Russian cyber espionage The group known as Turla gained notoriety in 2008 as the hackers behind agent.btz, a malware that spread through US Department of Defense systems, gaining widespread access through the insertion of infected USB drives by unsuspecting Pentagon operatives .Now, 15 years later, the same group appears to be trying a new take on the trick: hijacking USB infections other Hackers exploit their infections and secretly select their targets for espionage.
Today, cybersecurity firm Mandiant revealed that it had uncovered an incident in which Turla hackers – widely believed to be in the service of Russia’s FSB intelligence agency – had allegedly gained access to victim networks by registering expired domain names of nearly a decade-old cybercriminals Malware that spreads through infected USB drives. As a result, Turla was able to take over the malware’s command-and-control servers, go the way of hermit crabs, and sift through its victims for targets worthy of espionage.
This hijacking technique appears designed to keep Turla undetected, hiding in the tracks of other hackers while combing through large swaths of the web. Mandiant’s head of intelligence analysis, John Hultquist, said it showed how the Russian group’s methods had evolved and become more sophisticated over the past fifteen years. “Because malware is already proliferating via USB, Turla can exploit it without exposing themselves. Instead of using their own USB tools like agent.btz, they can use someone else’s tool,” Hultquist said. “They borrowed someone else’s operation. It’s a very smart way of doing business.”
Mandiant first discovered Turla’s new technology last September, when the company’s incident response personnel discovered a strange cyber breach in Ukraine, the country that became the main source of all Kremlin intelligence services after Russia’s disastrous incursion last February. focus. After someone inserted a USB drive into one of the ports and double-clicked a malicious file masquerading as a folder on the drive, multiple computers on the network were infected with a malware called Andromeda.
Andromeda is a relatively common banking Trojan that cybercriminals have been using since 2013 to steal victims’ credentials. But on one of the infected machines, Mandiant’s analysts found Andromeda samples quietly downloading two other, more interesting pieces of malware. The first is a reconnaissance tool called Kopiluwak, which Turla has used in the past; the second malware is a backdoor called Quietcanary, which compresses and steals carefully selected data from targeted computers, and Turla has used it in the past to used it. “This was a red flag for us,” said Gabby Roncone, threat intelligence analyst at Mandiant.
When Mandiant looked at the command-and-control servers of the Andromeda malware that started the infection chain, its analysts discovered that the domain used to control the Andromeda samples (whose name is a crude mockery of the antivirus industry) had actually expired and had been re-registered in early 2022 . Looking at other Andromeda samples and their command and control domains, Mandiant found at least two more expired domains that had been re-registered. Collectively, these domains are associated with hundreds of Andromeda infections, and Turla can sort through all of them to find those worthy of their monitoring.
