlining the type of data stolen, it goes into rare detail on how it was taken. For example, central to the attack was malware from the Turla family and the use of a sophisticated mix of Trojans and rootkits. Additionally, security experts assert that RUAG computers were infected as early as 2014, according the report, making the attack slow and methodical.

It wasn’t until early May that the public even became aware of the attacks. That’s when Swiss defense minister Guy Parmelin went public about a breach against his government that took place in January during the World Economic Forum in Davos, Switzerland. Parmelin also revealed the attack included penetration of RUAG’s system where attackers breached the company’s servers stealing an undisclosed amount of data.

The attack was an act of espionage where attackers went to great lengths to go undetected using a slow and patient strategy to first breaking into the systems and then moving laterally infecting other devices.

Central to the attack was the use of Epic Turla, a highly sophisticated and ongoing cyberespionage campaign that targets government, militaries and embassies. This type of attack, outlined in detail by Kasperky Lab researchers, uses a mix of spear-phishing and PDF-based exploits, social engineering to entice email recipients to run a malware infected .SCR extension, or a watering hole type attack leveraging Java exploit or a fake Flash Player.

“The attackers showed great patience during the infiltration and lateral movement. They only attacked victims they were interested in by implementing various measures, such as a target IP list and extensive fingerprinting before and after the initial infection,” according to the report.

Once they gained access to RUAG’s network, attackers moved laterally by infecting other devices and by gaining higher privileges, according to the report. “One of their main targets was the (Microsoft) Active Directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships,” according to the report.

CERT reports that the malware sent HTTP requests to transfer data outside the network, where several command-and-control servers were located. These C&C servers, in turn, provided new tasks to the infected devices, according to the report.

In an effort to evade detection, once inside the infiltrated network, the attackers created a hierarchy of communication pipes for internal communication between infected devices. This peer-to-peer network of pipes required some devices to take on the role of a communication drone, while others acted as worker drones that never actually contacted any C&C servers.

For Kasperky researchers who have studied Epic Turla, the cyberespionage attack against RUAG adds new insight into the public activities of Turla. “By describing this group’s use of BeEF and Google Analytics activity, we are seeing a confirmation of our Epic Turla paper – as far Turla evaluating target systems and progressively deploying more advanced tools to those systems,” said Kurt Baumgartner, principal security researcher at Kaspersky Lab’s Global Research and Analysis Team.

Baumgartner is referring to the chain of infection used by the attackers where, before infecting a device, the attacker does extensive fingerprinting to ensure the target is well suited for its purposes. To accomplish this, the attackers created watering hole attacks that contained redirects to an infection site.

“The waterhole just contains a redirection to the actual infection site. This redirection can vary. We observed URL shorteners as well as JavaScripts disguised as Google Analytics scripts. The infection site tests whether the victim’s IP address is on a target list; if so, a fingerprinting script is returned,” according to the report.

The result of it is sent back to the same server, where it is manually checked. Next, the attacker decides, whether the device shall be infected, either by sending an exploit, or by using social engineering techniques.

“The next step is a more sophisticated fingerprinting script. The fingerprinting scripts gains as much information about the victim as possible by using JavaScript. It is taken from the BeEF framework (Browser Exploitation Framework).”

The sophisticated set unique tools stand in contrast to some of the tools used inside infected networks, Baumgartner said. Lateral movements by the attackers, while effective, are noticeably devoid of the technical intrusion panache used by attackers to infiltrate the network. For the lateral movement, the attackers use various public available tools such as Mimikatz, Pipelist, Psexec, Dsquery and ShareEnum.

The authors of the report said they intentionally did not speculate on who was behind the attacks explaining, “First, it is nearly impossible to find enough proof for such claims. Secondly, we think it is not that important, because – unfortunately – many actors use malware and network intrusions for reaching their intentions,” the report stated.

The report that was co-authored by Reporting and Analysis Center for Information Assurance MELANI.

Suggested articles