A cyberespionage campaign involving malware known as Wipbot and Turla has systematically targeted the governments and embassies of a number of former Eastern Bloc countries. Trojan.Wipbot (known by other vendors as Tavdig) is a back door used to facilitate reconnaissance operations before the attackers shift to long-term monitoring operations using Trojan.Turla (which is known by other vendors as Uroboros, Snake, and Carbon). It appears that this combination of malware has been used for classic espionage-type operations for at least four years. Because of the targets chosen and the advanced nature of the malware used, Symantec believes that a state-sponsored group was behind these attacks.
Turla provides the attacker with powerful spying capabilities. It is configured to run every time the computer starts, and once the user opens a Web browser it opens a back door that enables communication with the attackers. Through this back door, the attackers can copy files from the infected computer, connect to servers, delete files, and load and execute other forms of malware, among other capabilities.
The group behind Turla has a two-pronged attack strategy that involves infecting victims through spear phishing emails and watering hole attacks. The watering hole attacks display competent compromise capabilities, with the attackers compromising a range of legitimate websites and only delivering malware to victims visiting from pre-selected IP address ranges. These compromised websites deliver a payload of Trojan.Wipbot. It is highly likely that Wipbot is then used as a downloader to deliver Turla to the victim.
While infections initially appeared to be spread over a range of European countries, closer analysis revealed that many infections in Western Europe occurred on computers that were connected to private government networks of former Eastern Bloc countries. These infections appear to have transpired in the embassies of these countries.
Analysis of infections revealed that the attackers were heavily focused on a small number of countries. For example, in May of 2012, the office of the prime minister of a former Soviet Union member country was infected. This infection spread rapidly and up to 60 computers at the prime minister’s office were compromised.
Another attack saw a computer at the embassy to France of a second former Soviet Union member infected in late 2012. During 2013, infections began to spread to other computers linked to the network of this country’s ministry of foreign affairs. In addition, its ministry of internal affairs was also infected. Further investigation uncovered a systematic spying campaign targeted at its diplomatic service. Infections were discovered at embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany.
At least five other countries in the region were targeted by similar attacks. While the attackers have largely focused on the former Eastern Bloc, a number of other targets were also found. These included the ministry for health of a Western European country, the ministry for education of a Central American country, a state electrical authority in the Middle East, and a medical organization in the US.
Prior to publication, Symantec notified all relevant national authorities, such as Computer Emergency Response Centers (CERTs) that handle and respond to Internet security incidents.
The group behind Turla uses spear phishing emails and watering hole attacks to infect victims. Some of the spear phishing emails purported to come from a military attaché at a Middle Eastern embassy and had an attachment masquerading as the minutes of meetings. Opening the attachment resulted in Trojan.Wipbot being dropped on to the victim’s computer. It is believed that Wipbot may be the delivery mechanism for Turla as they share several similarities in code and structure.
Figure 1. Spear phishing emails and watering hole attacks are used to infect victims with Trojan.Wipbot, which can then be used to install Trojan.Turla
Since September 2012, the group has compromised at least 84 legitimate websites to facilitate watering hole attacks. Websites owned by a number of different governments and international agencies were among those compromised by the attackers.
Visitors to these sites were being redirected to Web servers where a ‘fingerprinting’ script was executed. This script collected some identifying information about the visitor’s computer. This phase of the campaign appeared to serve as an intelligence trawl, gathering information about what browsers and plugins website visitors were using, which would help identify which exploits would work best against them.
The next phase of the operation was highly targeted, with servers then configured to drop Wipbot only to IP addresses associated with intended targets. In one instance, the malware delivered was disguised as a Shockwave installer bundle. Wipbot was then used to gather further information about the infected computer. If the attackers deemed the victim of interest, it appears likely that a second back door (Trojan.Turla) with far greater capabilities was downloaded on to the victim’s computer.
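The redirect-then-deliver chain described above can be hunted for from the defender's side. The following script is an added example, not code from this post or from Symantec: it reconstructs per-client browsing sessions from constructed proxy log lines and flags a page visit that is followed, with that page as referrer, by a script from an off-site host and then an executable download from that same host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed proxy log lines (not from the original post). Fields: timestamp,
# client IP, method, URL, status, content type, referrer ("-" means none).
SAMPLE_LOG = """\
2013-03-04T09:12:01Z 10.1.2.3 GET http://ministry.example.gov/news.html 200 text/html -
2013-03-04T09:12:02Z 10.1.2.3 GET http://static-cdn.example.net/fp.js 200 application/javascript http://ministry.example.gov/news.html
2013-03-04T09:12:09Z 10.1.2.3 GET http://static-cdn.example.net/get/shockwave_installer.exe 200 application/octet-stream http://ministry.example.gov/news.html
2013-03-04T09:15:44Z 10.1.2.4 GET http://ministry.example.gov/news.html 200 text/html -
2013-03-04T09:15:45Z 10.1.2.4 GET http://ministry.example.gov/site.js 200 application/javascript http://ministry.example.gov/news.html
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")

def parse(log):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, _method, url, _status, ctype, ref = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
                       "url": url, "host": url.split("/")[2], "ctype": ctype, "ref": ref})
    return events

def find_chains(log, window=timedelta(seconds=60)):
    """Return (client, page host, third-party host, payload URL) for each page visit that is
    followed within `window` by an off-site script and then a binary from that same host."""
    by_client = defaultdict(list)
    for e in parse(log):
        by_client[e["ip"]].append(e)
    hits = []
    for ip, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, page in enumerate(evs):
            if page["ctype"] != "text/html":
                continue
            script_hosts = set()  # off-site hosts that served a script to this page
            for e in evs[i + 1:]:
                if e["ts"] - page["ts"] > window:
                    break
                if e["ref"] != page["url"] or e["host"] == page["host"]:
                    continue  # only requests made on behalf of this page, from other hosts
                if e["ctype"] == "application/javascript":
                    script_hosts.add(e["host"])
                elif e["host"] in script_hosts and e["ctype"] == "application/octet-stream":
                    hits.append((ip, page["host"], e["host"], e["url"]))
    return hits
```

The second client fetches only a same-origin script and so is not flagged; in practice the 60-second window and the content-type checks are the knobs to tune against your own proxy format.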
Wipbot appears to act as a reconnaissance tool, while Turla is used to maintain a long-term presence on the victim’s computer. Analysis conducted by Symantec has found several technical connections between Wipbot and Turla which indicate that the same group, or the same larger organization, wrote both pieces of code.
Symantec has been tracking the activities of the group behind Turla for a number of years. The identity of the attackers has yet to be established, although timestamps from activity associated with the attacks indicate that most activity occurs during the standard working day of the UTC +4 time zone.
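To show how a working-day estimate such as the UTC+4 observation is derived from activity timestamps, the following script (an added example, not Symantec's tooling) scores every whole-hour offset by the share of events that land in an assumed 09:00-18:00 Monday-to-Friday working day; the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps (not from the original post) standing in for
# observed attacker activity such as sample compile times or C&C check-ins.
SAMPLE_TIMESTAMPS = [
    datetime(2013, 3, 4, 5, 10, tzinfo=timezone.utc),   # Mon
    datetime(2013, 3, 4, 7, 30, tzinfo=timezone.utc),
    datetime(2013, 3, 5, 9, 45, tzinfo=timezone.utc),   # Tue
    datetime(2013, 3, 5, 13, 40, tzinfo=timezone.utc),
    datetime(2013, 3, 6, 6, 5, tzinfo=timezone.utc),    # Wed
    datetime(2013, 3, 6, 11, 20, tzinfo=timezone.utc),
    datetime(2013, 3, 7, 5, 50, tzinfo=timezone.utc),   # Thu
    datetime(2013, 3, 7, 13, 15, tzinfo=timezone.utc),
    datetime(2013, 3, 8, 10, 0, tzinfo=timezone.utc),   # Fri
    datetime(2013, 3, 9, 8, 0, tzinfo=timezone.utc),    # Sat (outside any working week)
]

WORK_START, WORK_END = 9, 18  # assumed local working day, 09:00-18:00 Mon-Fri

def working_hours_fraction(timestamps_utc, offset_hours):
    """Fraction of events falling on a weekday between WORK_START and WORK_END
    once shifted into the fixed-offset zone UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [t.astimezone(tz) for t in timestamps_utc]
    in_hours = sum(1 for t in local if t.weekday() < 5 and WORK_START <= t.hour < WORK_END)
    return in_hours / len(local)

def best_offsets(timestamps_utc):
    """Score every whole-hour offset from UTC-12 to UTC+14 and return the offsets
    with the highest working-hours fraction, together with all scores."""
    scores = {off: working_hours_fraction(timestamps_utc, off) for off in range(-12, 15)}
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s == top), scores

if __name__ == "__main__":
    best, scores = best_offsets(SAMPLE_TIMESTAMPS)
    for off in sorted(scores):
        print(f"UTC{off:+d}: {scores[off]:.0%}")
    print("best fit:", [f"UTC{o:+d}" for o in best])
```

A single best offset only emerges when the sample contains events near both edges of the working day; with a flat distribution several neighbouring offsets tie, which is why such evidence supports rather than proves an attribution.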
Turla is an evolution of an older piece of malware, Trojan.Minit, which has been in operation since 2004. The current campaign is the work of a well-resourced and technically competent attack group that is capable of penetrating many network defenses. It is focused on targets that would be of interest to a nation state, with spying and theft of sensitive data among its objectives.
Symantec has the following detection in place for the malware used in these attacks: