The recent cyber espionage attack aimed at Swiss defense firm RUAG was carried out by the Russia-linked threat group known as Turla, according to a report commissioned by the Swiss government.
RUAG is a Bern-based technology company owned by the Swiss government. The organization specializes in aviation, space and defense with products ranging from satellite equipment to ammunition.
News of a cyberattack on RUAG came to light earlier this month when Switzerland’s Defense Minister Guy Parmelin revealed that his ministry was targeted by malicious actors in January while he was attending the World Economic Forum. Parmelin said at the time that the government was investigating a possible connection between the attack on the country’s Department of Defense and an attack on RUAG.
Initial news reports said the attacks were carried out by Russian hackers, who managed to steal sensitive information from RUAG. However, the defense firm denied the reports, claiming that the servers storing classified data could not have been accessed.
A report published on Monday by Switzerland’s Government Computer Emergency Response Team (GovCERT) and its parent organization, the Reporting and Analysis Centre for Information Assurance (MELANI), revealed that while the breach was discovered in January, the attackers gained access to RUAG’s systems as early as September 2014.
MELANI/GovCERT monitored the attackers’ activities in the RUAG network from January until May, when the press was informed about the incident. MELANI said this made their monitoring efforts useless.
Swiss investigators believe the attack on RUAG is part of a long-running campaign conducted by the Russia-linked advanced persistent threat (APT) actor known as Turla (also tracked as Waterbug). The group is known for its operations involving pieces of malware such as Turla (aka Snake and Uroburos) and Epic Turla (aka Wipbot and Tavdig).
Researchers have not been able to determine the initial infection vector in the RUAG attack, but noted that Turla often leverages watering holes to deliver its malware. Experts also pointed out that the threat actor usually tailors its attacks to ensure that only the targeted entities get infected.
In this operation, the cyberspies leveraged variants of Tavdig and Carbon-DLL, a threat described by experts as a descendant of the Carbon rootkit and a “sibling” of the Snake malware. The malware doesn’t have any rootkit functionality, but it does use obfuscation in an effort to remain undetected.
“After they got into the network, [the attackers] moved laterally by infecting other devices and by gaining higher privileges. One of their main targets was the active directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships,” MELANI said in its report.
“The malware sent HTTP requests to transfer the data to the outside, where several Command-and-Control (C&C) servers were located. These C&C servers provided new tasks to the infected devices. Such tasks may consist of new binaries, configuration files, or batch jobs. Inside the infiltrated network, the attackers used named pipes for the internal communication between infected devices, which is difficult to detect. This way, they constructed a hierarchical peer-to-peer network: some of these devices took the role of a communication drone, while others acted as worker drones,” MELANI explained.
Researchers noticed that there was very low activity in some phases of the operation, while in other phases the attackers managed to exfiltrate large amounts of data. The most active phase took place between September and December 2015.
Investigators found that a total of 23GB of data was exfiltrated, a figure that also includes beaconing requests sent to the C&C servers. Experts also noted that some data was transferred twice and that the exfiltrated data was usually compressed. Since the analysis is based on proxy logs, MELANI has not been able to determine whether the stolen files included sensitive information.
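As an added example (not part of this article or of the MELANI/GovCERT report), the following Python script runs the kind of proxy-log analysis the report's exfiltration figure rests on: it totals outbound bytes per client/destination pair and flags pairs whose request timing is regular enough to look like C&C beaconing. The log format, IP addresses and hostnames are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (epoch seconds, client IP, method, host, bytes sent).
# These are made-up values for illustration, not real RUAG or Turla indicators.
SAMPLE_LOG = """\
1449000000 10.0.0.5 POST update.example.invalid 1048576
1449000600 10.0.0.5 POST update.example.invalid 2097152
1449001200 10.0.0.5 POST update.example.invalid 512
1449001800 10.0.0.5 POST update.example.invalid 1572864
1449002400 10.0.0.5 POST update.example.invalid 512
1449000030 10.0.0.7 GET www.example.invalid 200
1449004000 10.0.0.7 GET www.example.invalid 180
1449009876 10.0.0.7 GET cdn.example.invalid 15000
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\d+)$")


def parse(log):
    """Turn raw log text into (timestamp, client, method, host, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, nbytes = m.groups()
            rows.append((int(ts), client, method, host, int(nbytes)))
    return rows


def beacon_report(log, min_requests=4, max_jitter=0.1):
    """Per (client, host): total bytes out, request count, and a beaconing flag.
    A pair is flagged when it has at least min_requests requests and the spread of
    inter-request intervals is within max_jitter of the mean interval."""
    by_pair = defaultdict(list)
    for ts, client, _method, host, nbytes in parse(log):
        by_pair[(client, host)].append((ts, nbytes))
    report = {}
    for pair, events in by_pair.items():
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        regular = (len(events) >= min_requests and len(gaps) >= 2
                   and pstdev(gaps) <= max_jitter * mean(gaps))
        report[pair] = {"requests": len(events),
                        "bytes_out": sum(n for _, n in events),
                        "beaconing": regular}
    return report
```

Note that byte totals counted this way include the small beacon requests themselves and any compressed payloads, so, as in the report, they measure traffic volume rather than the sensitivity of what was taken.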