Connect with us

Hi, what are you looking for?


Malware & Threats

Attack on Swiss Defense Firm Linked to Turla Cyberspies

The recent cyber espionage attack aimed at Swiss defense firm RUAG was carried out by the Russia-linked threat group known as Turla, according to a report commissioned by the Swiss government.

The recent cyber espionage attack aimed at Swiss defense firm RUAG was carried out by the Russia-linked threat group known as Turla, according to a report commissioned by the Swiss government.

RUAG is a Bern-based technology company owned by the Swiss government. The organization specializes in aviation, space and defense with products ranging from satellite equipment to ammunition.

News of a cyberattack on RUAG came to light earlier this month when Switzerland’s Defense Minister Guy Parmelin revealed that his ministry was targeted by malicious actors in January while he was attending the World Economic Forum. Parmelin said at the time that the government was investigating a possible connection between the attack on the country’s Department of Defense and an attack on RUAG.

Initial news reports said the attacks were carried out by Russian hackers, who managed to steal sensitive information from RUAG. However, the defense firm denied the reports, claiming that the servers storing classified data could not have been accessed.

A report published on Monday by Switzerland’s Government Computer Emergency Response Team (GovCERT) and its parent organization, the Reporting and Analysis Centre for Information Assurance (MELANI), revealed that while the breach was discovered in January, the attackers gained access to RUAG’s systems as early as September 2014.

MELANI/GovCERT monitored the attackers’ activities in the RUAG network from January until May, when the press was informed about the incident. MELANI said this made their monitoring efforts useless.

Swiss investigators believe the attack on RUAG is part of a long-running campaign conducted by the Russia-linked advanced persistent threat (APT) actor known as Turla and Waterbug. The group is known for its operations involving pieces of malware such as Turla (aka Snake and Uroburos) and Epic Turla (aka Wipbot and Tavdig).

Advertisement. Scroll to continue reading.

Researchers have not been able to determine the initial infection vector in the RUAG attack, but noted that Turla often leverages watering holes to deliver its malware. Experts also pointed out that the threat actor usually tailors its attacks to ensure that only the targeted entities get infected.

In this operation, the cyberspies leveraged variants of Tavdig and Carbon-DLL, a threat described by experts as a descendant of the Carbon rootkit and a “sibling” of the Snake malware. The malware doesn’t have any rootkit functionality, but it does use obfuscation in an effort to remain undetected.

“After they got into the network, [the attackers] moved laterally by infecting other devices and by gaining higher privileges. One of their main targets was the active directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships,” MELANI said in its report.

“The malware sent HTTP requests to transfer the data to the outside, where several Command-and-Control (C&C) servers were located. These C&C servers provided new tasks to the infected devices. Such tasks may consist of new binaries, configuration files, or batch jobs. Inside the infiltrated network, the attackers used named pipes for the internal communication between infected devices, which is difficult to detect. This way, they constructed a hierarchical peer-to-peer network: some of these devices took the role of a communication drone, while others acted as worker drones,” MELANI explained.

Researchers noticed that there was very low activity in some phases of the operation, while in other phases the attackers managed to exfiltrate large amounts of data. The most active phase took place between September and December 2015.

Investigators found that a total of 23Gb of data were exfiltrated, which also includes beaconing requests sent to the C&C servers. Experts also noted that some data was transferred twice and the exfiltrated data was usually compressed. Since the analysis is based on proxy logs, MELANI has not been able to determine if the stolen files included sensitive information.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...