Russia-linked Turla threat actor spotted using Android malware for first time
Google and the European Union have issued separate warnings this week over Russian cyberattacks and misinformation campaigns.
According to Google, many Russian groups have been focusing on Ukraine since the start of the war, but the level of Russian activity outside of Ukraine is mostly the same as before the conflict started.
The internet giant has been monitoring Russian activity and it has disrupted some campaigns. The company recently noticed that the threat actor tracked as Turla, which has been linked to Russia’s FSB security service, has started distributing a piece of Android malware.
Google says this is the first time Turla has been spotted using Android malware. In April, researchers at Lab52 did report coming across a new Android malware that had used Turla-linked infrastructure, but they could not attribute it to the group.
The Android app distributed recently by Turla was hosted on a domain spoofing the Ukrainian Azov Regiment. The app claimed to allow users to launch denial-of-service (DoS) attacks against Russian websites, but in reality it only sent a single request to the targeted site.
The app, which only had a “minuscule” number of installs, is believed to have been inspired by an Android app created by pro-Ukraine developers that did launch DoS attacks against Russian websites.
Google has also seen at least two Russian state-sponsored threat groups — APT28 and Sandworm — exploiting the recently disclosed Windows vulnerability tracked as Follina. Profit-driven cybercriminals have also been exploiting Follina, as the number of attacks targeting Ukraine has increased.
The company has also observed misinformation campaigns conducted by the Belarus-linked Ghostwriter (UNC1151) group, as well as phishing attacks launched by the Coldriver (Callisto) group against government and defense officials, politicians, NGOs, think tanks, and journalists.
The European Union has warned member states about a significant increase in malicious cyber activities since Russia initiated its invasion of Ukraine. In a statement, the Council of the EU highlighted the January attacks on Ukrainian websites and systems, the attack against Viasat’s KA-SAT network, and the DDoS attacks launched by pro-Russian hackers against member states (Norway and Lithuania).
“Russia’s unprovoked and unjustified military aggression against Ukraine has been accompanied by a significant increase of malicious cyber activities, including by a striking and concerning number of hackers and hacker groups indiscriminately targeting essential entities globally,” the Council of the EU said. “This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation.”
Cybersecurity firm Palo Alto Networks has also analyzed some attacks believed to have been conducted by Russian threat actors. The company has observed a campaign by Cloaked Ursa (APT29, Nobelium and Cozy Bear) that appears to have targeted several Western diplomatic missions between May and June 2022, including foreign embassies in Portugal and Brazil.
In this campaign, the attackers leveraged popular online storage services such as Google Drive and Dropbox to avoid detection.