Recent campaigns demonstrate that
The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.
In June, ESET researchers observed the Russia-linked cyberespionage group using weaponized PowerShell scripts in attacks against EU diplomats.
Experts at Symantec observed in the last eighteen months at least three distinct campaigns, each using a different set of hacking tools. In one campaign the attackers used a previously unseen backdoor tracked as Neptun (Backdoor.Whisperer); the malicious code is deployed on Microsoft Exchange servers and passively listens for commands from the attackers.
In a second campaign, the group used three different backdoors along with two custom loaders: a modified version of Meterpreter, a publicly available backdoor; a custom backdoor called photobased.dll; and a custom Remote Procedure Call (RPC) backdoor.
The third wave of attacks was characterized by the use of another custom RPC backdoor, which borrowed code from the PowerShellRunner tool to execute PowerShell scripts and evade detection.
“Recent Waterbug activity can be divided into three distinct campaigns, characterized by differing
Turla attackers used many other tools and malware in the latest campaigns, such as a custom dropper to deliver the Neptun backdoor, a USB data collecting tool, and a hacking tool that combines four NSA tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch).
Attackers also used a set of Visual Basic and PowerShell scripts for reconnaissance, and publicly available tools such as IntelliAdmin, SScan, NBTScan, PsExec, Mimikatz, and Certutil.exe.
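Because several of the tools named above are publicly available and often run under their stock executable names, a simple first-pass detection is to watch process-creation telemetry for those names. The script below is an added illustration, not Symantec's or ESET's detection logic: it parses constructed, Sysmon-like JSON process events (the field names host, user, image and cmdline are an assumed schema), flags launches of the tools listed in the article, and ranks hosts by how many flagged launches they produced. The executable names in WATCHED_TOOLS are assumptions about how each tool commonly appears on disk; a renamed binary will slip past a name match, which is why such a check complements rather than replaces hash- and behaviour-based detection.

```python
"""Flag process-creation events that launch tooling named in the article.

Added example, not the detection logic of any vendor mentioned in the article.
Input is a stream of JSON lines with the fields host, user, image and cmdline
(a constructed, Sysmon-like shape; real event schemas must be mapped to these
keys first).
"""
import json
import ntpath
from collections import Counter

# Executable names are assumptions about how each tool from the article commonly
# appears on disk. An attacker can rename a binary, so this is a cheap first filter.
WATCHED_TOOLS = {
    "psexec.exe": "PsExec",
    "psexesvc.exe": "PsExec (service component)",
    "mimikatz.exe": "Mimikatz",
    "nbtscan.exe": "NBTScan",
    "sscan.exe": "SScan",
    "intelliadmin.exe": "IntelliAdmin",
    "certutil.exe": "Certutil",  # legitimate Windows binary: always review the command line
}

# Constructed sample telemetry: two workstations, one benign event, one malformed line.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws01", "user": "CORP\\alice", "image": r"C:\Temp\PsExec.exe",
     "cmdline": r"PsExec.exe \\srv01 cmd.exe"},
    {"host": "ws02", "user": "CORP\\bob", "image": r"C:\ProgramData\mimikatz.exe",
     "cmdline": "mimikatz.exe"},
    {"host": "ws02", "user": "CORP\\bob", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -decode payload.b64 payload.exe"},
    {"host": "ws03", "user": "CORP\\svc_backup", "image": r"C:\Tools\nbtscan.exe",
     "cmdline": "nbtscan.exe 10.0.0.0/24"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nthis line is not json\n"


def detect(log_text):
    """Return one alert dict per event whose image basename is a watched tool."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # Malformed telemetry should be counted in production; here it is skipped.
            continue
        # ntpath.basename handles Windows separators regardless of the host OS.
        image = ntpath.basename(event.get("image", "")).lower()
        tool = WATCHED_TOOLS.get(image)
        if tool:
            alerts.append({
                "line": lineno,
                "host": event.get("host"),
                "user": event.get("user"),
                "tool": tool,
                "cmdline": event.get("cmdline", ""),
            })
    return alerts


def hosts_by_alert_count(alerts):
    """Rank hosts by number of flagged launches to prioritise triage."""
    return Counter(a["host"] for a in alerts).most_common()


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"line {a['line']}: {a['host']} {a['user']} launched {a['tool']}: {a['cmdline']}")
    print("hosts by alert count:", hosts_by_alert_count(found))
```

Certutil.exe is a legitimate signed Windows binary, so a name match on it alone is noisy; the alert carries the command line so an analyst can separate administrative use from the file-decoding and download tricks that make it attractive to intruders.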
The three recent Turla campaigns targeted governments and international organizations worldwide. Since early 2018, the cyberspies hit at least 13 organizations across 10 different countries:
“This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group. However, it is still difficult to ascertain the motive behind the attack. Whether Waterbug simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown.” Symantec concludes.
“Waterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets.”