Security Experts:

Connect with us

Hi, what are you looking for?



Russian State-Sponsored Operations Begin to Overlap: Kaspersky

Kaspersky Lab security researchers have uncovered new evidence that shows overlaps between the activity of infamous Russian cyber-espionage groups Turla and Sofacy. 

Kaspersky Lab security researchers have uncovered new evidence that shows overlaps between the activity of infamous Russian cyber-espionage groups Turla and Sofacy. 

Earlier this year, Kurt Baumgartner, principal security researcher, Kaspersky Lab, revealed that activity associated with the Sofacy group, which is also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, appeared to overlap with that of other state-sponsored operations. 

The researcher said at the time that Sofacy’s Zebrocy malware had been discovered on machines also infected with Mosquito, a backdoor previously associated with Turla. The shared victims included organizations in Europe and Asia.

Amid an evolution in the tactics, techniques and procedures (TTPs) employed by the Turla group, also tracked as Snake, Venomous Bear, Waterbug, and Uroboros, Kaspersky Lab has observed further connections with Sofacy, as well as more evidence linking Turla to WhiteBear.

Specifically, the security researchers discovered that Turla’s KopiLuwak malware is employing a delivery mechanism that uses code nearly identical to that previously seen in the Zebrocy operation. 

As part of the attack, Turla employed a new spear-phishing delivery vector, relying on Windows shortcut (.LNK) files for malware delivery. The LNK file, Kaspersky discovered, contained PowerShell code almost identical to that used in Zebrocy activity a month earlier.  

The investigation also uncovered target overlaps between the two threat actors, focused on sensitive political targets, including government research and security entities, diplomatic missions and military affairs, mainly in central Asia. 

The KopiLuwak malware isn’t new, being first associated with the Turla hackers nearly two years ago. In mid-2018, however, the threat actor started using an evolved variant of the malware, targeting entities in Syria and Afghanistan. 

KopiLuwak emerged in 2016 as an evolution from IcedCoffee, Turla’s first foray into full-fledged JavaScript backdoors. Focusing on European governments but more selectively deployed, KopiLuwak performs comprehensive system and network reconnaissance, can run arbitrary system commands and uninstalls itself and leaves little evidence for investigators to work with.

In a newly published report, Kaspersky details the discovery and also provides information on the evolution of the KopiLuwak JavaScript backdoor, along with details on the changes observed in the group’s Carbon framework and in the Meterpreter and Mosquito malware delivery techniques.

Turla is expected to continue to update and use the Carbon framework code into 2019 within Central Asia and related remote locations. The group is also expected to use open-source based or inspired fileless components and memory loaders from the Mosquito malware, Kaspersky says. 

“It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group,” Kaspersky notes. 

Related: Russian Cyberspies Use UEFI Rootkit in Attacks

Related: Turla Backdoor Controlled via Email Attachments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...