The technical report on the "Ruag" espionage case

The Ruag cyber case was analysed by Melani/GovCERT with a view to shedding light on the attack and on further protective measures. The Federal Council has decided to publish this report so that those responsible, and experts in the field of network security, are made aware of similar attacks. However, tracing the individual espionage attempts in the Ruag and federal administration environment remains nebulous.


The report by the Reporting and Analysis Centre for Information Assurance (Melani), published at the end of May 2016 (see end of text), reveals few new findings; it focuses primarily on technical points. One of them is that the attackers used malware from the Turla family, which had been circulating for several years and had most likely been present in Ruag's IT for years. The technical report explicitly underlines: "The attackers showed a lot of patience in infiltrating and advancing further. They only attacked victims in whom they had an interest, using various measures such as spying on IP lists (...)."

Once inside the network, the malware spread laterally "by infecting more devices and gaining higher privileges."

However, such findings about the espionage at the Swiss arms company Ruag are only partially satisfactory for security experts. Although the report shows the technical sequence of events from September 2014 to May 2016, it leaves many points open, such as what sensitive data was stolen at the federal level.

No overview provided before 2014
The Ruag systems had been infected since at least September 2014. However, as Melani/GovCERT points out, Ruag has no proxy log files for the period before September 2014, and already in the first files checked, Melani experts found signs that the Turla infection had taken place earlier.

Apart from the spies themselves, no security specialist knows when and how the "infection" first took hold. Investigating this major espionage attack is complex. The only thing that can be estimated is the volume of data that was lost: according to Melani, exactly 23 gigabytes were stolen. The commissioned IT experts cannot draw any further conclusions from this.

"The amount of data transferred does not indicate its confidentiality or the value of the stolen data," Pascal Lamia, head of the Federal Reporting and Analysis Centre, was quoted as saying by insideit.ch. Experts criticize the links between Ruag's IT and that of the federal administration, and some insiders believe that security measures, such as appropriate virus blockers, should have been installed much earlier.

However, Pascal Lamia, the federal government's IT security officer, defends Ruag, saying that internal security officers could not have noticed before 2016 what had probably infected their computers. The Melani report makes this clear: it was not until the beginning of February 2016, several months later, that the cyber attack was discovered and specific monitoring software installed.

The report also contains a graph of the amount of data pulled out per day. It shows little activity between September 2014 and mid-2015. Most of the data was transferred to the attackers' command-and-control (C&C) servers between September 2015 and January 2016. After that the activity stops abruptly, i.e. exactly at the time when the attack was discovered and monitoring software was installed.
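
As an added illustration (not code from the Melani report or this article), the following builds a per-day upload curve of the kind the report plots from proxy logs and flags days on which the volume sent to one destination stands out. The log format, the hostnames and every sample line are constructed for this example.

```python
# Added example (not from the Melani report or this article): build the
# per-day upload curve that the report plots from proxy logs and flag days
# whose upload volume to one destination stands out. The log format below
# and every sample line are constructed for this example.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: "<ISO timestamp> <client> <method> <dest host> <bytes sent by client>"
SAMPLE_LOG = """\
2015-06-02T09:12:01 10.1.4.22 POST update.example-cdn.test 1800
2015-06-02T10:40:19 10.1.4.22 GET intranet.example.test 320
2015-06-03T09:15:44 10.1.4.22 POST update.example-cdn.test 2100
2015-06-04T09:11:08 10.1.4.22 POST update.example-cdn.test 1950
2015-10-14T02:03:55 10.1.4.22 POST update.example-cdn.test 734003200
2015-10-15T02:07:12 10.1.4.22 POST update.example-cdn.test 512000000
2015-10-15T11:30:00 10.1.4.22 GET intranet.example.test 410
"""

def daily_upload_bytes(log_text):
    """Return {dest_host: {date: bytes_uploaded}}, one bucket per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client, _method, host, sent = line.split()
        day = datetime.fromisoformat(ts).date()
        totals[host][day] += int(sent)
    return totals

def exfil_candidates(totals, ratio=20.0, min_bytes=50_000_000):
    """Flag (host, day, bytes) where a day's upload volume exceeds an absolute
    floor and `ratio` times that host's median daily upload. The median is a
    robust baseline only while most days are quiet; a months-long plateau like
    the Sept 2015 - Jan 2016 one would need a baseline taken from before it."""
    hits = []
    for host, per_day in totals.items():
        baseline = median(per_day.values())
        for day, sent in sorted(per_day.items()):
            if sent >= min_bytes and sent > ratio * baseline:
                hits.append((host, day.isoformat(), sent))
    return hits

if __name__ == "__main__":
    for host, day, sent in exfil_candidates(daily_upload_bytes(SAMPLE_LOG)):
        print(f"{day} {host}: {sent / 1e6:.1f} MB uploaded")
```

On real logs the same aggregation is what lets you draw the curve back to the first day the logs cover, which is why the report stresses that Ruag's proxy logs begin only in September 2014.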

Admin directory affected?
So, although nothing is known about the content or value of the tapped data, the Federal Department of Defence (DDPS) stated in a press release accompanying the technical report that "it is likely to include data from the admin directory" that "feeds the federal administration's outlook software."

This is a kind of telephone directory with surnames, first names, function and workplace, i.e. purely business data, the DDPS told sda. It does not contain an agenda, nor any personal data; for example, it is not possible to see where someone lives.

No federal security official was willing to elaborate on how it was concluded that the Ruag spies "might" have tapped into this relatively insensitive data.

Federal Council pushes investigation
According to insiders, the first Trojans of the Turla malware family have been known since 2007. The attacker group using this type of malware has infiltrated many government organisations as well as private companies over the last decade. Political espionage may be assumed here, because only private or public entities holding special information about research or armaments were infected.

At Ruag, there was most likely an attempt to spy on IP addresses. As the technical report goes on to say, the Active Directory then came into focus: gaining control of further devices allowed the attackers to steal authorisations or group memberships and so reach further data stores of interest. Based on a security report, a committee has proposed to the Federal Council the adoption of 14 short- and medium-term measures, intended to eliminate the risks of data theft relating to information or persons. For security reasons, details of the measures are not being communicated.

On the portal of the Reporting and Analysis Centre for Information Assurance MELANI there is a German summary as well as a detailed technical report (only in English). www.melani.admin.ch
