Espionage campaign hit embassies of former Soviet states

Security experts at Symantec detected a large-scale cyber espionage campaign which hit personnel at embassies of former Soviet states.

Security researchers at Symantec discovered a large-scale cyber attack which is targeting embassies of former soviet states worldwide. The experts detected a huge cyber attack that has been carried out across more than 15 countries, the embassies in France, Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, Germany and other countries have been targeted by hackers. In time I’m writing, there aren’t further news on the specific state embassies targeted.

In cases like this, the first thought is that the operations are conducted by state-sponsored hackers, the bad actors used a couple of known malware in the attacks, named Wipbot and Tavdig, to infect systems in the targeted embassies probably for cyber espionage.

According to the researchers the attackers used a watering hole technique to infect victims at the embassies, it is likely that bad actors compromised websites visited by embassy personnel, it has been estimated that at least 84 websites have been hacked with this intent.

Watering hole attacks are very difficult to be detected and allow attackers to infect only the targeted communities of users.

The researchers speculated that the malware detected could have been used by bad actors in a first stage of the attack, in successive stages more complex malware (like Turla, Uroboros, Snake and Carbon) would then be spread.

” It appears that this combination of malware has been used for classic espionage-type operations for at least four years. Because of the targets chosen and the advanced nature of the malware used, Symantec believes that a state-sponsored group was behind these attacks.” states Symantec.

Some experts believe that the US is the State behind the attacks, but the analysis of the source of the hacking has been traced back to the UTC +4 timezone, which includes Moscow.

“In one instance, the malware delivered was disguised as a Shockwave installer bundle,” “”Wipbot was then used to gather further information about the infected computer.”

“If the attackers deemed the victim of interest, it appears likely that a second back door trojan with far greater capabilities was downloaded on to the victim’s computer.” said a Symnatec researcher in a statement. 

Victims of the attacks were being redirected to Web servers where a ‘fingerprinting’ script was executed to gather identifying information about the visitor’s PC. The bad actors in this phase were collecting data which would be used to choose the best exploits to compromise the targeted machine.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Turla APT group, cyber espionage)