Turla Group, the Gazer Backdoor, and WhiteBear Activity
This week, two security researchers published reports relating to the well-known cyberespionage APT group, Turla.
Security researchers from ESET, an IT security company based in Slovakia, wrote about a previously undocumented backdoor called Gazer which appears to be the latest tool used in an ongoing cyberespionage campaign targeting embassies and ministries of foreign affairs this year.
Moscow-based Kaspersky Lab’s Securelist recently publicly released a report documenting cyberespionage activity it has codenamed “WhiteBear.” The Kaspersky report states that WhiteBear is likely “a parallel project or second stage” that “has overlap with other Turla campaigns” and shares infrastructure and code artifacts with Turla. This report also notes a shift in targets around June 2017, when the previously narrow target set of embassies and related organizations expanded to include unnamed “defense-related organizations.”
Turla is known for its highly specific targeting of embassies, consulates, or ministries of foreign affairs around the world. The majority of targets are in Southeastern Europe and former Soviet states, but targets throughout Europe, Asia and South America were also compromised in 2016.
Who is Turla?
Turla is thought to be a well-established cyber espionage group, active since at least 2015, but possibly active since 2011 or before. Security researchers earlier this year speculated on links that may tie the Turla group to the Moonlight Maze espionage operations targeting US government agencies from 1998-1999. Turla is believed to be a Russia-based, Russian-language threat group at least partly sponsored by the Russian government.
According to Kaspersky, “Turla, also known as Snake or Uroboros is one of the most sophisticated ongoing cyber-espionage campaigns.” ESET calls Turla “a notorious group that has been targeting governments, government officials and diplomats for years. They are known to run watering hole and spearphishing campaigns to better pinpoint their targets.”
Turla is thought to be related to the Russian APT group Sofacy, also known as FancyBear. Sofacy is the group accused of being the source of the 2016 Democratic National Committee hacks.
Why has Gazer been attributed to Turla?
A pattern of techniques used by Turla in the past is also used with Gazer. The initial infection is thought to employ spearphishing. A malicious email attachment delivers the first-stage backdoor, called Skipper (used previously by Turla). The Skipper backdoor then retrieves the second-stage backdoor, Gazer. Previously, the Carbon or Kazuar backdoors were used in place of Gazer, indicating that Gazer may be the latest development used to update a continuing campaign. The second-stage backdoor receives encrypted instructions from command and control servers, using compromised but legitimate websites as proxies. Infection allows for full remote code execution and activity monitoring by the operators.
Similarities of targets and methods of delivery and anti-detection led ESET researchers to connect or attribute this malware to Turla “with high confidence.”
Why is Gazer’s use by Turla significant?
- The Gazer backdoor is considered to be highly sophisticated, stealthy, and persistent.
- Gazer code is being closely maintained and updated. The most recent version differs from previous versions in that strings have been changed and video game references have been inserted throughout the code. These modifications make it more difficult to track and stop the malware even after it has been identified.
- This new backdoor malware is just the latest update in a long-running cyberespionage campaign targeting embassies and diplomatic organizations, indicating that this campaign remains active and is evolving.
- The scope of targeted organizations may be expanding to include defense organizations. This shift may indicate a new phase in Turla’s cyberoperations.
- Turla is a well-known and established APT group in the cyberespionage field that may have been conducting reconnaissance operations against government or diplomatic targets for years and possibly decades.
We must consider what the end goal could be for the Turla group or those sponsoring the group, beyond the information gathering. Once the group gains access to embassy computers, we can assume they will seek out individual user credentials and network administrator credentials. Will those credentials be used only in cyberespionage, or will this access be used to possibly alter or interfere with diplomatic communications?
Kaspersky Lab, Securelist, Introducing WhiteBear
ESET, Welivesecurity.com, Gazing at Gazer: Turla’s new second stage backdoor (PDF)
Graham Cluley, Welivesecurity.com, New ESET research uncovers Gazer, the stealthy backdoor that spies on embassies
Threatpost, Russian-Speaking Turla Joins APT Elite