Cyber Spying Program for a Decade

Friday, March 22, 2013 @ 05:03 PM gHale

A long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists may have been active for as much as 10 years.

The group is known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, and researchers say it may have been active for as long as 10 years.


Experts said they are not sure what kind of data the attackers are going after.

The Hungarian National Security Authority alerted researchers at the CrySyS Lab in Hungary to an attack against a high-profile target in the country and began looking into the campaign. The researchers found some of the infrastructure used in the attack had been in use for some time and the target they were investigating was by no means the only one.

“During our investigation of the incident, we discovered a number of C&C servers, and a large number of malware samples that have been used in multiple attack campaigns in the last couple of years. Indeed, the collected evidence suggests that part of the attack toolkit we discovered was used back in 2010. It seems that the main objective of the attackers was information gathering from the infected computers. Many of the victims appear to be ordinary users, but some of the victims are high profile industrial, research, or diplomatic targets, including the case that triggered our investigation,” Boldizsár Bencsáth, assistant professor at Budapest University of Technology and Economics and member of the CrySyS Lab, said in an analysis.

As they dug into the attack against the Hungarian target, the researchers found the toolset used included some modules designed specifically to retrieve certain kinds of documents. Specifically, the modules would look for files with extensions such as .pgp, or keywords such as “secret” or the Russian equivalent.

By observing the C2 activities of the malware, the CrySyS researchers were able to identify a number of other targets the attackers were going after, including the embassy of a NATO country inside Russia, a manufacturer in Russia, educational institutions in France and Belgium and a government-connected electronics company in the Middle East.

“The telemetry revealed additional high-profile victims outside Hungary. Indeed, multiple victims were found in Iran, including victims at, which is an electronics company with government background. The possible date of infection for this victim is from 2010,” CrySyS researchers said.

The TeamSpy crew relies on watering-hole attacks, trying to attract their intended victims to various Web sites that are of interest to the targeted organizations. Researchers said the attackers have used multiple sites as bait over the years, and have employed several C2 servers as well, including two analyzed at “” and “”. After analyzing the malware and toolsets used in the attacks, experts said there are some similarities between the TeamSpy attackers and the Red October attack campaign discovered earlier this year.

There are a number of indications the attackers are Russian-speakers, and researchers said the highest number of targets was in Russia and Turkey. When victims hit one of the attacker-controlled watering-hole sites, they found a variety of typical drive-by download infection methods, such as iframe redirections and exploits from the notorious Eleonore exploit pack.
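
The hidden iframe redirection mentioned above is something a site owner can audit their own pages for. The following is an added example, not code from the article or from the CrySyS analysis: it flags iframes that are both off-site and hidden from the visitor. The heuristics, the names `IframeAudit` and `suspicious_iframes`, and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline-style fragments commonly used to hide an injected frame (assumed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}", re.I)

class IframeAudit(HTMLParser):
    """Collect iframes that load another host AND are hidden from the visitor."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))  # resolves relative and // URLs
        host = urlparse(src).hostname
        off_site = host is not None and host != self.page_host
        tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                   for d in ("width", "height"))
        hidden = tiny or "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if off_site and hidden:
            self.findings.append(src)

def suspicious_iframes(html, page_url):
    """Return resolved src URLs of hidden, off-site iframes found in html."""
    parser = IframeAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page: a visible embed, a hidden same-site frame,
# and two hidden off-site frames of the kind a compromised page might carry.
SAMPLE_HTML = """
<iframe src="https://video.example.com/embed/1" width="560" height="315"></iframe>
<iframe src="/ads/slot.html" style="display:none"></iframe>
<iframe src="http://stats.example.net/in.php" width="1" height="1"></iframe>
<iframe src="//cdn.example.net/c.html" style="position:absolute; left:-9999px"></iframe>
"""

if __name__ == "__main__":
    for url in suspicious_iframes(SAMPLE_HTML, "https://news.example.org/story"):
        print("review:", url)
```

Running this against a page snapshot and comparing the result with the list of frames the site is supposed to embed shows which ones need review; a finding is a prompt to investigate, not proof of compromise.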
