Researchers from Russian computer security firm Kaspersky Labs claim to have discovered a massive cyber espionage campaign that targeted government institutions in 45 countries.
The operation, which experts have named "Epic Turla," is said to have successfully infiltrated two surveillance agencies, along with private and public organizations in Asia, the Middle East and Europe.
According to reports, the campaign was likely backed by a state sponsor. Kaspersky, in spite of revealing that the techniques used for the campaign were similar to the modus operandi in spying operations linked to Russian intelligence, declined to speculate on the country's possible involvement.
"We saw them stealing pretty much every document they could get their hands on," Kaspersky Labs Threat Research Team Head Costin Raiu said. The hackers were said to have collected spreadsheets, documents and emails that contained terms such as "Budapest" and "EU energy dialogue."
According to Kaspersky's analysis, the unnamed hackers used four types of attacks for the campaign:
- Spearphishing emails that contained PDF exploits.
- Tricking users into running malware installers that have the ".scr" extension. These installers sometimes actually contain RAR files.
- Watering hole attacks that are facilitated through Flash exploits, Java exploits and Internet Explorer 6, 7 and 8 exploits.
- Watering hole attacks that trick people into using fake Flash Player installers.
The spearphishing attacks used attachment names such as "NATO position on Syria.scr" and "border_security_protocol.rar." Watering holes, on the other hand, are compromised websites that have been altered to spread malware. Some of the websites that were infiltrated through watering hole attacks include those of the Palestinian Authority Ministry of Foreign Affairs and the city hall of Pinor, Spain. The researchers found more than 100 websites that have been compromised through the attacks. The country with the most injected websites is Romania, followed by France, the United States, Iran and Russia.
Kaspersky's researchers said that the attacks were coordinated and targeted specific areas of interest. In Spain, the hackers targeted the websites of city governments. In Romania, on the other hand, the attacks were concentrated in the Mures region. Kaspersky said that the attacks were still going on as of July this year. The hackers are now focused on targets in Europe and the Middle East.