Some of the tactics used in APT attacks die hard. A good example is Turla’s watering hole campaigns. Turla, which has been targeting governments, government officials and diplomats for years – see, as an example, this recent paper – is still using watering hole techniques to redirect potentially interesting victims to its C&C infrastructure. In fact, the group has been using them since at least 2014 with very few variations in its modus operandi.
A watering hole attack compromises websites that are likely to be visited by targets of interest, and uses those sites to redirect visitors to attacker-controlled infrastructure. The people behind Turla are apparently keen on targeting embassy websites: a February 2017 blog post by Forcepoint highlighted some of the websites most recently compromised.
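As an added example, not code from the original article or from the researchers behind it, the following Python script checks a saved copy of a web page for the typical form a watering hole compromise takes: a script, iframe or meta refresh that pulls content from a host the site does not normally reference. The sample page, the hostnames (all under the reserved `.example` domain) and the allowlist are constructed for illustration and are not the compromised sites or C&C domains the article refers to.

```python
"""Flag third-party script/iframe/redirect references injected into a page.

Added example for the watering hole technique discussed above; it is not
code from the original article. All hostnames and the sample page are
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags (and the attribute carrying the URL) through which a compromised page
# commonly pulls in attacker-controlled content.
WATCHED = {"script": "src", "iframe": "src", "embed": "src",
           "object": "data", "link": "href"}


class ReferenceCollector(HTMLParser):
    """Collect (tag, url) pairs for watched tags plus <meta http-equiv=refresh>."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)          # HTMLParser already lowercases names
        if tag in WATCHED:
            url = attrs.get(WATCHED[tag])
            if url:
                self.refs.append((tag, url.strip()))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # e.g. content="0;url=https://somewhere.example/"
            content = attrs.get("content") or ""
            idx = content.lower().find("url=")
            if idx != -1:
                target = content[idx + 4:].strip().strip("'\"")
                self.refs.append(("meta-refresh", target))


def host_of(url):
    """Lowercase host of an absolute or protocol-relative URL; '' for relative ones."""
    return (urlparse(url).hostname or "").lower()


def find_foreign_references(html, site_host, allowlist=()):
    """Return references whose host is neither the site itself nor an allowlisted CDN.

    Relative URLs (no host) are treated as same-origin and never flagged, so an
    injection served from a path on the compromised site itself would be missed;
    compare against a known-good copy of the page to catch that case.
    """
    collector = ReferenceCollector()
    collector.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowlist)}
    return [(tag, url) for tag, url in collector.refs
            if host_of(url) and host_of(url) not in trusted]


# Constructed sample: a legitimate page with an allowlisted CDN script, plus an
# injected script and hidden iframe pointing at a host the site never used.
SAMPLE_PAGE = """<html><head>
<meta charset="utf-8">
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn-jquery.example/jquery.min.js"></script>
</head><body>
<h1>Embassy of Examplestan</h1>
<script src="/js/site.js"></script>
<!-- injected references, constructed for this example -->
<script type="text/javascript" src="//stats-counter.example/counter.js"></script>
<iframe src="https://stats-counter.example/f.html" width="1" height="1"
        style="display:none"></iframe>
</body></html>"""


def scan_sample():
    """Run the check on the constructed page; hostnames here are hypothetical."""
    return find_foreign_references(SAMPLE_PAGE, "embassy.example",
                                   allowlist=["cdn-jquery.example"])


if __name__ == "__main__":
    for tag, url in scan_sample():
        print(f"suspicious <{tag}> reference: {url}")
```

Run it against a copy of the page fetched from a network vantage point that the attackers would consider interesting: watering hole scripts are often served only to selected visitors, so a clean result from one location does not prove the site is clean. The allowlist should be built from a known-good baseline of the site, not from whatever the page currently loads.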
We are, of course, monitoring the developments of these campaigns closely, and we recently noticed the group reusing a technique that we had not seen it use for several months.
Initial compromise
The IoCs section below lists websites that have been used in the past to redirect visitors to Turla watering hole C&Cs. As is usual with this group, many of them are directly related to embassies throughout the world.
More details on: