Over the last 10 months, researchers from the Russian computer security firm Kaspersky Labs have analyzed a massive cyber-espionage operation called “Epic Turla”. The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, ranging from research and pharmaceutical companies to government institutions, embassies, the military and education. The operation is said to have successfully infiltrated two surveillance agencies, along with private and public organizations in Asia, the Middle East and Europe.
Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms. The attacks are still ongoing as of July 2014, actively targeting users in Europe and the Middle East.
According to reports, the campaign was likely backed by a state sponsor. Kaspersky, while noting that the techniques used in the campaign were similar to the modus operandi of spying operations linked to Russian intelligence, declined to speculate on the country’s possible involvement.
“We saw them stealing pretty much every document they could get their hands on,” Kaspersky Labs threat research team head Costin Raiu said. The hackers were said to have collected spreadsheets, documents and emails that contained terms such as “Budapest” and “EU energy dialogue.”
According to Kaspersky’s analysis, the unnamed hackers used four types of attacks for the campaign:
1. Spearphishing emails that contained PDF exploits.
2. Tricking users into running malware installers that have the “.scr” extension. These installers sometimes actually contain RAR files.
3. Watering hole attacks that are facilitated through Flash exploits, Java exploits and Internet Explorer 6, 7 and 8 exploits.
4. Watering hole attacks that trick people into using fake Flash Player installers.
The spear phishing attacks used attachment names such as “NATO position on Syria.scr” and “border_security_protocol.rar.” Watering holes, on the other hand, are compromised websites that have been altered to spread malware. Some of the websites that were infiltrated through watering hole attacks include those of the Palestinian Authority Ministry of Foreign Affairs and the city hall of Pinor, Spain. The researchers found more than 100 websites that have been compromised through the attacks. The country with the most injected websites is Romania, followed by France, the United States, Iran and Russia.
Kaspersky’s researchers said that the attacks were coordinated and targeted specific areas of interest. In Spain, the hackers targeted the websites of city governments. In Romania, on the other hand, the attacks were concentrated in the Mures region.
To protect themselves, organizations must rely on more than just AV since “the actor is known to use 0-day and a dynamic toolset,” Baumgartner said. He suggested that companies actively scan inbound and outbound network traffic “for traces of Epic activity,” keep systems updated, and segment resources “to make a significant impact in delaying this attacker.”