Technical Report about the RUAG espionage case

Published on May 23, 2016 08:00 UTC by (permalink)
Last updated on January 5, 2021 16:08 UTC

After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in sharing information as one of the most powerful countermeasures against such threats; this is the main reason we publish this report not only within our constituency, but to the public as well.

The attackers have been using malware from the Turla family, which has been around for several years. This malware family is still under active development and used in the wild. We provide an analysis, as well as relevant IOCs to detect this threat, and try to give an insight on how the attackers infiltrate a network, move laterally, and exfiltrate data. It is interesting to see the clever design of their fingerprinting to exclude any victim not on the target list. Another impressive observation is the patience shown during the lateral movement. However, it is important to emphasize that attackers also make mistakes and have their weaknesses, so there is always an opportunity for the defenders to detect them.

Links to the report

Technical Report about the Malware used in the Cyberespionage against RUAG

Back to top