Espionage campaign hit embassies of former Soviet states

Security experts at Symantec detected a large-scale cyber espionage campaign which hit personnel at embassies of former Soviet states.

Security researchers at Symantec discovered a large-scale cyber attack which is targeting embassies of former soviet states worldwide. The experts detected a huge cyber attack that has been carried out across more than 15 countries, the embassies in France, Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, Germany and other countries have been targeted by hackers. In time I’m writing, there aren’t further news on the specific state embassies targeted.

In cases like this, the first thought is that the operations are conducted by state-sponsored hackers, the bad actors used a couple of known malware in the attacks, named Wipbot and Tavdig, to infect systems in the targeted embassies probably for cyber espionage.

According to the researchers the attackers used a watering hole technique to infect victims at the embassies, it is likely that bad actors compromised websites visited by embassy personnel, it has been estimated that at least 84 websites have been hacked with this intent.

Watering hole attacks are very difficult to be detected and allow attackers to infect only the targeted communities of users.

The researchers speculated that the malware detected could have been used by bad actors in a first stage of the attack, in successive stages more complex malware (like Turla, Uroboros, Snake and Carbon) would then be spread.

turlaturla

” It appears that this combination of malware has been used for classic espionage-type operations for at least four years. Because of the targets chosen and the advanced nature of the malware used, Symantec believes that a state-sponsored group was behind these attacks.” states Symantec.

Some experts believe that the US is the State behind the attacks, but the analysis of the source of the hacking has been traced back to the UTC +4 timezone, which includes Moscow.

“In one instance, the malware delivered was disguised as a Shockwave installer bundle,” “”Wipbot was then used to gather further information about the infected computer.”

“If the attackers deemed the victim of interest, it appears likely that a second back door trojan with far greater capabilities was downloaded on to the victim’s computer.” said a Symnatec researcher in a statement. 

Victims of the attacks were being redirected to Web servers where a ‘fingerprinting’ script was executed to gather identifying information about the visitor’s PC. The bad actors in this phase were collecting data which would be used to choose the best exploits to compromise the targeted machine.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Turla APT group, cyber espionage)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Meta stopped covert operations from Iran, China, and Romania spreading propaganda

Meta stopped three covert operations from Iran, China, and Romania using fake accounts to spread…

14 hours ago

US Treasury sanctioned the firm Funnull Technology as major cyber scam facilitator

The U.S. sanctioned Funnull Technology and Liu Lizhi for aiding romance scams that caused major…

23 hours ago

ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

ConnectWise detected suspicious activity linked to a nation-state actor, impacting a small number of its…

1 day ago

Victoria’s Secret ‘s website offline following a cyberattack

Victoria’s Secret took its website offline after a cyberattack, with experts warning of rising threats…

2 days ago

China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware

Google says China-linked group APT41 controlled malware via Google Calendar to target governments through a…

2 days ago

New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.

GreyNoise researchers warn of a new AyySSHush botnet compromised over 9,000 ASUS routers, adding a…

2 days ago