Swiss defence contractor hacked, details released

The details of a years long campaign against a Swiss defence contractor have been released in partnership with Swiss CERT.

Details of advanced attacks like this one against a Swiss defence contractor are not often released

Swiss CERT has released details of an APT attack on Swiss defence organisations. Released in conjunction with the defence contractor RUAG, the report outlines an attack of considerable ambition on the contractor itself as well as on the Swiss special forces unit DRA10.

RUAG announced on 12 May that it had been attacked, and that the attack had been halted with outside assistance. The defence contractor, according to its own statement, "is constantly confronted with cyber-attacks and is accustomed to having to repel them".

Notably, the attackers stole very little data. According to RUAG, it amounted to less than 0.01 percent of the data the company manages. The company was keen to point out that “no secret data was affected by the attack on RUAG”. However, the attack was apparently conducted “very professionally”.

RUAG would not tell SC any more than had already been officially released, but thanks to the new report, published in partnership with CERT, further information has come to light.

There are discrepancies between the two accounts. While RUAG said it “has been observing and tracing the hackers' activities since January 2016”, the CERT version notes that the attackers had been inside the defence contractor's network since “at least” September 2014.

The report further notes that the attackers moved with patience. The group collected as much information as it could on RUAG and its inner workings before deploying its infection. The initial attack vector has not been determined, as the available records only go back to the end of 2014.

Once inside, the group moved laterally, combing through RUAG's data for specific information and identifying the people who might hold it. Throughout the years they spent in the network, the attackers maintained and updated their malware.

CERT would not speculate about attribution. In its report, it said, “We intentionally did not make any attributions in regard to who might be behind these attacks. First, it is nearly impossible to find enough proof for such claims. Secondly, we think it is not that important, because - unfortunately - many actors use malware and network intrusions for reaching their intentions. To our belief, nothing justifies such actions, and we support taking steps to ban such attacks instead of accepting them as inevitable.”

There are, however, elements within the report which may give us some clues as to who could have been behind the attack.

Turla, the malware family used in the attack, is commonly associated with Russian groups. It has been used to target large companies, government departments and intelligence agencies for close to a decade.

Research into previous Turla intrusions has found that the quality of the code strongly indicates nation-state backing. The malware has also been linked by intelligence agencies to the espionage operation known as Red October, which targeted defence and nuclear research networks.

Computer Emergency Response Teams (CERTs) are incident response teams; at the national level they act as a country's cyber-defence team. Most developed countries have one in place to respond to, and advise on, major cyber-incidents in the public and private sectors.

In a certain sense they represent an elite: the top talent in that region or country's cyber-security community.

When they are not responding to an APT attack, they are trying to teach the broader community how to defend itself. A spokesperson for Swiss CERT told SCMagazineUK.com that it chose to share the information as “a powerful means of combating such attacks”.

This kind of disclosure is not just an aid for potential targets but also a weapon against the attackers: “If organisations share such information it is much more difficult and expensive for the attackers to stay hidden. Another goal was to give organisations a short guidance on how the bar for the attackers can be raised with simple and cost-effective countermeasures.”

It was also revealed by two Swiss newspapers, SonntagsZeitung and NZZ am Sonntag, that the attacker, whoever it was, was trying to get its hands on the personal information of members of the Swiss special forces unit DRA10. One anonymous source within the Swiss defence community told NZZ am Sonntag that, given the confusion around the attack, officials “were racking our brains trying to determine whether the elite soldiers will have to be given new identities”.