Security researchers at Kaspersky Lab said they have uncovered a cyber espionage operation that successfully penetrated two spy agencies and hundreds of government and military targets in Europe and the Middle East since the beginning of this year.
The hackers, according to Kaspersky, were likely backed by a state and used techniques and tools similar to ones employed in two other high-profile cyber espionage operations that Western intelligence sources have linked to the Russian government.
Kaspersky, a Moscow-based security software maker, declined to say if it believed Russia was behind the espionage.
Dubbed "Epic Turla", the operation stole vast quantities of data, including word processing documents, spreadsheets and emails, Kaspersky said, adding that the malware searched for documents with terms such as "Nato", "EU energy dialogue" and "Budapest".
"We saw them stealing pretty much every document they could get their hands," Costin Raiu, head of Kaspersky Lab's threat research team, said ahead of the release of a report on "Epic Turla" yesterday.
Kaspersky said the ongoing operation was the first cyber espionage campaign uncovered to date that managed to penetrate intelligence agencies. It declined to name those agencies, but said one was in the Middle East and the other in the European Union.
Other victims include government ministries, trade offices, military contractors and pharmaceutical companies, according to Kaspersky. It said the largest number of victims were located in France, the United States, Russia, Belarus, Germany, Romania and Poland.
Kaspersky said the hackers used a set of software tools known as "Carbon" or "Cobra", which have been deployed in at least two high-profile attacks. The first was an attack against the US military's Central Command that was discovered in 2008. The second attack was against Ukraine and other nations, uncovered earlier this year, using malicious software dubbed "Snake" or "Uroburos".
Western intelligence sources said in March that they believed the Russian government was behind those two attacks.
In a separate breach, a major government contractor that oversees hundreds of thousands of security clearance background checks for civilian and military workers reported that it had been targeted in a cyberattack. Two US government agencies have decided to limit operations with the contractor.
The contractor, USIS, said the cyberattack had "the markings of a state-sponsored attack". An official with the Department of Homeland Security said the intrusion may have compromised some of its employees' data.
USIS has been under criticism in Congress for its performance in conducting background checks on National Security Agency leaker Edward Snowden.
Additional reporting by Associated Press