Cyberespionage arsenal could be tied to French intelligence agencies

Five additional Trojan programs are related to the Babar malware that Canada's government believes is the work of French intelligence

A collection of computer Trojans that have been used since 2009 to steal data from government agencies, military contractors, media organizations and other companies is tied to cyberespionage malware possibly created by French intelligence agencies.

Researchers from several antivirus companies have found links between the malware programs, which they call Babar, Bunny, Casper, Dino, NBot and Tafacalou. Some share the same command-and-control servers and some use the same implementations for Windows process listing, process blacklisting or export hashing.

In January, German news magazine Der Spiegel published several secret documents about the malware activities of the U.S. National Security Agency and its closest partners, the intelligence agencies of the U.K., Canada, Australia and New Zealand -- collectively known as the Five Eyes intelligence alliance.

One of those documents, which was part of the files leaked to journalists by former NSA contractor Edward Snowden, was a presentation from the Communications Security Establishment Canada (CSEC) dated 2011 that described a foreign cyberespionage operation dubbed SNOWGLOBE.

CSEC, a Canadian government intelligence agency, named the Trojan program used in the operation SNOWBALL, but noted that its internal name was Babar, the name of a popular French children's book series and television show. It also noted other French connections, including the user name of the malware's developer, "titi," which is the French diminutive for Thiery; the use of kilooctet (ko) instead of kilobyte (KB), which is typical of the French technical community; and the language option of the development computer being "fr_FR."

According to CSEC, Babar's victims also matched French intelligence priorities: Iranian science and technology research organizations, European financial associations, French-speaking media organizations and organizations in former French colonies like Algeria and the Ivory Coast.

"CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO [computer network operation] effort, put forth by a French intelligence agency," CSEC concluded in the presentation that was shared with the Five Eyes partners.

In February, researchers from security firm Cyphort identified and analyzed an information-stealing Trojan whose internal project name was Babar64. The malware program was capable of logging keystrokes, taking screenshots, capturing audio streams from Voice-over-IP applications, stealing clipboard data, and more.

The Cyphort researchers found similarities to an older malware program they had dubbed EvilBunny.

"We assume the same author is behind both families," they said in a blog post.

On Thursday, security researchers from antivirus firm ESET published a report about yet another Trojan program related to Babar and EvilBunny that they dubbed Casper. The program was distributed in April 2014 from a website operated by the Syrian Ministry of Justice using two Flash Player zero-day exploits -- exploits for previously unknown vulnerabilities.

"We are confident that the same group developed Bunny, Babar and Casper," the ESET researchers said in a blog post. Casper did not contain any clues that would point to a French origin, but the use of zero-day exploits indicates that it was created by a powerful organization, they said.

Finally, on Friday, researchers from Kaspersky Lab completed the picture with three more malware programs called Dino, NBot and Tafacalou that they believe were created by the same group as Bunny, Babar and Casper. The Kaspersky researchers have dubbed the group Animal Farm and believe it has been active since at least 2009.

Over the years the group targeted government organizations, military contractors, humanitarian aid organizations, private companies, activists, journalists and media organizations, the Kaspersky researchers said in a blog post.

Tafacalou is a first-stage Trojan that the attackers use to check if the infected computers belong to their intended targets before deploying the more potent Dino or Babar cyberespionage implants.

Kaspersky has seen Tafacalou infections in Syria, Iran, Malaysia, USA, China, Turkey, Netherlands, Germany, Great Britain, Russia, Sweden, Austria, Algeria, Israel, Iraq, Morocco, New Zealand and Ukraine.

While the researchers stop short of associating Animal Farm with any specific country or intelligence agency, they point out that Tafacalou might be a French variation for the phrase "so it's getting hot" in Occitan, a language spoken in Southern France, Monaco and some areas of Italy and Spain.

