Cyber-tracking taken to a whole new level

Nov 16, 2015 18:10 GMT  ·  By

A new type of cyber-spying campaign has been detected by FireEye researchers, one they suspect to be tied to a Russian state-sponsored group previously analyzed by Kaspersky and known under the name of Turla.

This time around, as FireEye reports, the group has breached and infected over 100 websites that have a business and government audience.

Instead of stealing data from the websites or leaving malware behind to infect visitors, the group has added a small piece of code that redirects some of the site's users to one of its servers.

Here, details about each user are logged, and users are also given a supercookie that is difficult to find and delete from their computer. This supercookie continues to broadcast data whenever users visit other infected websites. If a victim visits several of these infected sites, the group may be alerted to investigate that user further.

The Turla group seems to be interested in gathering information such as the victim's browser type and version, browser plugin types and versions, Microsoft Office version, IP address, OS/browser language, and more.
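As an added example (not part of the article or of FireEye's report), the check a site owner can run against their own pages: parse the HTML for script, iframe, image and meta-refresh references and report any host that is not on an allowlist, since the injected code described above is a small snippet that sends visitors to a server the site owner never added. The sample page, host names and allowlist below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page and allowlist (not from the article): one local
# script, one expected analytics provider, one expected CDN, plus two
# references the owner never added (a meta refresh and a collector script).
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://redirect.example.invalid/r">
<script src="/js/site.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<script src="//stats.example.invalid/collect.js"></script>
</head><body><img src="https://cdn.example.org/logo.png"></body></html>"""
ALLOWED = {"example.org", "analytics.example.net"}

class _RefCollector(HTMLParser):
    """Collect attributes that make the browser fetch or follow a URL."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.refs.append((tag, a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=http://host/path": keep the URL part
            content = a.get("content", "")
            if "url=" in content.lower():
                self.refs.append(("meta-refresh", content.split("=", 1)[1].strip()))

def _allowed(host, allowed_hosts):
    """True if host equals an allowlisted name or is a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)

def suspicious_hosts(html, allowed_hosts):
    """Return the sorted set of external hosts the page references that are
    not allowlisted. Relative URLs (same origin) are ignored; scheme-relative
    URLs such as //host/x are resolved to their host."""
    p = _RefCollector()
    p.feed(html)
    found = set()
    for _tag, url in p.refs:
        host = urlparse(url).hostname
        if host and not _allowed(host.lower(), allowed_hosts):
            found.add(host.lower())
    return sorted(found)

if __name__ == "__main__":
    for h in suspicious_hosts(SAMPLE_PAGE, ALLOWED):
        print("unexpected external host:", h)
```

Run it over every page of the site (fetched or from a content export) and diff the result against the previous run; a new host appearing across many pages at once is the pattern the article describes.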

The group's malicious code behaves like regular Web analytics tracking scripts

Since the profile of the infected websites relates to business and government affairs, the group might be looking to identify government employees and persons of power and interest in official positions.

Whenever such victims are identified, they can then be targeted with spear phishing campaigns that don't rely on broadcasting large-scale attacks that can easily be detected by cyber-security vendors.

FireEye says the group has targeted individuals from embassies, the military, and government positions from the US and several European countries. Turla seems to be putting a lot of effort into targeting Eastern European countries.

FireEye has dubbed this campaign WITCHCOVEN, based on the name of the malicious tracking script. Previously, the Turla group was observed by Kaspersky using satellites to spy on its targets. Such a level of sophistication and resources hints that the group may be sponsored by a nation that has interests in keeping an eye on its neighbors and main rivals.

"Customers often ask for ways to mitigate the risk against the malicious cyber activity we observe," says the FireEye team. "For the activity described in this report, mitigation is a challenge because the threat actors are collecting information about potential targets in the course of a user's normal web browsing activity."

The company recommends using Tor to hide a government employee's identity when browsing the Web.

Figures (2 images): Tracking scripts used to detect and spy on government officials; Affected websites cater to the following domains.