Geekzone: technology news, blogs, forums
Unraveling the Turla cyber-espionage campaign
Posted on 8-Aug-2014 12:49. | Tags Filed under: News.

Researchers at Kaspersky Lab announced the discovery of a precursor to the Turla APT campaign called Epic. The attacks are known to use a mix of zero-day and off-the-shelf exploits against both previously unknown and already-patched vulnerabilities to compromise victims.

Peaking during the first two months of the year, the Turla APT campaign, one of the most sophisticated ongoing cyber-espionage campaigns, has targeted municipal governments, embassies, militaries and other high-value targets worldwide in more than 45 countries.

The first research conducted on Turla, however, did not reveal a vital element of the cyber-espionage campaign: how victims get infected. The latest Kaspersky Lab research on this operation reveals that Epic is in fact the initial stage of the Turla victim infection mechanism.

Turla’s first stage:
During the analysis, Kaspersky Lab researchers observed the attackers using the Epic malware to deploy a more sophisticated backdoor known as the “Cobra/Carbon system”, also named “Pfinet” by some anti-virus products.

After some time, the attackers went further and used the Epic implant to update the “Carbon” configuration file with a different set of C&C servers. The unique knowledge required to operate these two backdoors indicates a clear and direct connection between them.

“The configuration updates for the ‘Carbon system’ malware are interesting, because this is another project from the Turla actor. This indicates that we are dealing with a multi-stage infection that begins with Epic Turla. The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system,” explains Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.

Turla outline:
· Epic Turla / Tavdig: the early-stage infection mechanism.
· Cobra Carbon system / Pfinet (and others): intermediary upgrades and communication plugins.
· Snake / Uroburos: high-grade malware platform that includes a rootkit and virtual file systems.

The “Epic” project has been used since at least 2012, with the highest volume of activity observed in January-February 2014. More recently, Kaspersky Lab detected this attack against one of its users on August 5, 2014.

Using zero-day exploits, social engineering and watering-hole attacks to infect victims, the attackers aim to gain immediate and full control over the target system.

Links with other threat actors:
Interestingly, possible connections with other cyber-espionage campaigns have been observed. In February 2014, Kaspersky Lab experts observed that the threat actor known as Miniduke was using the same web shells to manage infected web servers as the Epic team did.

Given that some of the backdoors were compiled using the Russian language and that Cyrillic characters are used, the attackers are likely to be of Russian-speaking origin.
