The hackers, according to Kaspersky, were likely backed by a nation
state and used techniques and tools similar to ones employed in two
other high-profile cyber espionage operations that Western
intelligence sources have linked to the Russian government.
Kaspersky, a Moscow-based security software maker that also sells
cyber intelligence reports, declined to say if it believed Russia
was behind the espionage campaign.
Dubbed "Epic Turla," the operation stole vast quantities of data,
including word processing documents, spreadsheets and emails,
Kaspersky said, adding that the malware searched for documents with
terms such as "NATO," "EU energy dialogue" and "Budapest."
"We saw them stealing pretty much every document they could get
their hands on," Costin Raiu, head of Kaspersky Lab's threat research
team, told Reuters ahead of the release of a report on "Epic Turla"
on Thursday during the Black Hat hacking conference in Las Vegas.
Kaspersky said the ongoing operation is the first cyber espionage
campaign uncovered to date that managed to penetrate intelligence
agencies. It declined to name those agencies, but said one was
located in the Middle East and the other in the European Union.
Other victims include foreign affairs ministries and embassies,
interior ministries, trade offices, military contractors and
pharmaceutical companies, according to Kaspersky. It said the
largest number of victims were located in France, the United States,
Russia, Belarus, Germany, Romania and Poland.
Kaspersky said the hackers used a set of software tools known as
"Carbon" or "Cobra," which have been deployed in at least two
high-profile attacks. The first was an attack against the U.S.
military's Central Command that was discovered in 2008. The second
attack was against Ukraine and other nations, uncovered earlier this
year, using malicious software dubbed "Snake" or "Uroburos."
Western intelligence sources told Reuters in March that they
believed the Russian government was behind those two attacks.
Russia's Federal Security Bureau had declined to comment at the
time.
Symantec Corp, the biggest U.S. security software maker, said it
also planned to release a report on "Epic Turla" and related
campaigns on Thursday, following months of research. Symantec
declined to say if the hackers were linked to Russia and would not
name specific victims.
Many cybersecurity researchers refrain from commenting on who they
believe are behind cyber attacks, saying they lack the intelligence
needed to draw such conclusions.
The Kaspersky report suggests the hackers spoke Russian, though that
could mean people from a number of countries. It said the control
panels in software for running the "Epic Turla" campaign were set to
use Russian Cyrillic characters and its code included the Russian
word "Zagruzchick," which means "boot loader."
Symantec researcher Vikram Thakur said the hackers infected machines
by first compromising websites that victims would likely visit,
including sites of some government agencies. The software was
designed to scan a computer to determine if it belonged to somebody
who was of interest, such as a government employee, Thakur said.
Once a PC was compromised, "Epic Turla" analyzed the machine to see
if it had data of interest to the hackers, distributing more Carbon
components to further study the machine if it had such information,
according to Kaspersky.
(Reporting by Jim Finkle; Editing by Tiffany Wu)
[© 2014 Thomson Reuters. All rights reserved.] This material may not be
published, broadcast, rewritten or redistributed.