Vienna/Austria/UK (14/3). Austria’s foreign ministry has said a weeks-long cyber attack from a “state actor” against its systems has ended – amid local reports that pin the blame on a Russian hacking crew, citing the attack’s four-byte initial payload. Or so it seems. But key questions remain unanswered: who, and why?
The attack, which was announced to the public on 4 January, was aimed at the ministry’s IT infrastructure, according to local reports.
Foreign minister Alexander Schallenberg said the attack had been ended, adding: “We managed to clean up our IT systems.” He claimed that “no damage to the IT equipment could be detected”.
The ministry said in a statement: “According to current knowledge, this was a targeted attack against the Foreign Ministry with the intention of gathering information. However, due to the dimension and the high complexity, it cannot yet be said beyond doubt who is behind the attack.”
It is unclear whether the attack itself ended yesterday or whether yesterday marked the end of the cleanup and repair period.
Local newspaper Der Standard said that after news reports blamed the usual suspects – Russia and China – Russia’s ambassador to Austria, Dmitri Ljubinski, demanded a retraction and an apology. The newspaper said: “For example, the Kronen Zeitung headlined on Tuesday with the claim that a trail leads to Moscow – without further substantiating this.”
Austria’s public broadcaster, the Österreichischer Rundfunk (ORF), reported in mid-January that the attack bore the hallmarks of Russia’s Turla Group. Citing its own sources, the broadcaster described the attack in detail:
Like all previously known malware modules that are assigned to Turla, Topinambour is a pure spy tool. The individual elements of the malware are – as is usual – only put together in the target network, but the sophistication of Turla lies in the “how”. The entire suite consists of short command chains for .NET or PowerShell and uses – wherever possible – legitimate Windows elements such as cmd.exe that are present on the attacked machine anyway.
ORF reported that the attackers used a command-line module to send a four-byte TCP request to an external server. That downloads the malware dropper, which in turn places Turla’s trojan. Because the malware was deployed as a so-called fileless attack, its operators were, so ORF said, able to revisit freshly disinfected servers with subtly altered strains, reacting to countermeasures on the fly. A Google-translated version of its article, which reads well in English, is available here.
“Strings of the command-line interface PowerShell or the counterpart of the .NET programming suite from Microsoft are always buzzing around in this network,” said ORF, highlighting that Austria’s foreign ministry maintains around 100 diplomatic missions worldwide.
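The behaviour ORF describes (a native Windows binary such as cmd.exe launching PowerShell or .NET in memory, followed by a tiny outbound TCP request from that process) is the kind of pattern an endpoint detection rule can correlate. What follows is an added example, not code from ORF, the ministry or any published Turla analysis: it triages constructed Sysmon-style events (event 1 process creation, event 3 network connection) plus an assumed BytesSent field that Sysmon itself does not record. The launcher list, command-line markers, addresses and log lines are assumptions chosen for illustration, not Turla indicators.

```python
"""
Added example: two-stage heuristic triage of constructed endpoint telemetry.
Stage 1 flags PowerShell/.NET hosts launched by a native Windows binary or
carrying in-memory (fileless) execution markers; stage 2 raises the alert
when that same process then talks to an external address, especially with a
very small first request.  All markers, paths and events are constructed.
"""
import ipaddress
import re

# Assumed: native binaries often used as launchers ("living off the land").
LAUNCHERS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
HOSTS = {"powershell.exe", "pwsh.exe"}  # PowerShell / .NET hosting processes

# Assumed, generic markers of in-memory PowerShell/.NET execution.
FILELESS_MARKERS = re.compile(
    r"-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression"
    r"|downloadstring|frombase64string|reflection\.assembly|add-type",
    re.IGNORECASE,
)

# Address space treated as internal; anything else is "external" here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
TINY_REQUEST_BYTES = 8  # ORF cites a four-byte request; allow a little slack


def basename(path):
    """Last path component, lower-cased (Windows separators)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Return alerts as dicts; stage 1 and stage 2 are correlated by ProcessId."""
    staged = {}  # pid -> reasons recorded at process creation
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            reasons = []
            if image in HOSTS and parent in LAUNCHERS:
                reasons.append(f"{parent} spawned {image}")
            if image in HOSTS and FILELESS_MARKERS.search(ev["CommandLine"]):
                reasons.append("fileless markers in command line")
            if reasons:
                staged[ev["ProcessId"]] = reasons
                alerts.append({"pid": ev["ProcessId"], "severity": "medium",
                               "reasons": reasons})
        elif ev["EventID"] == 3:  # network connection
            pid = ev["ProcessId"]
            if pid not in staged:
                continue  # only connections from already-suspicious processes
            reasons = []
            if is_external(ev["DestinationIp"]):
                reasons.append(f"outbound to external "
                               f"{ev['DestinationIp']}:{ev['DestinationPort']}")
            sent = ev.get("BytesSent")  # assumed EDR field, absent in Sysmon
            if sent is not None and sent <= TINY_REQUEST_BYTES:
                reasons.append(f"tiny initial request ({sent} bytes)")
            if reasons:
                alerts.append({"pid": pid, "severity": "high", "reasons": reasons})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample: one fileless launch plus beacon, one benign admin script.
# "SQBFAFgA" is the UTF-16LE base64 encoding of the string "IEX".
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 3, "ProcessId": 4120, "Image": PS,
     "DestinationIp": "203.0.113.7", "DestinationPort": 443, "BytesSent": 4},
    {"EventID": 1, "ProcessId": 5008, "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 3, "ProcessId": 5008, "Image": PS,
     "DestinationIp": "10.0.0.5", "DestinationPort": 445, "BytesSent": 1400},
]


def run_sample():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["severity"], alert["pid"], "; ".join(alert["reasons"]))
```

The two stages are correlated by process ID so that a suspicious launch on its own only yields a medium alert, and the outbound connection from that same process is what raises it. The four-byte figure ORF mentions is only observable where telemetry carries byte counts (NetFlow, a host firewall, an EDR); Sysmon alone shows that the connection happened, not how large it was, which is why the size check is optional here.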
Turla Group, like every other malware operator out there on the internet, has about two dozen trade names depending on which infosec company is blogging about it at a given moment. It is variously known as Venomous Bear, Group 88, Uroburos, Iron Hunter, and so on. It was last seen on El Reg when British and American spies blamed the hacking crew for masquerading as Iranians to launch attacks on Middle Eastern governments.
Last summer the United Nations HQ in Austrian capital Vienna was hacked. Incredibly, officials covered it up in the hope nobody would notice.