- May 7, 2016
The recent cyber espionage attack aimed at Swiss defense firm RUAG was carried out by the Russia-linked threat group known as Turla, according to a report commissioned by the Swiss government.
RUAG is a Bern-based technology company owned by the Swiss government. The organization specializes in aviation, space and defense with products ranging from satellite equipment to ammunition.
News of a cyberattack on RUAG came to light earlier this month when Switzerland’s Defense Minister Guy Parmelin revealed that his ministry was targeted by malicious actors in January while he was attending the World Economic Forum. Parmelin said at the time that the government was investigating a possible connection between the attack on the country’s Department of Defense and an attack on RUAG.
Initial news reports said the attacks were carried out by Russian hackers, who managed to steal sensitive information from RUAG. However, the defense firm denied the reports, claiming that the servers storing classified data could not have been accessed.
A report published on Monday by Switzerland’s Government Computer Emergency Response Team (GovCERT) and its parent organization, the Reporting and Analysis Centre for Information Assurance (MELANI), revealed that while the breach was discovered in January, the attackers gained access to RUAG’s systems as early as September 2014.
MELANI/GovCERT monitored the attackers' activities in the RUAG network from January until May, when the press was informed about the incident. MELANI said the press disclosure rendered any further monitoring useless, since the attackers could be expected to change their behaviour once the intrusion became public.
Swiss investigators believe the attack on RUAG is part of a long-running campaign conducted by the Russia-linked advanced persistent threat (APT) actor known as Turla (also tracked as Waterbug). The group is known for its operations involving malware families such as Turla (aka Snake and Uroburos) and Epic Turla (aka Wipbot and Tavdig).
Researchers have not been able to determine the initial infection vector in the RUAG attack, but noted that Turla often leverages watering holes to deliver its malware. Experts also pointed out that the threat actor usually tailors its attacks to ensure that only the targeted entities get infected.