Translated Article: Coup de Grâce Beat Attackers in the Austrian Federal Ministry for European and International Affairs
Original: “Cyberhusarenstück schlug Angreifer im Außenministerium”, written for FM4 by Erich Moechel
[We translated this article because DeepSec actively supports young talent and students. We are looking for organisations and companies that would like to help us in this support. Furthermore, we would like to make Erich’s well-researched and well-written articles available to a wider audience.]
It was young technicians who fended off the dreaded cyber troop Turla. After a short time they cracked the tricky encryption of the Turla Trojan.
The National Security Council, which the NEOS party convened to discuss the cyberattack on the Federal Ministry for European and International Affairs, meets on Friday. NEOS criticise the cumbersome structures in cyber defence and, above all, that they are not yet in working order. The quick defence against the notorious cyber troop (APT) Turla is, however, hardly due to solid defence structures in Austria.
In this first cyber attack on Austria, the defence relied on improvisation and technical skill. A diverse team of technicians from three ministries had this top-class APT under control after only 10 days. This emerges from new information available to ORF.at. The deciding factor was the coup de grâce by young technicians of the Federal Ministry of the Interior, who are more hackers than police officers.
Attackers’ Encryption hacked
A very young “Blue Team” from the battered BVT (Office for the Protection of the Constitution and Counter-Terrorism), of all places, managed to break the encryption of the data traffic between the Turla Trojan on the Federal Ministry for European and International Affairs’ network and its command-and-control servers on the Internet just two days after the intrusion was discovered. This is an astonishing achievement, because the Turla group is known for constantly changing the algorithms it uses for encryption, and for doing so in an extremely tricky way.
The first challenge was to recognise which encryption method was being used. Once that was done, the defenders could read the data traffic between the components of the malware and identify every new module the malware was fetching. Within a few days the match had turned, because from then on the attackers were on the defensive. The Turla team did try to load another rootkit, but was unable to activate it.
What the Federal Ministry of the Interior does (not) say
Such top-class attacks are only partially automated, so “Red Team” and “Blue Team” actually faced each other directly in the Federal Ministry for European and International Affairs’ network. All of this took place around the turn of the year or in the first week of the new year. Subsequently, the Federal Ministry of the Interior was asked for more information about this technical team of the BVT. “We ask for your understanding that, for operational reasons, no further details about the personnel and investigations will be disclosed,” was the answer, as expected, because the news embargo on technical information is still in effect.
However, the reply also added: “With regard to your request, we may inform you that the staff employed in the BVT’s cyber security area are generally not recruited from within the police force, but from universities or universities of applied sciences as well as at competitions like this ‘Cyber Security Challenge’.” According to information available to ORF.at, the majority of these BVT technicians had even completed the Cyber Security Challenge of the Bundesheer, BKA and Cybersecurity Austria, and among the army technicians who joined them were graduates of this competition as well.
Where did the Defenders come from?
This international talent competition, which Austrian teams have won several times, has been around for ten years. Each year’s participants are around twenty years old, mostly from HTLs (Höhere Technische Lehranstalten, technical secondary schools) and comparable schools, or at the beginning of a technical degree. This means that the BVT security technicians and all other graduates were mostly under thirty. The matches of this challenge are all of the “Capture the Flag” type, or “Blue Team” (defenders) versus “Red Team” (attackers), a format particularly popular with hackers. At the Ministry of Foreign Affairs more or less the same match had been going on, but for real.
The Federal Ministry for European and International Affairs’ network was scanned thoroughly in the five weeks after the Turla group was temporarily neutralised. Artifacts and other traces of Turla were apparently found only on the mail servers, because the attackers had not yet tried to penetrate the internal network of the Ministry of Foreign Affairs. To ensure that no other compromised email accounts had been overlooked, the decision was made to reset all passwords in the entire mail system of the Federal Ministry for European and International Affairs. In addition to all embassies, this network also connects all other diplomatic institutions of the Republic.
One of the most dangerous cyber troops worldwide was neutralised in record time, much faster than in Germany in 2017. The Austrian cyber strategy has worked perfectly.
That would be a fine story, if only it were true.
In fact, the Republic was extremely lucky. As shown in the first two parts of this series, several very favourable circumstances came together, starting with the rapid discovery. As a result, the Turla group was unable to bring its dreaded penetrating power to bear. And the attackers happened to be the gentlemen from Turla, who battled the defenders with updates for weeks but are known for never deliberately destroying anything.
The attack tied up a large part of all the state cyber defences available and hit one large network, but only one. If the clients behind the attack had actually wanted to intimidate the Republic for some reason, they would not have sent Turla. In 2015, APT28 alias Fancy Bear had contaminated the IT of the German Bundestag to such an extent that in the end 20,000 PCs had to be replaced.
While the attack on the Ministry of Foreign Affairs was ongoing, ELAK, the nationwide electronic records system, and more than 300 other large networks in Austria were exposed for weeks due to a critical security vulnerability. A single, nicely packaged encryption Trojan (ransomware) would have been enough to paralyse the offices and authorities connected to ELAK in one fell swoop. Had attackers wanted it, half the Republic’s IT would have been on fire.