Malware snoops on diplomats, government targets in Eastern Europe

News by SC Staff

Cyber-espionage platform Attor has been used to target Russian-speaking individuals for at least seven years, ESET researchers find

A new cyber-espionage platform aimed at diplomatic and government organisations has been discovered by ESET researchers. Dubbed ‘Attor’, the platform has been used to target Russian-speaking individuals for at least seven years, the research report said.

"Attor’s espionage operation is highly targeted – we were able to trace Attor’s operation back to at least 2013, yet we only identified a few dozen victims. Despite that, we were able to learn more about the intended victims by analysing artifacts in the malware," ESET malware researcher Zuzana Hromcová wrote in the report.

Attor keeps constant tabs on the victim’s activities by taking screenshots of standard services such as web browsers, instant messaging applications and email services.

Apart from that, it targets a selected set of applications, among them several Russian services – including the two most popular social networks in Russia (Odnoklassniki, VKontakte) and a VoIP service provided by a Russian telecom operator (Multifon).

"Our conclusion is that Attor is specifically targeting Russian-speakers, which is further supported by the fact that most of the targets are located in Russia," Hromcová wrote in the report.

Other targets are spread across Eastern Europe, specifically Ukraine, Slovakia, Lithuania and Turkey, and they include diplomatic missions and governmental institutions.

"In addition to its geographical and language targeting, Attor’s creators appear to be specifically interested in users concerned about their privacy," Hromcová wrote.

The creators of the cyber-espionage platform have taken extra care to conceal the trail of the data it exfiltrates from the target to the operator.

"The malware, which has flown under the radar since 2013, has a loadable-plugin architecture that can be used to customise the functionality to specific victims. It includes an unusual plugin for GSM fingerprinting that utilises the rarely used AT command set, and incorporates Tor with the aim of anonymity and untraceability," concluded the report.

"Keeping track of network activity over such a long period of time is difficult, but not for organisations that perform network security monitoring," observed Richard Bejtlich, author and principal security strategist at Corelight. 

"NSM software such as Zeek could create high fidelity yet compact network transactions logs, suitable for long-term, inexpensive storage. When a victim organisation suspects it may be affected by a long-term adversary campaign, it could retrieve those Zeek records from storage and accelerate its detection, response, and recovery process," he explained.
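As an added illustration of the retrospective use of stored Zeek logs that Bejtlich describes (example code written for this article, not ESET's or Corelight's), the script below parses a few constructed Zeek conn.log lines and summarises, for each source/destination pair, how long the contact persisted and how regular it was. The log lines, addresses and thresholds are assumptions, not values from the report.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in Zeek's TSV conn.log format: one host contacting an external address about hourly for three days, plus unrelated noise.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes",
] + [
    f"{1380000000 + i*3600 + (i % 3)*5}\tC{i}\t10.1.2.3\t5{i:04d}\t198.51.100.7\t443\ttcp\t1.2\t512\t2048"
    for i in range(72)
] + [
    "1380001000\tCx1\t10.1.2.9\t51000\t203.0.113.5\t80\ttcp\t0.3\t100\t900",
    "1380200000\tCx2\t10.1.2.9\t51001\t203.0.113.5\t80\ttcp\t0.2\t100\t800",
])

def parse_conn_log(text):
    """Yield dict records from Zeek TSV conn.log text, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def summarise_pairs(records):
    """Group connections by (orig_h, resp_h, resp_p) and measure how long and how regularly they recur."""
    times = defaultdict(list)
    for r in records:
        times[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    summary = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        summary[key] = {
            "count": len(ts),
            "span_days": (ts[-1] - ts[0]) / 86400,
            # Coefficient of variation of the inter-connection gaps: near 0 means clockwork-regular contact.
            "gap_cv": (pstdev(gaps) / mean(gaps)) if len(gaps) > 1 and mean(gaps) else None,
        }
    return summary

def find_persistent_regular(summary, min_count=20, min_days=2.0, max_cv=0.2):
    """Return pairs seen many times, over a long window, at regular intervals (thresholds are assumed)."""
    return sorted(k for k, s in summary.items()
                  if s["count"] >= min_count and s["span_days"] >= min_days
                  and s["gap_cv"] is not None and s["gap_cv"] <= max_cv)

if __name__ == "__main__":
    for pair in find_persistent_regular(summarise_pairs(parse_conn_log(SAMPLE_CONN_LOG))):
        print("persistent regular contact:", pair)
```

The same functions run unchanged over a real conn.log pulled back from archive storage; only the thresholds would need tuning to the environment.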
