Turla Outlook Backdoor

Turla, also known as Snake, is an espionage group notorious for having breached heavily protected networks such as US Central Command in 2008. Since then, it has been busy attacking diplomats and military targets around the world. Notable victims include the Finnish Foreign Ministry in 2013, the Swiss military firm RUAG between 2014 and 2016 and, more recently, the German government at the end of 2017 and beginning of 2018.

In the latter case, several newspapers quickly released some information about the attackers' modus operandi: they used email attachments both to control the malware and to exfiltrate stolen data from the compromised system. However, no technical information about this backdoor was publicly available. Herein, we release our in-depth analysis of this Turla backdoor, which is controlled via PDF attachments sent by email.

As the media reported, several computers of the German Foreign Office were infected by this backdoor. The attack apparently started in 2016 and was detected by the German security services at the end of 2017. The attackers first infected the Federal College of Public Administration (Hochschule des Bundes), a federal administrative university, and moved through its network until they were able to access the Foreign Office network in March 2017. Thus, Turla operators had access to highly sensitive information (such as emails sent by German Foreign Office staff) for almost a year.

Our investigation also reveals that this piece of malware, which targets Microsoft Outlook, was used against various political and military organizations. We were able to ascertain that the Foreign Offices of two other European governments and a large defense contractor were compromised. Our investigation also led to the discovery of dozens of email addresses registered by Turla operators for this campaign and used to receive data exfiltrated from the victims.
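Because the backdoor described above used email attachments as its command channel and exfiltrated stolen data to mailboxes the operators had registered for the campaign, one defender-side check is to baseline each sender's external correspondents and flag outbound messages that carry PDF attachments to an external recipient the sender has never written to before. The following is an added example written for this article and not ESET's code or tooling; the log record layout, the internal domain `example.gov`, and the sample events (including the recipient `drop123@freemail.example`) are all constructed for illustration, and a real deployment would feed it mail-gateway or Exchange message-tracking records instead.

```python
# Added example (not ESET's code): first-seen-external-recipient heuristic for
# PDF attachments over a constructed outbound-mail log.
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

INTERNAL_DOMAIN = "example.gov"  # assumption: the organisation's own mail domain


@dataclass(frozen=True)
class MailEvent:
    """One outbound message as recorded by a (hypothetical) mail gateway."""
    ts: str
    sender: str
    recipient: str
    attachments: Tuple[str, ...]


# Constructed sample log, in chronological order. The "drop123" recipient
# stands in for an attacker-registered mailbox receiving exfiltrated PDFs.
SAMPLE_LOG: List[MailEvent] = [
    MailEvent("2017-03-01T08:00", "alice@example.gov", "bob@example.gov", ("agenda.docx",)),
    MailEvent("2017-03-01T09:10", "alice@example.gov", "partner@ministry-x.eu", ("memo.pdf",)),
    MailEvent("2017-03-02T03:14", "alice@example.gov", "drop123@freemail.example", ("report.pdf",)),
    MailEvent("2017-03-02T03:15", "alice@example.gov", "drop123@freemail.example", ("report2.pdf",)),
    MailEvent("2017-03-03T10:00", "alice@example.gov", "partner@ministry-x.eu", ("notes.pdf",)),
]


def is_external(addr: str) -> bool:
    """True if the address does not belong to the internal domain."""
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def has_pdf(attachments: Iterable[str]) -> bool:
    """True if any attachment name ends in .pdf (case-insensitive)."""
    return any(name.lower().endswith(".pdf") for name in attachments)


def find_suspicious_pdf_sends(
    events: Iterable[MailEvent],
    known_contacts: Optional[Set[Tuple[str, str]]] = None,
) -> List[MailEvent]:
    """Return events in which a sender mails a PDF to an external recipient it
    has not previously emailed, either earlier in the log or in the supplied
    (sender, recipient) baseline of known contacts."""
    seen = defaultdict(set)
    for sender, rcpt in known_contacts or ():
        seen[sender.lower()].add(rcpt.lower())

    flagged: List[MailEvent] = []
    for ev in events:
        sender, rcpt = ev.sender.lower(), ev.recipient.lower()
        if has_pdf(ev.attachments) and is_external(rcpt) and rcpt not in seen[sender]:
            flagged.append(ev)
        # Every message, flagged or not, extends the sender's observed contacts.
        seen[sender].add(rcpt)
    return flagged


if __name__ == "__main__":
    # Without a baseline the legitimate partner mailbox is flagged on first
    # contact too; with a baseline only the unknown drop mailbox remains.
    baseline = {("alice@example.gov", "partner@ministry-x.eu")}
    for ev in find_suspicious_pdf_sends(SAMPLE_LOG, baseline):
        print(f"{ev.ts} {ev.sender} -> {ev.recipient} {ev.attachments}")
```

The heuristic only fires once per new external recipient, so the second message to the same drop mailbox is not re-flagged; an analyst triaging the first hit would pivot on that recipient to enumerate all messages sent to it. Building the `known_contacts` baseline from historical sent-items is what keeps the rule from drowning in legitimate first contacts.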