The Turla virus, which came to light earlier, has hit two secret services, in Europe and the Middle East, according to research by Kaspersky. Hundreds of other government agencies have also been affected by the malware.
The existence of the malware was revealed last year, and in March Kaspersky reported that hundreds of government institutions had been infected with it. It now appears that two secret services are among the victims as well: one in the Middle East and one in the European Union, Reuters news agency reports. According to Kaspersky, it is the first digital espionage campaign in which secret services have been infected.
Kaspersky suspects that a government is behind the attack. The attack targeted secret services and government institutions such as ministries and embassies, but also suppliers of the army and pharmaceutical companies. The largest numbers of victims are said to be in France, the United Kingdom, Russia, Belarus, Germany, Romania and Poland.
It is unknown where exactly the attack came from. A report from Kaspersky, released during the Black Hat security conference in Las Vegas, reportedly suggests that the hackers spoke Russian, but that doesn’t necessarily mean they are from Russia. Kaspersky won’t say where it thinks the hackers come from; Symantec, which will release a report on the attack later, does not say either.
The attack allegedly used tools that were used in two previous attacks, and which Western secret services believe are attributable to Russia. The fact that the victims also included institutions in Russia is not a counter-argument against Russia’s involvement: they could be diplomatic posts of other countries and branches of foreign companies in Russia.
The malware was distributed by infecting websites likely to be visited by victims. Remarkably, these included government websites. After infection, the malware reportedly tried to assess whether the victim was interesting enough, for example whether he or she worked at a government agency. The malware reportedly searched specifically for documents containing terms such as “Nato”, “EU energy dialogue” and “Budapest”.