The security giants have both investigated the advanced (APT) attack known as Turla, Snake or Uroburos, after it was first revealed earlier this year by German research firm G Data and the UK's BAE Systems Applied Intelligence.
In a 7 August blog post, Kaspersky says that in the last 10 months a “massive” cyber espionage operation it calls Epic Turla has infected several hundred computers in more than 45 mainly east European and Middle East countries, including government institutions, embassies, military, education, research and pharmaceutical companies.
Meanwhile, Symantec posted on the same day to say Turla has targeted the health ministry of a Western European country, a Central American country's ministry for education, a state electrical authority in the Middle East, and a medical organisation in the US. It also hit the governments and embassies of at least six former Eastern Bloc countries, including multiple attacks on one state's embassies in France, Belgium, Germany and elsewhere.
Kaspersky provides details of Turla's attack method, saying it uses at least two zero-days – a privilege escalation vulnerability in Windows XP and Windows 2003 (CVE-2013-5065) and an arbitrary code execution vulnerability in Adobe Reader (CVE-2013-3346).
G Data first revealed Turla/Snake/Uroburos in February and linked it to the Russian intelligence service. In March BAE also noted its use of the Russian language.
In this week's report, Symantec says it suspects a state-sponsored group is behind the attacks and found that most of its activity occurred in the standard working day of the UTC +4 time zone – Russia's time zone.
“It is focused on targets that would be of interest to a nation state, with spying and theft of sensitive data among its objectives,” Symantec said.
Kaspersky says one backdoor in the malware is named ‘Zagruzchick' (‘boot loader' in Russian) and the compilation code page language set to ‘LANG_RUSSIAN'.
Commenting on this, Ralf Benzmüller, head of G Data SecurityLabs, told SCMagazineUK.com: “The reports of Kaspersky and Symantec are in line with what we saw earlier - mistakes in the English used and Cyrillic artefacts; the group is extremely dynamic in using exploits; the time zone of the attackers is in Russia.”
He added: “We are not surprised that Uroburos is spread all over the world, even though we have personally seen in it only a number of countries.”
Kaspersky said that after G Data's report “one big unknown” was the infection vector for Turla/Snake/Uroburos. It now confirms the attackers use an original ‘Epic Turla' backdoor and a more sophisticated related malware family called Carbon or Cobra.
“Victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla,” Kaspersky says. “In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to ‘rescue' each other if communications are lost with one of the backdoors.”
Kaspersky said the Turla group use spear-phishing, social engineering and watering-hole attacks, via more than 100 hijacked websites.
Symantec agrees that they infect victims through both spear-phishing and watering-hole attacks, saying the group has compromised at least 84 legitimate websites, including sites owned by several different governments and international agencies.
Kaspersky says Epic Turla's targets include government ministries, embassies, military, education, research and pharmaceutical companies. The top five affected countries by victim's IP address were France, the US, Iran, Russia and Belarus.
In its original report, BAE found ‘Snake' targeting mainly Eastern Europe countries, but also the US, UK and other Western European countries, since at least 2005, infiltrating Windows XP, Vista, 7 and Windows 8-based systems.
Earlier this month, BAE raised questions when it pulled out of presenting a paper on ‘Snake' at the Black Hat conference in the US. But a spokesperson told SC MagazineUK.com this was because it plans to publish a new report on the attack in “the next month or two”.
Commenting on the latest Symantec and Kaspersky findings, he said: “”When we published the original Snake report, because it's such a sophisticated operation our spokesperson at the time made a call to action to the security community to come together, given the threat Snake presents.
“It's important that security works together, and works to identify where Snake might be operating, how it can be tackled and so on. So we welcome any further work that might be done by other members of the security community about Snake which can help businesses and other organisations improve their understanding and defences against the threat.”