Feeds

TeamSpy snooped on governments, big biz undetected for 10 years

Experts lift lid on hacking crew

Protecting against web application threats using SSL

Computer security researchers say they have uncovered a decade-long espionage campaign against governments, businesses and human-rights activists in Eastern Europe and beyond.

We're told the spying operation was partially pulled off by subverting TeamViewer - a legitimate tool for remotely controlling computers and holding meetings online. The snoopers installed the software on victims' Windows PCs and modified the code's behaviour with DLL hijacking to open a backdoor on the compromised machines. This successful tactic earned the campaign the nickname of TeamSpy and kept the hacking crew under the radar for years.

The researchers, who are based at the Laboratory of Cryptography and System Security (CrySyS Lab), said the spying team also used custom-built malware in days gone by.

Many of the compromised computers appeared to belong to ordinary punters, but some were within high-profile organisations involved in industry, scientific research or diplomacy. Hungary opened a joint investigation with the CrySyS Lab and the Hungarian National Security Authority after some of the country's government computers were infiltrated by TeamSpy.

Other targeted bodies, according to the researchers, include an unnamed EU state's embassy in Russia; an electronics company in the Middle East; multiple research and educational organisations in France and Belgium; and an industrial manufacturer in Russia.

The cyber-spies were interested in Microsoft Office documents and such files (e.g., those with the filename extensions .doc, .rtf, .xls or .mdb), PDF files, disk images (e.g., .tc or .vmdk), as well as files that potentially contain sensitive information such as encryption keys (e.g., .pgp, .p12) or passwords (e.g., files with the following strings in their names: pass, secret, saidumlo, секрет and парол).*

"Most likely the same attackers are behind the attacks that span for the last 10 years, as there are clear connections between samples used in different years and campaigns. Interestingly, the attacks began to gain new momentum in the second half of 2012," CrySyS Lab concluded.

"The campaigns are a mix of targeted attacks and conventional cyber-crime activities, for example, banking crime operations such as the Sheldor campaign."

CrySyS Lab reckoned the attacks are the work of a small and technically skilled team that has grown more sloppy over the years as complacency set in.

"The attackers use distinct tools for nearly every simple activity – this means that the group is most likely small, and technically professional people carry out all types of activities including strategic planning and executing the attacks," the lab's experts said.

"The attackers commit errors and produce a lot of garbage. One reason for this carelessness may be that after so many years of undetected operation, they are not afraid of detection."

A summary of the research by Budapest-based CrySyS Lab and the Hungarian National Security Authority can be found here [PDF].

Staff at security biz Kaspersky Lab added that human-rights activists have also been targeted in the campaign. The researchers said the attackers were siphoning off Apple iOS device history data from iTunes, detailed OS and BIOS information, as well as logging victims' keystrokes and screen-grabbing desktops on compromised devices. A blog post by Kaspersky contains tips on defeating computer espionage, such as blocking access from corporate machines to known command-and-control servers operated by hackers.

TeamSpy's modus operandi is similar to the approach taken by the hackers behind the earlier Red October attack, although the two operations are not thought to be directly linked. The TeamSpy crew usually roped in victims using so-called waterhole attacks based on planting malicious code on websites frequently visited by people working at targeted organisations. That attack code was also injected into advertising networks that ran across the targeted regions.

A detailed technical analysis by Kaspersky Lab of TeamSpy can be found here [PDF]. ®

Bootnote

* “Saidumlo” means “secret” in Georgian; “секрет” means “secret” in Russian; and “парол” means “password”.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.