Gazer/WhiteBear Advanced Persistent Threat Activity
On Wednesday, the Slovakian cybersecurity firm ESET published a report outlining analysis of recent Advanced Persistent Threat (APT) espionage activity attributed to a Russian hacking group known as Turla. ESET observed a new backdoor deployed since at least 2016, which they are naming "Gazer." The Russian cybersecurity firm Kaspersky, which is under increased scrutiny for suspected but unconfirmed links to Russian Intelligence Services, also reported on the same malware on Wednesday, naming the activity "WhiteBear." ESET's findings suggest organizations in Southeastern and Eastern Europe have been the primary targets of this activity, which was discovered on the networks of Ministries of Foreign Affairs (MFAs) and embassies. The tactics observed included spear-phishing emails that initially compromised systems with a first-stage backdoor, commonly known as Skipper, followed by the stealthier, more sophisticated second-stage backdoor, Gazer. ESET notes that Gazer shares many similarities with other backdoors known to be used by Turla, including Carbon and Kazuar. According to ESET, the developers of Gazer make heavy use of custom encryption and other tactics to obfuscate their activity and complicate forensic analysis. The group is also utilizing a variety of compromised, legitimate websites as command and control (C2) servers, most of which are WordPress CMS-based websites. The NJCCIC recommends administrators and security operations personnel review the ESET "Gazing at Gazer" report and utilize the provided YARA rules and other indicators of compromise (IOCs) to determine whether their networks have encountered this activity.
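The brief's closing recommendation, checking your own network against the published IOCs, is the step most readers will actually carry out. The script below is an added example (not from the NJCCIC brief or ESET's report) of matching a C2 indicator list against web proxy logs. The domains, IP address and log lines are constructed placeholders; the real indicators come from the ESET report. It shows two details that a naive substring search gets wrong: a subdomain of a listed C2 host should match, while an unrelated host that merely ends in the same characters should not.

```python
"""IOC matching against proxy logs: added example, not ESET's or NJCCIC's code.

Assumed log format (constructed for this example):
    <timestamp> <client-ip> <method> <url-or-host:port> <status>
"""
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators. Replace with the domains/IPs from the
# ESET report; ".example" and TEST-NET-3 addresses are reserved, never real C2.
C2_DOMAINS = {
    "compromised-blog.example",   # stands in for a compromised WordPress site
    "legit-shop.example",
}
C2_IPS = {"203.0.113.45"}

# Constructed sample log. Line 5 is a deliberate near-miss: a different host
# whose name merely ends with the same characters as a listed domain.
SAMPLE_PROXY_LOG = """\
2017-08-31T09:12:01Z 10.0.0.12 GET http://compromised-blog.example/wp-content/uploads/x.php 200
2017-08-31T09:12:05Z 10.0.0.12 GET https://www.legit-shop.example/wp-includes/js/jquery.js 200
2017-08-31T09:13:44Z 10.0.0.33 GET https://intranet.corp.example/ 200
2017-08-31T09:15:02Z 10.0.0.41 CONNECT 203.0.113.45:443 - 200
2017-08-31T09:16:10Z 10.0.0.12 GET http://notcompromised-blog.example/ 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<target>\S+) ")


def host_of(target):
    """Extract the lowercased host from a URL or a host:port CONNECT target.

    Assumes IPv4 or hostnames; bracketed IPv6 targets are not handled here.
    """
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = target.rsplit(":", 1)[0] if ":" in target else target
    return host.lower().rstrip(".")


def matches_ioc(host):
    """Return the matching indicator, or None.

    Exact IP match, exact domain match, or a subdomain of a listed domain.
    The leading "." in the suffix test is what rejects the near-miss host.
    """
    if host in C2_IPS:
        return host
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(text):
    """Return (timestamp, client, host, indicator) for every line that hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = host_of(m["target"])
        ioc = matches_ioc(host)
        if ioc:
            hits.append((m["ts"], m["src"], host, ioc))
    return hits


def clients_to_triage(hits):
    """Distinct internal clients that contacted an indicator, for follow-up."""
    return sorted({src for _, src, _, _ in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG)
    for ts, src, host, ioc in found:
        print(f"{ts} {src} -> {host} (matches {ioc})")
    print("clients to triage:", clients_to_triage(found))
```

A hit on a compromised legitimate site is not proof of infection on its own, since ordinary users may browse the same WordPress site; it is a lead for the host-level checks the report's YARA rules support. Feed real proxy exports through `scan_log` after adjusting `LOG_RE` to the local log format.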