Security researchers at Kaspersky Lab said they have uncovered a massive cyber espionage operation targeting spy agencies and governments in Europe and the Middle East.
The attackers, likely backed by a nation state, successfully penetrated the systems of two spy agencies and hundreds of government and military organisations.
The cyber attack has been underway since the beginning of this year, according to Kaspersky.
The tools and techniques used, the Moscow-based firm said, were strikingly similar to those used in two other high-profile cyber espionage operations previously linked to the Russian government.
Dubbed 'Epic Turla', the operation stole vast quantities of data including word processing documents, spreadsheets and emails, Kaspersky said, adding that the malware searched for documents with terms such as 'NATO', 'EU energy dialogue' and 'Budapest'.
"We saw them stealing pretty much every document they could get their hands on," Costin Raiu, head of Kaspersky Lab's threat research team, told Reuters ahead of the release of a report on 'Epic Turla' on Thursday during the Black Hat hacking conference in Las Vegas.
Kaspersky said the ongoing operation is the first cyber espionage campaign uncovered to date that managed to penetrate intelligence agencies. It declined to name those agencies, but said one was located in the Middle East and the other in the European Union.
Other victims include foreign affairs ministries and embassies, interior ministries, trade offices, military contractors and pharmaceutical companies, according to Kaspersky. It said the largest number of victims were located in France, the United States, Russia, Belarus, Germany, Romania and Poland.
Kaspersky said the hackers used a set of software tools known as 'Carbon' or 'Cobra', which have been deployed in at least two high-profile attacks. The first was an attack against the US military's Central Command that was discovered in 2008. The second attack was against Ukraine and other nations, uncovered earlier this year, using malicious software dubbed 'Snake' or 'Uroburos'.
Western intelligence agencies previously said they believed the Russian government was behind those two attacks. Russia's Federal Security Bureau had declined to comment at the time.
Kaspersky refused to confirm whether it believed the Russian government was responsible for the Epic Turla operation, but hinted that the attackers must have been Russian speakers: the control panels in the software for running the campaign were set to use Russian Cyrillic characters, and its code included the Russian word 'Zagruzchick', which means 'boot loader'.
The cyber espionage operation was also detected by Symantec, the largest US cyber security firm.
Symantec researcher Vikram Thakur said the hackers infected machines by first compromising websites that victims would likely visit, including sites of some government agencies. The software was designed to scan a computer to determine if it belonged to somebody who was of interest, such as a government employee, Thakur said.
Once a PC is compromised, 'Epic Turla' can analyse the machine to see if it has data of interest to the hackers. It can also distribute more Carbon components to further study the machine if it has such information, according to Kaspersky.
Symantec said it will release its own report about the operation and other related campaigns.