
Russian peeping Toms look at but won't touch popped web data troves

No malware, no data slurp, but they still know where you live

By Darren Pauli, 15 Oct 2015

Cyber Defence Summit Researchers have spotted an attack campaign, possibly emanating from Russia, that is compromising websites solely to conduct reconnaissance.

The "look, don't touch" nature of the campaign makes FireEye's threat intelligence manager Nick Rossman and director Laura Galante suspect it's the work of a spy agency like Moscow's Federal Security Service (FSB), but they aren't able to confirm that attribution.

Rossman and Galante said the attacks are unusual, in that they use completely open source tools, gather specific intelligence on limited targets, and do not involve malware.

The collected data would ordinarily be used by regular attack groups to pillage corporate assets.

"It points to some sort of Russian involvement," Rossman told reporters at the Cyber Defence Summit in Washington DC yesterday.

"We really think it is backed by a nation-state. The targets and the operational security effort, and the fact that we aren't seeing malware being sent … we doubt that a regular crime group would be willing to hold back."

Attackers are targeting victims across almost all sectors in the US and Europe, with education, government, and financial services being the most heavily hit.

Geographies of focus include Ukraine, Georgia, and those along the Russian periphery, Rossman says.

The reconnaissance effort uses a tool chest dubbed "Witchcoven", which "is compiled of only open source tools; no customisation has been made."

That, Galante says, demonstrates that attackers need not burn expensive zero-days to pop organisations.

"Capable groups are investing significant resources in reconnaissance," Galante says. "You don't have to waste your best tools."

The attacks are discovering all the typical things nosy operational security or marketing sleuths may uncover, including the age, gender, name, work, and location of targets.

The pair suspect attackers are popping sites using various scripting attacks.

More detail on the attacks will be released in coming weeks. ®

Darren Pauli travelled to Washington DC as a guest of FireEye.

The Register - Independent news and views for the tech community. Part of Situation Publishing