Waterbug Threat Group Targeted Systems in Over 100 Countries: Symantec

Symantec has published a new whitepaper detailing the activities of a threat group dubbed by the security firm “Waterbug.”

Waterbug is the attack group previously known for cyber espionage campaigns leveraging toolkits such as Turla (also known as Snake or Uroburos) and Epic Turla (also known as Wipbot or Tavdig).

The group is believed to have been active since at least 2005. Its activities became publicly known in 2008, when one of the pieces of malware associated with it, the notorious Agent.BTZ, was used in an attack aimed at the United States military.

According to Symantec, Waterbug successfully compromised more than 4,500 systems across over 100 countries, targeting government institutions, research and education facilities, embassies, and other high-profile organizations.

The group uses two techniques to infect targeted devices with malware: spear phishing emails containing malicious attachments, and a vast distribution network made up of at least 84 compromised websites.

One of the spear phishing emails spotted by Symantec in December 2013 carried a harmless-looking PDF document designed to exploit an Adobe Reader zero-day in combination with a Windows vulnerability in order to distribute Trojan.Wipbot.

The distribution network, dubbed by the security firm “Venom,” is used for watering hole attacks designed to target certain users.

“These compromised websites are located in many different countries and were used in a watering-hole style operation in which the attackers monitored and filtered visitors to those websites and focused on the ones of interest for further action. The collection of compromised websites acted like a drag net designed to gather potential targets of interest,” Symantec said in the report.

The compromised websites are mainly located in France, Germany, Romania and Spain. Roughly half of them belong to government organizations or to publishing and media companies. What many of the websites have in common is their use of the TYPO3 content management system (CMS) and the fact that they reside on the same net block linked to certain hosting providers, Symantec noted.

In addition to Trojan.Wipbot, the attackers have also distributed Trojan.Turla, which they use to collect and exfiltrate data from infected machines.

Researchers have identified four variants of Trojan.Turla: SAV, FA, ComRAT, and Carbon. The threats, previously detailed by other security companies, use shared components.

In its report, Symantec has pointed out that the use of zero-days, the sophisticated malware, the large network of compromised websites, and the nature of the targets indicate that Waterbug is a state-sponsored group. While the company has not named any country, other security firms believe the threat might have Russian roots.

The complete whitepaper on Waterbug is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
