Russian space systems hacked in Lurid attack

Central Russian government and space-research systems have been infected in a suspected cyber-espionage attack based on the Lurid DownLoader, according to Trend Micro.
Written by Tom Espiner, Contributor

Central Russian government computers were among systems hacked in a large-scale cyberattack that has been going on at least a year, according to Trend Micro.

Over a thousand systems in the Commonwealth of Independent States (CIS) were hacked in a search for documents, spreadsheets and archive files, the security company said on Friday. Organisations in 60 other countries, including Vietnam, India and Mongolia, were also targeted.

The hackers have compromised Russian central government computers, diplomatic missions and space-related government agencies in the attack. The main Russian institution associated with space research is the Russian Federal Space Agency.

"This has all the hallmarks of espionage-related activity, given the concentration of targets," Trend Micro solutions architect Rik Ferguson told ZDNet UK. "We are liaising with companies directly and talking to local computer emergency response teams."

Lurid DownLoader

The cyberattack is being referred to as the 'Lurid DownLoader' attack, after the malware used. Overall, it has compromised 1,465 unique hosts in 61 different countries, Trend Micro said in a blog post.

The Russian computer emergency response team (RU-CERT) said it was aware of the Trend Micro report, but had not received any other information from the security company.

"Next week I'll ask colleagues in law enforcement to look at this," RU-CERT deputy head Mikhail Ganev told ZDNet UK. "If government systems have been attacked, it's the duty of law enforcement to look at it."

Large-scale cyber-espionage attacks are increasingly a concern for governments. In August, UK intelligence agency GCHQ called for organisations to make more efforts to protect themselves after the detection of a cyberattack dubbed 'Operation Shady Rat' by security vendor McAfee.

Social-engineering attacks

In the Lurid campaign, hackers infected the systems through a series of targeted attacks. Users were sent emails with infected attachments in social-engineering attacks — the files appeared harmless, but downloaded malware when opened by unsuspecting users. The malicious files mostly exploited flaws in Adobe Reader and Microsoft Office software, according to Ferguson.

The malware was from the Enfal family of malware, a Trojan downloader that can also be used to upload files from an infected machine. The hackers themselves called the malware 'Lurid DownLoader' in part of a parse left in the source code, said Ferguson. Once they had infected one machine in an organisation, they used it as a jumping-off point to infect other machines in the network.
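The attachment-borne infection chain described above is the point where a mail gateway or analyst can intervene before the document reader is ever invoked. The following is an added illustration, not code from the ZDNet article or from Trend Micro, of a minimal attachment triage check for the document types the article names: it compares the declared extension with the file's leading magic bytes, flags double extensions, and looks for active-content markers that a PDF or OLE document sent by a stranger rarely needs. The marker lists and the sample attachments are my own constructed choices, not indicators from the Lurid campaign.

```python
import re

# Magic bytes for the document families the article mentions (constructed lookup table;
# these are the standard file signatures, not anything specific to the Lurid campaign).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound document
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx) is a ZIP container

MAGIC = {
    "pdf": (b"%PDF-",),
    "doc": (OLE_MAGIC,), "xls": (OLE_MAGIC,), "ppt": (OLE_MAGIC,),
    "docx": (ZIP_MAGIC,), "xlsx": (ZIP_MAGIC,), "pptx": (ZIP_MAGIC,),
}

# PDF name objects that introduce script, launch actions or embedded payloads.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")

# OLE directory entry names are stored as UTF-16LE; these appear when a VBA project is present.
OLE_MACRO = ("_VBA_PROJECT".encode("utf-16-le"), "VBA".encode("utf-16-le"),
             "Macros".encode("utf-16-le"))


def triage(filename, data):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # "report.pdf.exe" style names: a document extension hidden in front of the real one.
    if len(parts) > 2 and parts[-2] in MAGIC:
        findings.append("double extension: ." + parts[-2] + "." + ext)

    if ext not in MAGIC:
        findings.append("not an expected document type: ." + (ext or "(none)"))
        return findings

    # The declared type must agree with what the bytes say the file is.
    if not data.startswith(MAGIC[ext]):
        findings.append("content does not match ." + ext + " header")

    if ext == "pdf":
        for marker in PDF_ACTIVE:
            # Require a non-alphanumeric after the name so /JS does not match /JSomething.
            if re.search(re.escape(marker) + rb"(?![A-Za-z0-9])", data):
                findings.append("PDF active content: " + marker.decode())
    elif data.startswith(OLE_MAGIC):
        if any(m in data for m in OLE_MACRO):
            findings.append("OLE document carries VBA macro streams")

    return findings


# Constructed sample attachments (hypothetical, a few bytes each) to exercise the checks.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    "agenda.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog "
                   b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"),
    "report.doc": b"MZ\x90\x00" + b"\x00" * 60,          # executable bytes under a .doc name
    "budget.xls": OLE_MAGIC + b"\x00" * 16 + "Macros".encode("utf-16-le") + b"\x00" * 8,
    "photo.pdf.exe": b"MZ\x90\x00",
}


def triage_all(samples=SAMPLES):
    """Run triage over every sample and return {filename: findings}."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or "clean")
```

The check is deliberately shallow: it does not parse the PDF object tree or decompress OLE streams, so a packed or obfuscated document can evade it. Its value in a gateway is as a cheap first filter that routes mismatched or script-bearing attachments to sandboxing or quarantine rather than straight to the user's reader.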

The hackers sent waves of emails in a series of campaigns. Logfiles in intercepted examples of malware show that there have been at least 301 waves of discrete attacks. In total, 59 percent of the attacks have been directed towards unique hosts.

"This targeting of individual systems is an indication of the precision of the campaign as a whole," said Ferguson. The attacks appear to have started in August 2010, with malware that talked to the same command-and-control infrastructure.

Trend Micro has gained access to logfiles on the command-and-control server, but did not access the interface on the server, Ferguson added. The initial malware sample that alerted Trend Micro to the operation was submitted in March this year from an NGO related to Tibet.

The FBI and the Metropolitan Police Central eCrime Unit (PCeU) have been informed of the attacks, as the command-and-control servers that direct the extraction of information are located in the US and the UK, Ferguson said. These servers were operational at the time of writing.

Although the malware was commanded from the UK and the US, attributing responsibility for the attacks was very difficult, Ferguson noted.
