Connect with us

Hi, what are you looking for?


Malware & Threats

Attack on Swiss Defense Firm Linked to Turla Cyberspies

The recent cyber espionage attack aimed at Swiss defense firm RUAG was carried out by the Russia-linked threat group known as Turla, according to a report commissioned by the Swiss government.

The recent cyber espionage attack aimed at Swiss defense firm RUAG was carried out by the Russia-linked threat group known as Turla, according to a report commissioned by the Swiss government.

RUAG is a Bern-based technology company owned by the Swiss government. The organization specializes in aviation, space and defense with products ranging from satellite equipment to ammunition.

News of a cyberattack on RUAG came to light earlier this month when Switzerland’s Defense Minister Guy Parmelin revealed that his ministry was targeted by malicious actors in January while he was attending the World Economic Forum. Parmelin said at the time that the government was investigating a possible connection between the attack on the country’s Department of Defense and an attack on RUAG.

Initial news reports said the attacks were carried out by Russian hackers, who managed to steal sensitive information from RUAG. However, the defense firm denied the reports, claiming that the servers storing classified data could not have been accessed.

A report published on Monday by Switzerland’s Government Computer Emergency Response Team (GovCERT) and its parent organization, the Reporting and Analysis Centre for Information Assurance (MELANI), revealed that while the breach was discovered in January, the attackers gained access to RUAG’s systems as early as September 2014.

MELANI/GovCERT monitored the attackers’ activities in the RUAG network from January until May, when the press was informed about the incident. MELANI said this made their monitoring efforts useless.

Swiss investigators believe the attack on RUAG is part of a long-running campaign conducted by the Russia-linked advanced persistent threat (APT) actor known as Turla and Waterbug. The group is known for its operations involving pieces of malware such as Turla (aka Snake and Uroburos) and Epic Turla (aka Wipbot and Tavdig).

Researchers have not been able to determine the initial infection vector in the RUAG attack, but noted that Turla often leverages watering holes to deliver its malware. Experts also pointed out that the threat actor usually tailors its attacks to ensure that only the targeted entities get infected.

Advertisement. Scroll to continue reading.

In this operation, the cyberspies leveraged variants of Tavdig and Carbon-DLL, a threat described by experts as a descendant of the Carbon rootkit and a “sibling” of the Snake malware. The malware doesn’t have any rootkit functionality, but it does use obfuscation in an effort to remain undetected.

“After they got into the network, [the attackers] moved laterally by infecting other devices and by gaining higher privileges. One of their main targets was the active directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships,” MELANI said in its report.

“The malware sent HTTP requests to transfer the data to the outside, where several Command-and-Control (C&C) servers were located. These C&C servers provided new tasks to the infected devices. Such tasks may consist of new binaries, configuration files, or batch jobs. Inside the infiltrated network, the attackers used named pipes for the internal communication between infected devices, which is difficult to detect. This way, they constructed a hierarchical peer-to-peer network: some of these devices took the role of a communication drone, while others acted as worker drones,” MELANI explained.

Researchers noticed that there was very low activity in some phases of the operation, while in other phases the attackers managed to exfiltrate large amounts of data. The most active phase took place between September and December 2015.

Investigators found that a total of 23Gb of data were exfiltrated, which also includes beaconing requests sent to the C&C servers. Experts also noted that some data was transferred twice and the exfiltrated data was usually compressed. Since the analysis is based on proxy logs, MELANI has not been able to determine if the stolen files included sensitive information.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights