In the face of allegations that Kaspersky Lab works hand-in-hand with Russian intelligence, the Moscow-based cybersecurity firm published a detailed report Wednesday exposing a complex and expansive cyber-espionage operation orchestrated by what appears to be a Russia-linked hacking group.
The report, authored by Kaspersky’s GReAT research team, reveals some of the techniques, processes and tools used by an attacker with similarities to two known hacking groups, Sofacy and Turla. Both of these groups are considered advanced persistent threats (APTs) and have been linked to the Russian government by U.S. cybersecurity firms CrowdStrike and FireEye.
Kaspersky rarely attributes hacking groups to particular governments.
This latest activity revealed by Kaspersky is codenamed “WhiteBear,” as it resembles but doesn’t match up entirely with known Sofacy or Turla operations. WhiteBear is likely a subgroup within or campaign of Turla group, the firm says.
Based on a technical analysis by Kaspersky, WhiteBear’s recent activity appears to represent a modern cyber-espionage operation that is focused on gathering intelligence from embassies, ministries, defense companies and other governmental organization across Europe. The operation has been going on for at least one year, according to the firm. While the delivery vector isn’t entirely clear, researchers believe the hackers are likely breaching organizations through the deployment of targeted, specially tailored spearphishing emails.
Past hacking activity from WhiteBear has also been traced to victims in South Asia, East Asia, Central Asia and South America.
“From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world,” a Kaspersky blog post reads. “All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted [however] to include defense-related organizations into June 2017.”
The way WhiteBear manages its attack infrastructure — a collage of servers configured to communicate and drop malware on already infected machines — is similar in nature to how Turla has done things in the past.
On Wednesday, another cybersecurity firm, ESET, published additional research about the same Turla-linked operation.
ESET’s findings focus on the discovery of a backdoor implant related to WhiteBear activity — which Kaspersky noted in their own report. The sophisticated backdoor implant, codenamed Gazer, is difficult to detect and continues to be installed on targeted systems. Recent Gazer samples were largely found on systems belonging to political and governmental organizations located in Eastern Europe.
Based on research produced by Kaspersky and other leading vendors, like Symantec and FireEye, the shared indicators between White Bear, Turla and Sofacy suggest a conjoined relationship between the groups.
“Infrastructure overlap with other Turla campaigns, code artifacts, and targeting are consistent with past Turla efforts. With this subset of 2016-2017 WhiteBear activity, Turla continues to be one of the most prolific, longstanding, and advanced APT we have researched, and continues to be the subject of much of our research,” according to Kaspersky’s GReAT team.
Nothing comes without context
Kaspersky’s new public report effectively blows the cover on a foreign hacking effort because it provides defenders with an insider’s look at how WhiteBear infects computers and then navigates around compromised networks to spy on victims.
The research was first authored in February 2017, but it only became publicly available on Wednesday. Private customers already had access to this information.
The findings come at a curious time, as FBI agents continue to dissuade private U.S. companies from purchasing and relying on Kaspersky products to protect them from hackers, as CyberScoop first reported.
Current and former U.S. intelligence officials have disagreed with how the FBI is handling the Kaspersky case. Although there’s a general consensus across the U.S. law enforcement and intelligence communities that Kaspersky’s connection to Russian intelligence services poses a threat to U.S. security, less is agreed upon with regard to how the government should mitigate that risk.
Kaspersky’s CEO Eugene Kaspersky has repeatedly and consistently denied allegations that his company is a pawn of the Kremlin. Spokespeople say the firm does not and would not spy on its clients on behalf of the Russian government.
Public evidence to support the U.S. government’s claims is lacking. Evidence of such an agreement would likely remain classified. Accusations of Kaspersky’s devious relationship with the Kremlin began earlier this year with a series of congressional hearings and public statements made by American lawmakers.