Technical Report about the RUAG espionage case

Published on 2016-05-23 08:00:00 UTC by GovCERT.ch
Last updated on 2016-05-23 08:00:53 UTC

After several months of incident response and analysis in the RUAG cyber espionage case, we were assigned by the Federal Council to write and publish a report about the findings. The following is a purely technical report, intended to inform the public about Indicators of Compromise (IOCs) and the modus operandi of the attacker group behind this case. We strongly believe that sharing information is one of the most powerful countermeasures against such threats; this is the main reason we publish this report not only within our constituency, but to the public as well.

The attackers have been using malware from the Turla family, which has been around for several years. This malware family is still under active development and in use in the wild. We provide an analysis, as well as relevant IOCs to detect this threat, and try to give an insight into how the attackers infiltrate a network, move laterally, and exfiltrate data. It is interesting to see the clever design of their fingerprinting, which excludes any victim not on the target list. Another impressive observation is the patience shown during the lateral movement. However, it is important to emphasize that attackers also make mistakes and have their weaknesses, so there is always an opportunity for defenders to detect them.

Links to the report

Technical Report about the Malware used in the Cyberespionage against RUAG

Technischer Bericht zur eingesetzten Schadsoftware beim Cyberangriff auf die RUAG

Rapport technique sur le maliciel utilisé lors de la cyber-attaque contre RUAG

Rapporto tecnico sul software nocivo utilizzato nell’attacco cyber contro la RUAG
