Some Malware Victims in Turkey Have No Idea They’ve Been Targeted

Using malware to target individuals is getting increasingly popular not only in Turkey, but worldwide.

A resourceful group that used Turkish-made trojans, among other malware, appears to have targeted several victims in Turkey, according to computer forensics company Arsenal Consulting. Among those hit were likely several high-profile officials, given the cost of the operation: some of the malware was custom-made and the infrastructure was robust.

"Even against a single target, we found the attackers using multiple email addresses, multiple remote access trojans, multiple command and control servers, multiple cellular services," digital forensics expert Mark Spencer at Arsenal Consulting told me. "The infrastructure was obviously built and leveraged in a way to avoid single points of failure."


The attackers are the same ones who targeted Barış Pehlivan, an OdaTV investigative journalist who spent 19 months in jail accused of terrorism based on documents found on his computer. Several forensics reports later showed that the files had been planted. The journalist, who was targeted in 2011, is now out of jail, but his trial continues. The next hearing is scheduled for February 15, 2017.

Except for Pehlivan and his colleagues, other victims targeted in 2011 remain unknown. Their names are caught in bureaucracy. Digital forensics expert Mark Spencer at Arsenal Consulting said they probably won't find out they were hit.

To learn who the victims are, the researcher told me that he needs information from telcos, hosting companies and internet providers whose infrastructure had been used in the attack. However, they declined to help, saying this would violate the privacy of their customers.

Vodafone told me a court order would need to be issued in Turkey to release the data, but given the situation in Turkey, that might prove difficult, several sources told me. "No court [in Turkey] is going to issue an order that may lead to evidence that may be embarrassing [to] the government," Pınar Doğan, lecturer in public policy at Harvard Kennedy School, said.

Investigative journalist Barış Pehlivan suspects that among the individuals hit in the attack were politicians, military personnel, as well as other people working in media. NGOs could also be on the list.



It all started when Arsenal Consulting examined Pehlivan's computer pro bono at his attorney's request. Clues found during this investigation led the researchers to a vast attack infrastructure used to hit other victims as well. Apart from the OdaTV journalists, "there are more, probably many more victims of the operation," digital forensics expert Mark Spencer at Arsenal Consulting told me.

"We have confirmed that 406 emails were sent out by the attackers during this operation. There may be more, but we have confirmed 406. Only 18 emails were recovered from known victims," Spencer said.

Preliminary attack infrastructure. Image: Arsenal Consulting

The attackers were motivated, forensics expert Mark Spencer said. They used at least 12 command and control hostnames, three cellular services, physical attacks, and quite a few trojans.

Spencer said that by looking at what they did to Pehlivan, one can understand how they operate. When the journalist was targeted, the documents on which the terrorism accusation was based were placed on his computer on a Friday night by someone who went to the newsroom, removed the hard drive from the case, copied the documents, and reinstalled the hard drive. The next Monday morning, a raid by the Turkish National Police seized the journalist's PC.

Prior to infiltrating the OdaTV office, the attackers attempted to infect Pehlivan's computer using malicious email attachments and thumb drives in an attempt to control it remotely.


An email sent by the attackers to Barış Pehlivan. The attached PDF file deploys a Bandook remote access trojan, using the Adobe Reader vulnerability CVE-2010-2883. Image: Arsenal Consulting

The journalist's computer was full of RATs, or remote access trojans, malware designed to control a machine from a distance, usually to spy on the host and to steal sensitive information. It could also download files.

Among the RATs found were Turkojan, Bandook and the rare, beta-stage Ahtapot, a trojan named after the Turkish word for octopus. This is probably the only instance in which it has been seen in the wild.

Spencer analyzed the computer of yet another OdaTV journalist, Müyesser Yıldız, which attackers managed to control remotely. At this point, based on pieces of data put together, it became obvious that there were many more victims. Spencer figured out that the very same email addresses, RATs, servers and cellular services were used against other people as well.

