The cyber attack against Austria’s foreign ministry has ended

Austria’s foreign ministry announced that the cyber attack against its systems, allegedly carried out by a state actor, has ended.

In early January, Austria’s foreign ministry announced it was facing a “serious cyberattack” and that it could be the work of a nation-state actor.

“Due to the gravity and nature of the attack, it cannot be ruled out that this is a targeted attack by a state actor,” the foreign ministry said at the time in a joint statement with the interior ministry.

“Despite all the intensive security measures, there is no 100-percent protection against cyberattacks.”

The attack took place on the evening of Saturday 4 January and was quickly detected. Local reports revealed that the attack was aimed at the ministry’s IT infrastructure.

Authorities immediately adopted defensive measures to protect their infrastructure and set up a special committee to respond to the incident. It is not clear if the hackers gained access to sensitive data.

This week, the Austrian foreign ministry announced that the cyber attack against its systems has ended.

“After really intensive work and excellent cooperation between all the departments involved, last weekend we managed to clean up our IT systems and end the cyber attack on the Foreign Ministry,” said Foreign Minister Alexander Schallenberg. “The highest possible data security at the Foreign Ministry is guaranteed and no damage to the IT equipment could be detected.”

“According to current knowledge, this was a targeted attack against the Foreign Ministry with the intention of gathering information. However, due to the dimension and the high complexity, it cannot yet be said beyond doubt who is behind the attack.”

The authorities are still investigating the attack; the government experts have no doubt that it was a targeted cyber-espionage attack against the Foreign Ministry.

“Espionage is a serious offence, so such accusations should not be made lightly,” explained Schallenberg.

Intelligence experts speculated about the involvement of Russian or Chinese cyber spies, but the local Russian ambassador Dmitri Ljubinski denied any involvement and demanded an apology.

A local radio station, the Österreichischer Rundfunk (ORF, state broadcaster Austrian Radio), reported in January that the attack was carried out by the Russia-linked Turla APT Group.

“The entire course of this cyberattack and above all the high-level target are characteristic of the “Turla” group, which operates aggressive “foreign intelligence”. After the discovery, Turla always delivers violent cyber battles to the technicians of the attacked networks. That still happens in the Republic’s Ministry of Foreign Affairs.” reported ORF. “The entire attack on a target network starts with a tiny command line module that sends a TCP request to an external command / control server, the command consisting of only four bytes of text [!]. This command brings in a so-called “dropper”, which then places the subsequent trojan in disguise.”
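An added example (not from ORF or the original article) of how a defender could hunt flow data for the traffic pattern described above: an internal host sends a first TCP payload of exactly four text bytes to an external server and receives a large reply. The flow-record fields, the internal address range and the reply-size threshold are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumption: the defender's own address space; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: a reply this large after a tiny request suggests a payload download.
MIN_REPLY_BYTES = 20_000

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def is_four_byte_text(payload):
    """True if the first client payload is exactly four printable ASCII bytes."""
    return len(payload) == 4 and all(0x20 <= b <= 0x7E for b in payload)

def find_suspect_flows(flows):
    """Flag internal-to-external TCP flows: 4-byte text request, large reply."""
    hits = []
    for f in flows:
        if is_external(f["src"]) or not is_external(f["dst"]):
            continue  # only outbound traffic from our own hosts
        if not is_four_byte_text(f["first_payload"]):
            continue  # TLS, HTTP and binary protocols fall out here
        if f["reply_bytes"] < MIN_REPLY_BYTES:
            continue  # short replies do not look like a dropper download
        hits.append((f["src"], f["dst"], f["dport"], f["first_payload"].decode("ascii")))
    return hits

# Constructed sample flow records (not data from the incident).
SAMPLE_FLOWS = [
    {"src": "10.1.4.22", "dst": "203.0.113.50", "dport": 443,
     "first_payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc", "reply_bytes": 51_200},
    {"src": "10.1.4.22", "dst": "203.0.113.80", "dport": 80,
     "first_payload": b"GET / HTTP/1.1\r\n", "reply_bytes": 90_000},
    {"src": "10.1.4.30", "dst": "198.51.100.7", "dport": 8080,
     "first_payload": b"ABCD", "reply_bytes": 184_320},
    {"src": "10.1.4.30", "dst": "10.2.0.5", "dport": 7000,
     "first_payload": b"PING", "reply_bytes": 40_000},
    {"src": "10.1.4.31", "dst": "198.51.100.9", "dport": 9000,
     "first_payload": b"QUIT", "reply_bytes": 12},
    {"src": "10.1.4.32", "dst": "198.51.100.7", "dport": 8080,
     "first_payload": b"\x00\x01\x02\x03", "reply_bytes": 60_000},
]

if __name__ == "__main__":
    for hit in find_suspect_flows(SAMPLE_FLOWS):
        print("review:", hit)
```

Matches are leads for analyst review, since legitimate protocols can also open with a short text token.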

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

Major cyber attacks are a rarity in Austria; only a few large-scale attacks were observed in the past years. In September 2019, before the National Council election, the ÖVP was hit by a “very targeted hacker attack” on the party headquarters.

In 2018, the websites of the parliament and various ministries in Austria were targeted by DDoS (Distributed Denial of Service) attacks.

Other European countries suffered similar attacks in the past; in 2015, more than 20,000 computers belonging to the German Bundestag were infected with malware. Experts and media reported a possible involvement of Russian state-sponsored hackers.

Pierluigi Paganini

(SecurityAffairs – Austria, hacking)
