Ever since hackers targeted Swiss defense contractor RUAG, government officials have been tight-lipped about the breach. But on Monday Switzerland’s CERT (Computer Emergency Readiness Team) spilled the beans on the attack against the firm and how the perpetrators pulled it off.
While Monday’s report falls short when it comes to outlining the type of data stolen, it goes into rare detail on how it was taken. For example, central to the attack was malware from the Turla family and the use of a sophisticated mix of Trojans and rootkits. Additionally, according to the report, security experts assert that RUAG computers were infected as early as 2014, making the attack slow and methodical.
It
wasn’t until early May that the public even became aware of the attacks. That’s
when Swiss defense minister Guy Parmelin went public about a breach against his
government that took place in January during the World Economic Forum in Davos,
Switzerland. Parmelin also revealed the attack included penetration of RUAG’s
system where attackers breached the company’s servers stealing an undisclosed
amount of data.
The attack was an act of espionage in which the attackers went to great lengths to go undetected, using a slow and patient strategy: first breaking into the systems, then moving laterally and infecting other devices. Central to the attack was the use of Epic Turla, a highly sophisticated and ongoing cyberespionage campaign that targets governments, militaries and embassies.
This type of attack, outlined in detail by Kaspersky Lab researchers, uses a mix of spear-phishing and PDF-based exploits, social engineering to entice email recipients to run a malware-infected .SCR file, or a watering-hole type attack leveraging a Java exploit or a fake Flash Player. “The attackers showed great patience during the infiltration and lateral movement. They only attacked victims they were interested in by implementing various measures, such as a target IP list and extensive fingerprinting before and after the initial infection,” according to the report.
Once they gained access to RUAG’s network, the attackers moved laterally by infecting other devices and by gaining higher privileges, according to the report. “One of their main targets was the (Microsoft) Active Directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships,” according to the report. CERT reports that the malware sent HTTP requests to transfer data outside the network, where several command-and-control servers were located.
These C&C servers, in turn, provided new
tasks to the infected devices, according to the report. In an effort to evade
detection, once inside the infiltrated network, the attackers created a
hierarchy of communication pipes for internal communication between infected
devices.
This peer-to-peer network of pipes required some devices to take on the role of a communication drone, while others acted as worker drones that never actually contacted any C&C servers. For Kaspersky researchers who have studied Epic Turla, the cyberespionage attack against RUAG adds new insight into the public activities of Turla.
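As an added example (not code from the GovCERT report or this article), the drone hierarchy described above can be looked for in network flow records: a host that both receives SMB from several internal peers and talks HTTP to the outside is a candidate communication drone, and peers whose only traffic is SMB to it are candidate worker drones. The address plan, the flow records and the assumption that the pipes ride on SMB (TCP 445) are constructed for this example.

```python
# Added example, not code from the GovCERT report or this article: from
# constructed flow records, find the drone hierarchy described above. A
# "communication drone" is an internal host that makes outbound HTTP(S)
# requests and receives SMB (TCP 445, which carries named pipes) from several
# internal peers; a "worker drone" is an internal host whose only observed
# traffic is SMB to such a communication drone.
import ipaddress
from collections import defaultdict

# Assumption: the defender's own address plan. 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges standing in for the
# Internet; none of these addresses are indicators from the RUAG case.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.0.1.10", "10.0.1.50", 445),
    ("10.0.1.11", "10.0.1.50", 445),
    ("10.0.1.12", "10.0.1.50", 445),
    ("10.0.1.50", "203.0.113.7", 80),     # only this host reaches outside
    ("10.0.1.20", "10.0.1.2", 445),       # ordinary file-server traffic
    ("10.0.1.20", "198.51.100.9", 443),   # ordinary browsing
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify_hosts(flows, smb_port=445, web_ports=(80, 443), min_peers=2):
    """Return (communication_drones, worker_drones), both as sorted lists."""
    smb_sources = defaultdict(set)   # dst -> internal sources talking SMB to it
    reaches_web = set()              # internal hosts with outbound web flows
    outbound = defaultdict(set)      # src -> {(dst, port)}
    for src, dst, port in flows:
        if not is_internal(src):
            continue
        outbound[src].add((dst, port))
        if not is_internal(dst):
            if port in web_ports:
                reaches_web.add(src)
        elif port == smb_port:
            smb_sources[dst].add(src)
    comm = {h for h, peers in smb_sources.items()
            if h in reaches_web and len(peers) >= min_peers}
    workers = {h for h, dsts in outbound.items()
               if h not in comm
               and all(d in comm and p == smb_port for d, p in dsts)}
    return sorted(comm), sorted(workers)
```

A host reported as a worker has no external traffic at all, which matches what the report says about worker drones; the output is a hunting lead to confirm on the host, not a verdict.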
“By describing this group’s use of BeEF and Google Analytics activity, we are seeing a confirmation of our Epic Turla paper – as far as Turla evaluating target systems and progressively deploying more advanced tools to those systems,” said Kurt Baumgartner, principal security researcher at Kaspersky Lab’s Global Research and Analysis Team. Baumgartner is referring to the chain of infection used by the attackers, in which, before infecting a device, the attacker performs extensive fingerprinting to ensure the target suits its purposes.
To accomplish this, the attackers created watering
hole attacks that contained redirects to an infection site. “The waterhole just
contains a redirection to the actual infection site. This redirection can vary.
We observed URL shorteners as well as JavaScripts disguised as Google Analytics
scripts. The infection site tests whether the victim’s IP address is on a
target list; if so, a fingerprinting script is returned,” according to the
report.
The result is sent back to the same server, where it is manually checked. Next, the attacker decides whether the device should be infected, either by sending an exploit or by using social engineering techniques. “The next step is a more sophisticated fingerprinting script. The fingerprinting script gains as much information about the victim as possible by using JavaScript. It is taken from the BeEF framework (Browser Exploitation Framework).”
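As an added example (not code from the article or the GovCERT report), one way a defender can hunt for the disguised Google Analytics script described above is to scan web proxy logs for script requests whose filename mimics the GA loader but whose host is not on a Google allowlist. The log format, the hostnames and the allowlist are constructed assumptions for this example.

```python
# Added example, not code from the article or the GovCERT report: hunt in
# constructed web proxy log lines for scripts that mimic the Google Analytics
# loader but are served from a host outside a Google allowlist, the disguise
# the report describes for the watering-hole redirect. The log format, the
# hostnames and the allowlist are assumptions for this example.
import re
from urllib.parse import urlsplit

# Assumed allowlist of hosts that legitimately serve the GA loader.
GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com",
            "www.googletagmanager.com"}
# Filenames the genuine loader uses (plus the common gtag variant).
GA_NAMES = re.compile(r"/(ga|analytics|gtag)(\.min)?\.js$", re.IGNORECASE)

# Constructed proxy log lines: "<client> <method> <url> <content-type>".
# The .test hostnames are reserved examples, not indicators from the case.
SAMPLE_LOG = """\
10.0.1.10 GET http://www.google-analytics.com/analytics.js application/javascript
10.0.1.10 GET http://cdn.example-news.test/js/analytics.js application/javascript
10.0.1.11 GET http://stats.lookalike.test/ga.js text/javascript
10.0.1.12 GET http://www.example.test/index.html text/html
"""

def parse_line(line):
    """Split one log line into (client, method, url, content_type)."""
    client, method, url, ctype = line.split(maxsplit=3)
    return client, method, url, ctype

def lookalike_ga_requests(log_text, allowed_hosts=GA_HOSTS):
    """Return (client, host, path) for GA-named scripts served off-allowlist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _, url, ctype = parse_line(line)
        parts = urlsplit(url)
        # Only JavaScript responses matter; a page merely named like the
        # loader is noise.
        if "javascript" not in ctype.lower():
            continue
        if GA_NAMES.search(parts.path) and parts.hostname not in allowed_hosts:
            hits.append((client, parts.hostname, parts.path))
    return hits
```

Sites that self-host the loader will also appear, so treat a hit as a lead to be checked against the fetched script, not as proof of a watering hole.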
The sophisticated set of unique tools stands in contrast to some of the tools used inside infected networks, Baumgartner said. Lateral movement by the attackers, while effective, is noticeably devoid of the technical panache they used to infiltrate the network. For lateral movement, the attackers used various publicly available tools such as Mimikatz, Pipelist, Psexec, Dsquery and ShareEnum.
The authors of the report said they intentionally did not speculate on who was behind the attacks, explaining: “First, it is nearly impossible to find enough proof for such claims. Secondly, we think it is not that important, because – unfortunately – many actors use malware and network intrusions for reaching their intentions.”