Swiss Defense Firm Hack Tied to 'Turla' Malware
Long-Running Espionage Malware Campaign Has Suspected Russian Government Ties
The Swiss government now says that online attackers used a variant of "Turla" malware to steal at least 23 GB of data from a state-owned defense firm since 2014.
The government had already confirmed on May 4 that technology firm RUAG, based in Bern, had been hacked. In addition to the defense sector, state-owned RUAG operates in aerospace, aviation and other sectors.
On May 23, the Swiss government released a 34-page technical report on the hack attack, "to give organizations the chance to check their networks for similar infections, and to show the modus operandi of the attacker group." The report, released via the Swiss public-private partnership called Melani, was prepared in conjunction with Switzerland's computer emergency response team, GovCERT.
The government says its intention isn't to assign blame over the long-running breach because "these attacks may happen to [any] organization regardless of their security level," but rather to help others spot and block similar attacks.
Several information security experts have praised the hack attack report, which includes "indicators of compromise" that can be used to identify signs of related attacks in other networks, as well as defenses that can be used to detect and block related attacks.
"[The] new RUAG report is a very big step on the part of the Swiss," Thomas Rid, a professor in security studies at King's College London, says via Twitter. "Kudos to @GovCERT_CH for raising the bar on governmental attribution reports."
Switzerland isn't the first country to attribute an attack to a specific type of malware, or a group known to have used that malware. In the U.S., for example, the FBI blamed "North Korea actors" for the hack and wiper malware attack against Sony Pictures Entertainment in 2014. But the Swiss report is notable because it lets published technical details do the talking, rather than relying on public officials to make allegations based on unreleased, classified information.
Attribution: Malware, Not Actors
The Melani report says investigators have purposefully not attempted to attribute the RUAG attacks to a specific group or nation "because - unfortunately - many actors use malware and network intrusions."
But the Turla malware, also known as Snake or Uroburos, has been previously tied to attacks launched by Russian-language speakers. Some security researchers believe that Turla has been used in numerous attacks that have alleged ties to Russian intelligence services. They say that related campaigns stretch back to 2007 or 2008 cyberattacks in the United States that used malware known as Agent.BTZ, which also appeared to have been written by Russian-speaking developers.
The Melani report also describes a variety of countermeasures - many of which are not cost-intensive - that can be used to spot related attacks. "Even if it is difficult to completely protect an organization against such actors, we are confident that they are detectable, as everyone makes mistakes," the report says. "The defending organization must be ready to see such traces, and to share this information with other parties, in order to follow such attackers closely."
Target: Active Directory
The Melani report, which is based on RUAG's security logs, says that attackers demonstrated "great patience during the infiltration and lateral movement," focused only on targets of interest and alternated periods of relative inactivity with "high-activity periods with many [data] requests and big amounts of exfiltrated data," occasionally stealing 1 GB in a day.
After attackers gained access to RUAG's network - Melani says the initial infection vector hasn't been discovered - they also focused on infecting other systems and gaining higher levels of access, aided by a Trojan reconnaissance tool called Tavdig, which is also known as Wipbot and Epic. "One of their main targets was the Active Directory, as this gave them the opportunity to control other devices and to access the interesting data by using the appropriate permissions and group memberships," the report says. Attackers also created peer-to-peer connections between infected devices, using Windows named pipes, to help relay instructions from command-and-control servers to infected endpoints, as well as move stolen information, in a difficult-to-detect manner.
Attackers used some infected endpoints - or bots - to obtain and relay information inside the network and other bots to exfiltrate the data, again to make the attack more difficult to spot. "Some [bots] took the role of a communication drone, while others acted as worker drones," the report says. "The latter ones never actually contacted any C&C servers, but instead received their tasks via named pipes from a communication drone, and also returned stolen data this way. Only communication drones ever contacted C&C servers directly."
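Because worker drones never contact a C&C server, proxy logs alone will miss them when scoping this kind of infection. The following added example (not from the Melani report or this article; the hostnames, domain, pipe names and record layouts are constructed assumptions) starts from hosts seen contacting a known C&C indicator and walks host-to-host named pipe session records to find the workers behind them.

```python
from collections import defaultdict, deque

# Constructed sample data. Proxy records: (client_host, domain, bytes_uploaded)
PROXY_LOG = [
    ("ws-014", "c2.example.invalid", 48_000_000),
    ("ws-014", "intranet.example.invalid", 12_000),
    ("ws-022", "news.example.invalid", 3_000),
    ("srv-ad1", "updates.example.invalid", 9_000),
]
# Constructed named pipe sessions between hosts: (client_host, server_host, pipe)
PIPE_SESSIONS = [
    ("ws-022", "ws-014", "pipe-a"),
    ("srv-ad1", "ws-022", "pipe-a"),
    ("ws-031", "ws-040", "pipe-b"),  # unrelated pair with no path to a C&C host
]
KNOWN_C2 = {"c2.example.invalid"}  # placeholder indicator, not a real IoC


def scope_infection(proxy_log, pipe_sessions, known_c2):
    """Return (communication_drones, worker_drones).

    communication_drones maps host -> bytes uploaded to known C&C domains.
    worker_drones maps host -> pipe hops to the nearest communication drone.
    """
    comm = {}
    for host, domain, uploaded in proxy_log:
        if domain in known_c2:
            comm[host] = comm.get(host, 0) + uploaded

    # Tasks flow one way over a pipe and stolen data the other, so treat
    # each session as an undirected edge between the two hosts.
    graph = defaultdict(set)
    for client, server, _pipe in pipe_sessions:
        graph[client].add(server)
        graph[server].add(client)

    # Breadth-first search outward from every communication drone.
    workers, seen = {}, set(comm)
    queue = deque((host, 0) for host in sorted(comm))
    while queue:
        host, hops = queue.popleft()
        for peer in sorted(graph[host]):
            if peer not in seen:
                seen.add(peer)
                workers[peer] = hops + 1
                queue.append((peer, hops + 1))
    return comm, workers


if __name__ == "__main__":
    print(scope_infection(PROXY_LOG, PIPE_SESSIONS, KNOWN_C2))
```

Hosts returned as workers are candidates for triage rather than confirmed infections, since legitimate Windows services also use named pipes between machines.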
The report says that based on a digital forensic investigation, related attacks date from at least September 2014. "Unfortunately, log files at RUAG only go back until September 2014, where we still see C&C activity," the report says. "Additionally, many suspicious devices have been re-installed in the meantime; hence, we cannot determine the initial attack vector." But one possibility, it adds, is that systems were initially infected by targeting websites frequented by RUAG employees via so-called watering-hole attacks.
"Highly significant: Swiss gov't publishes detailed APT report, links Ruag cyber attack to Turla, ancestor: Agent.BTZ" pic.twitter.com/y9pRzR2G2w — Thomas Rid (@RidT), May 23, 2016
Stolen Information: Value Remains Unclear
The Melani report says that although at least 23 GB was stolen, it's not clear how much of that information might have been of value, in part because investigators didn't discover the attack and begin monitoring attackers until January 2016. "The size of exfiltrated data gives no insight about the confidentiality and the value of the stolen data," the report says. "It is not possible to find out what data actually was stolen using proxy logs because no wiretap was in place before the attack was detected."
But RUAG did begin monitoring the attackers' activities closely after it discovered the attack campaign in January. It says that monitoring continued until May 3, when the related investigation was revealed via multiple press reports, thus tipping off the attackers. "This leakage heavily [damaged] the ongoing investigation, rendering the ongoing monitoring useless," the Melani report says.