Kaspersky Lab’s Experts Publish Analysis Report of ‘TeamSpy,’ An Active Cyber-Surveillance and Data-Theft Operation
21 Mar 2013
Malicious Program Infects High-Profile Political Targets, Activists and Organizations to Steal Sensitive Data and Perform Geopolitical Reconnaissance
Today Kaspersky Lab’s Global Research & Analysis Team published a research report about TeamSpy, an active cyber-surveillance malware campaign targeting high-level political and human rights activists located in Eastern Europe and in countries belonging to the Commonwealth of Independent States (CIS). Additional victims include intelligence agencies and energy and heavy-industry manufacturers.
The TeamSpy campaign was first announced earlier today by the Laboratory of Cryptography and System Security (CrySyS Lab) and the Hungarian Government. CrySyS Lab issued a research post with its own analysis of the campaign.
According to Kaspersky Lab’s report, the TeamSpy malware is designed to perform a sustained level of cyber-surveillance on its victims while stealing sensitive data and information for geopolitical reconnaissance.
Kaspersky Lab’s Summary Research Findings
- TeamSpy is currently an active operation and poses a significant threat to information agencies across the world, notably in former Soviet Republics and countries in Eastern Europe.
- Kaspersky Lab’s experts first identified traces of the TeamSpy operation in April 2012, after a number of high-profile Belarusian political and social activists publicly announced that their systems were infected with the cyber-espionage malware. However, further analysis of TeamSpy’s Command and Control (C2) infrastructure revealed that one of the domain names was registered in 2004, which indicates the TeamSpy operation could have been active for nearly a decade.
- The TeamSpy attackers remotely control the malware running on victim computers by using the TeamViewer (teamviewer.exe) application, which is signed with legitimate digital certificates. Through TeamViewer, the attackers are able to perform a number of data-theft operations on infected machines. The type of sensitive data or information being exfiltrated from TeamSpy’s victims includes:
  - Confidential or important office documents and PDF files
  - Private cryptographic keys and passwords used to access sensitive information
  - The Apple iOS device history data from iTunes
  - Detailed system configurations, including OS and BIOS information
  - Captured keylogger strokes, screenshots and disc images
To read Kaspersky Lab’s research post and FAQ about TeamSpy, please visit Securelist.
Kaspersky Lab’s full research report of the TeamSpy malware, which contains more technical details of the analysis, can be found here.