RAT-related dynamic DNS lookups from Müyesser Yıldız's personal computer. Source: Arsenal Consulting

The digital forensics expert still doesn't know who all the victims are, nor how many there are. In order to find out, he said he needs information from hosting companies, telcos and internet providers whose services were used by the attackers. Most of them have declined to help Arsenal on privacy grounds.

"As I have previously explained to the forensic computer researchers at Arsenal, it is against the law (in every country, not just Turkey) to release or provide access to private data without lawful authority," Matt Peacock, group director of corporate affairs at Vodafone, told me by email.

"Jurisdiction is determined by where the data is held, so if the data in question is held in Turkey, it would need to be a Turkish court that issued any necessary order," Peacock added.


GoDaddy (who acquired HEG), Ultima Hosts, Turkcell, and Xicomm did not respond to my requests for comments.

Barış Pehlivan told me that he and his attorney had tried to get court orders. "We haven't gotten any results," he said. The court orders got tangled up in bureaucracy.

I've contacted the Turkish National Police, the Scientific and Technological Research Council of Turkey (Tübitak), and Havelsan, a company that has done cybersecurity work for the country. None of them responded to my repeated requests to comment on the matter of funding, building, or deploying malware. The line got put on hold and then disconnected every time I said I was a journalist. I only found out they like Mozart.

"There are extreme measures going on [in Turkey] after the coup attempt [that took place on July 15, 2016]. Nobody from these public institutions would like to talk about the case," Barış Pehlivan told me.

Arsenal's findings regarding the attack infrastructure. Source: Arsenal Consulting

Individuals, corporations and other entities who believe they have been the target of this attack may want to search their systems for the data Arsenal gathered, Spencer said. "To mount a comprehensive search for this information, technical skills will be required, but of course some search is better than none."

Turkish computers in general have had an alarming number of trojans, according to Microsoft's Security Intelligence reports from 2008 to 2015. The most recent data, from one year ago, shows that this type of malware was found on 20 percent of the machines, three times the global average.


Screenshot from Microsoft Security Intelligence report from 2015.

Turkey is below Pakistan on Reporters Without Borders' press freedom index, ranking 151 out of the 180 countries included, down 50 places since 2007, when the pursuit of journalists intensified. This year alone, the organization counted 41 media representatives put behind bars in direct relation to what they've published. Numbers from the Committee to Protect Journalists are even higher. A total of 81 Turkish journalists were jailed this year.

"Journalists are harassed, many have been accused of 'insulting the president,' and the internet is systematically censored," Reporters Without Borders wrote on its website. It also notes that the regional context "is exacerbating the pressure on the media, which are also accused of 'terrorism.'"

OdaTV editor Barış Pehlivan told me that journalists have been facing hard times for almost a decade. "The government [led until 2014 by Recep Tayyip Erdoğan, now president] and the Gülen Movement, wanted to send the opponents to jail. And digital conspiracy was the most helpful way to do this. Hundreds of people were sent to prison although they were not guilty. I was one of them," Barış Pehlivan told me.

Referring to his imprisonment and that of six of his colleagues at OdaTV, he said: "The members of the Gülen Movement within the state framed us."

Using malware to identify and monitor high-profile individuals is becoming increasingly popular not only in Turkey, but worldwide, Claudio Guarnieri, technologist at Amnesty International, told me. "There are cases documented from Latin America, through Africa, Middle East and Asia," he said.

Guarnieri lists two main reasons: "[malware] is relatively cheap to operate, and grants access to much more information than any other electronic or physical surveillance technique probably could."

The human rights advocate said that such a method of operation poses a threat to freedom and the freedom of speech, as it promotes self-censorship—individuals change their behaviors knowing they might be monitored.

"Besides the possibility of framing, and reputational damage, knowing you are being watched forces you to conform out of fear," Guarnieri said. "Hacking into someone's computer or phone is the most invasive level of control they can exercise on someone."