The Russian cyberespionage group known as Turla became notorious in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the same group appears to be attempting a new twist on that trick: hijacking the USB infections of other hackers to piggyback on their infections and stealthily choose their spying targets.
Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla's hackers, widely believed to work in the service of Russia's FSB intelligence agency, gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find ones worthy of espionage targeting.
That hijacking approach appears designed to let Turla stay undetected, hiding inside other hackers' footprints while combing through a vast collection of networks. And it shows how the Russian group's methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. "Because the malware already proliferated via USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else's," Hultquist says. "They're piggybacking on other people's operations. It's a really clever way of doing business."
Mandiant's discovery of Turla's new technique first came to light in September of last year, when the company's incident responders found a curious breach of a network in Ukraine, a country that has become a primary focus of all Kremlin intelligence services since Russia's catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, installing a piece of malware called Andromeda.
Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims' credentials since as early as 2013. But on one of the infected machines, Mandiant's analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has previously been used by Turla; the second, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. "That was a red flag for us," says Mandiant threat intelligence analyst Gabby Roncone.
When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample (whose name was a vulgar taunt of the antivirus industry) had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.
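The detection angle that follows from this is that a commodity C2 domain whose current WHOIS creation date is newer than the date the domain was first reported as C2 has lapsed and been picked up by someone else, and any host still beaconing to it may be receiving a different operator's follow-on payloads. The script below is an added illustration of that hunting heuristic; it is not Mandiant's tooling, and the domain names, WHOIS dates and resolver log lines are constructed placeholders rather than real indicators from the report.

```python
"""Hunt for hijacked commodity-malware C2 domains (added example, constructed data).

Inputs:
  * threat-intel records: domain, malware family, date first reported as C2
  * a current WHOIS snapshot: domain, creation date, expiry date
Logic:
  * creation date newer than the first C2 sighting -> registration lapsed and
    the domain was re-registered by a new owner ("reregistered")
  * expiry date already in the past                -> "lapsed", could be picked up
  * absent from WHOIS                              -> "unregistered"
  * otherwise                                      -> still the original registration
Hosts that resolve a re-registered domain are listed for follow-on-malware triage.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IntelRecord:
    domain: str
    family: str
    first_seen_as_c2: date


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    creation_date: date
    expiry_date: date


# Constructed sample intel; the .example names are placeholders, not real IoCs.
INTEL = [
    IntelRecord("c2-placeholder-one.example", "Andromeda", date(2013, 6, 2)),
    IntelRecord("c2-placeholder-two.example", "Andromeda", date(2014, 1, 15)),
    IntelRecord("c2-placeholder-three.example", "Andromeda", date(2014, 3, 9)),
    IntelRecord("c2-placeholder-four.example", "Andromeda", date(2015, 8, 21)),
]

# Constructed WHOIS snapshot as it might look on 2023-01-06.
WHOIS = {
    # registration created long after the campaign began: lapsed and re-registered
    "c2-placeholder-one.example": WhoisRecord("c2-placeholder-one.example", date(2022, 1, 10), date(2025, 1, 10)),
    # continuously registered since before the campaign
    "c2-placeholder-two.example": WhoisRecord("c2-placeholder-two.example", date(2013, 11, 3), date(2024, 11, 3)),
    # expired years ago and nobody has re-registered it yet
    "c2-placeholder-three.example": WhoisRecord("c2-placeholder-three.example", date(2014, 2, 1), date(2016, 2, 1)),
    # c2-placeholder-four.example is deliberately missing: no registration at all
}


def classify_domains(intel, whois, today):
    """Return {domain: status} with status in {reregistered, lapsed, unregistered, original}."""
    status = {}
    for rec in intel:
        w = whois.get(rec.domain)
        if w is None:
            status[rec.domain] = "unregistered"
        elif w.creation_date > rec.first_seen_as_c2:
            status[rec.domain] = "reregistered"
        elif w.expiry_date < today:
            status[rec.domain] = "lapsed"
        else:
            status[rec.domain] = "original"
    return status


# Constructed resolver log, one query per line: "<timestamp> <client-ip> <qname> <qtype>"
DNS_LOG = """\
2023-01-05T10:02:11Z 10.1.4.23 c2-placeholder-one.example A
2023-01-05T10:02:40Z 10.1.4.23 updates.vendor.example A
2023-01-05T10:05:02Z 10.1.7.8 c2-placeholder-two.example A
2023-01-05T10:09:57Z 10.1.9.40 c2-placeholder-one.example A
2023-01-05T10:11:13Z 10.1.9.40 c2-placeholder-three.example A
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def hosts_to_triage(dns_log, status):
    """Map each client that resolved a re-registered C2 domain to the domains it queried."""
    hijacked = {d for d, s in status.items() if s == "reregistered"}
    out = {}
    for line in dns_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        _ts, client, qname, _qtype = m.groups()
        if qname in hijacked:
            out.setdefault(client, set()).add(qname)
    return out


if __name__ == "__main__":
    statuses = classify_domains(INTEL, WHOIS, date(2023, 1, 6))
    for domain, s in statuses.items():
        print(f"{s:13} {domain}")
    for host, domains in hosts_to_triage(DNS_LOG, statuses).items():
        print(f"triage {host}: {sorted(domains)}")
```

In practice the WHOIS snapshot would come from a registration-data feed and the first-seen dates from the intel source that originally documented the family; the point of keeping the "lapsed" and "unregistered" buckets separate is that those domains are not yet hijacked but are exactly the ones a defender may want to sinkhole before anyone else registers them.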