Waterbug espionage group attacks against governments continue

Group may have hijacked a separate group’s infrastructure during one attack against a Middle Eastern target

Waterbug’s most recent campaigns have involved a swath of new tools including custom malware, modified versions of publicly available hacking tools, and legitimate administration tools.

The Waterbug espionage group (aka Turla) has continued to attack governments and international organisations over the past eighteen months, Symantec reveals in a new report.

The cyberespionage campaigns have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of another espionage group’s infrastructure.

Waterbug’s most recent campaigns have involved a swath of new tools including custom malware, modified versions of publicly available hacking tools, and legitimate administration tools. The group has also followed the current shift towards “living off the land,” making use of PowerShell scripts and PsExec, a Microsoft Sysinternals tool used for executing processes on other systems.
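The living-off-the-land tooling named above leaves a recognisable trail in Windows event logs: PsExec installs a service (by default named PSEXESVC) on the remote host, which the Service Control Manager records as event 7045 in the System log, and PowerShell launches show up as process-creation events (4688) whose command lines often carry an encoded or hidden-window switch. The following Python script is an added example written for this page, not code from the Symantec report or from the Waterbug toolset; the simplified JSON-lines record shape and the sample events are constructed assumptions, so the field names would need to be mapped onto a real SIEM export.

```python
"""Flag PsExec and suspicious PowerShell activity in Windows event records.

Added illustration, not from the Symantec report. The record format below is a
constructed, simplified JSON-lines shape (one event per line); real exports
from Windows Event Forwarding or a SIEM use different field names.
"""
import json
import re

# Constructed sample events. Backslashes are doubled because this is JSON text
# inside a raw string; json.loads() turns "\\" back into a single backslash.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Channel": "System", "Host": "FS01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 7045, "Channel": "System", "Host": "FS01", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 4688, "Channel": "Security", "Host": "WS07", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"EventID": 4688, "Channel": "Security", "Host": "WS07", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 4688, "Channel": "Security", "Host": "DC01", "NewProcessName": "C:\\Tools\\PsExec.exe", "CommandLine": "PsExec.exe \\\\FS01 -s cmd.exe"}
"""

# PsExec's default service name. The -r switch lets an operator rename it,
# so the image-path rule below is the more robust of the two.
PSEXEC_SERVICE = re.compile(r"^PSEXESVC$", re.IGNORECASE)
# Matches the PsExec client (psexec.exe / psexec64.exe) and the service stub (psexesvc.exe).
PSEXEC_IMAGE = re.compile(r"(?:^|[\\/])psexe(?:c|svc)(?:64)?\.exe$", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; a few common spellings are listed.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN_PS = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_lotl_indicators(events):
    """Return (host, rule, evidence) tuples for records matching a rule.

    7045: service installation (needs the System channel forwarded).
    4688: process creation; CommandLine is only present when the
          'Include command line in process creation events' policy is on.
    """
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Host", "?")
        if eid == 7045:
            name = ev.get("ServiceName", "")
            path = ev.get("ImagePath", "")
            if PSEXEC_SERVICE.search(name) or PSEXEC_IMAGE.search(path):
                hits.append((host, "psexec-service-install", name or path))
        elif eid == 4688:
            proc = ev.get("NewProcessName", "")
            cmd = ev.get("CommandLine", "")
            if PSEXEC_IMAGE.search(proc):
                hits.append((host, "psexec-client-launch", cmd))
            elif proc.lower().endswith("powershell.exe") and (
                ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd)
            ):
                hits.append((host, "powershell-encoded-or-hidden", cmd))
    return hits


if __name__ == "__main__":
    for host, rule, evidence in find_lotl_indicators(parse_events(SAMPLE_EVENTS)):
        print(f"{host:6} {rule:30} {evidence}")
```

On the constructed sample this flags three of the five records: the PSEXESVC service installation on FS01, the encoded hidden-window PowerShell launch on WS07, and the PsExec client run on DC01. Because PsExec is also a legitimate administration tool, a hit is a prompt to check who launched it and from where, not a verdict on its own; baselining which hosts and accounts normally run it is what turns this into a usable alert.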

These three recent Waterbug campaigns have seen the group compromise governments and international organisations across the globe, in addition to targets in the IT and education sectors. Since early 2018, Waterbug has attacked 13 organisations across 10 different countries in South America and South Asia, and departments in at least three Middle Eastern countries.

Hijacked infrastructure

The most striking event in Waterbug’s recent campaigns came during an attack against one target in the Middle East, when Waterbug appeared to hijack infrastructure belonging to the Crambus espionage group and used it to deliver malware onto the victim’s network. Press reports have linked Crambus and Waterbug to different nation states. While it is possible that the two groups may have been collaborating, Symantec has found no further evidence to support this. In all likelihood, Waterbug’s use of Crambus infrastructure was a hostile takeover. Curiously though, Waterbug also compromised other computers on the victim’s network using its own infrastructure.

Waterbug has also mounted two other campaigns over the past year, each of which was characterised by separate tools. These campaigns were wide ranging, hitting targets in Europe, Latin America, and South Asia.

Unanswered questions

This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group, Symantec researchers contend. However, it is still difficult to ascertain the motive behind the attack. Whether Waterbug simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown.

Waterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape.
