Recently published blog posts:
Go to the blog archive and browse all previous blog posts we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date and get notified about new whitepapers.
Report an incident: incidents[at]govcert{dot}chGeneral inquiries: outreach[at]govcert{dot}ch
The following email address can be considered as point of contact for FIRST members and other CERTs/CSIRTs:incidents[at]govcert{dot}ch
GovCERT.ch PGP-Key (preferred) Alternative GovCERT.ch PGP Key (for older versions of PGP without Curve25519 support) GovCERT.ch SMIME
Published on May 23, 2016 08:00 UTC by GovCERT.ch (permalink) Last updated on January 5, 2021 16:08 UTC
After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in sharing information as one of the most powerful countermeasures against such threats; this is the main reason we publish this report not only within our constituency, but to the public as well.
The attackers have been using malware from the Turla family, which has been around for several years. This malware family is still under active development and used in the wild. We provide an analysis, as well as relevant IOCs to detect this threat, and try to give an insight on how the attackers infiltrate a network, move laterally, and exfiltrate data. It is interesting to see the clever design of their fingerprinting to exclude any victim not on the target list. Another impressive observation is the patience shown during the lateral movement. However, it is important to emphasize that attackers also make mistakes and have their weaknesses, so there is always an opportunity for the defenders to detect them.
Back to top
