CERT.ch says attackers are linked to the Turla APT

May 23, 2016 14:43 GMT  ·  By

Switzerland's CERT (Computer Emergency Readiness Team) disclosed today a report about the cyber-attacks against Ruag, a local technology company specialized in ground, air and space technologies, also a supplier of military equipment and munitions to the Swiss military.

Details about these attacks surfaced online at the start of the month when Swiss defense minister Guy Parmelin revealed to the press that his ministry faced a powerful cyber-attack this past winter while he was attending the annual World Economic Forum (WEF) in Davos, Switzerland.

Parmelin was talking on this topic, after a day earlier, Swiss newspaper Tages-Anzeiger revealed that Ruag, one of the country's top defense contractors suffered a powerful cyber-attack this past January as well.

Attackers compromised Ruag as early as September 2014

In a report published today, Switzerland's CERT (CERT.ch) team revealed more details about the Ruag attacks. According to the country's top security investigators, attackers compromised Ruag as early as September 2014, the earliest logs CERT.ch could get their hands on.

CERT.ch specialists claim they've discovered malware on Ruag's network that's related to the same malware used by the Turla APT, a Russian-link threat actor.

Security experts said they were monitoring this malware in order to gather more details about the group's operations. Their plan was thrown off course after the above-mentioned Swiss newspaper leaked details about the cyber-attacks at the start of May.

Cyber-espionage group waiting in the shadows for weeks, months

Before having their plan derailed, CERT.ch managed to gather some details about the malware and its mode of operation.

CERT.ch says the group behind this attack is very patient and sometimes willing to wait days, weeks, or months, before moving on to the next stage of their attack.

The threat actor spent a lot of time infiltrating and moving laterally through the network. They also paid special attention to identifying each user, not to infect non-valuable targets. For this, they've used IP range filters and target fingerprinting.

Group used a variation of the Turla malware

After the group reached their desired targets, they deployed a variation of the Turla malware (also known as Tavdig). This malware uses different "workers," each tasked with their own set of operations. Some must gather data, some act as proxies, while others are just communication nodes.

Once the Turla malware workers gathered the data, they would send it to an outside C&C server in large batches using proxy servers. CERT.ch says it detected five instances in Ruag's server logs where the group exfiltrated massive amounts of data. These happened in June, July, September, October, and December 2015.

As CERT explained today, the public disclosure of the cyber-attacks against Ruag might have damaged the team's further monitoring operations.

Timeline of Ruag cyber-attack
Timeline of Ruag cyber-attack

Photo Gallery (2 Images)

Attackers compromised Ruag for almost 2 years
Timeline of Ruag cyber-attack
Open gallery