Some of the more recent TeamViewer-based campaigns also targeted users from many other countries in Europe, the Middle East, Africa, North America and Asia. The campaigns were marked with unique ID numbers on the C2 servers and there are clear indications that different campaigns targeted different regions, the CrySyS researchers said.
There is strong evidence inside the malware components and the C2 infrastructure that the attackers are Russian-language speakers, security researchers from Kaspersky Lab, said in their own report on TeamSpy.
Some aspects of the operation, like the file search keywords and the use of Russian terms, are reminiscent of a different cyberespionage campaign called Red October, the Kaspersky researchers said. However there are no direct links between the two operations at the moment, they said.
"If we are to compare it to Red October, the TeamSpy Crew and the tools they use are far less sophisticated and professional," the Kaspersky researchers said. "Unlike Red October, where many IPs could be traced to governments and governmental institutions based on WHOIS data, in this case, the vast majority of IPs belong to ISPs which do not advertise such information. In case of TeamSpy crew, except for a very few cases, the identity of the victims remains a mystery."
Sign up for CIO Asia eNewsletters.