Security Experts:

Connect with us

Hi, what are you looking for?



Turla Cyber-Spies Target European Government With Multiple Backdoors

The Russia-linked cyber-espionage group known as Turla was recently observed targeting a European government organization with a combination of backdoors, security researchers at Accenture reveal.

The Russia-linked cyber-espionage group known as Turla was recently observed targeting a European government organization with a combination of backdoors, security researchers at Accenture reveal.

Also known as Snake, Waterbug, Venomous Bear, Belugasturgeon, and KRYPTON, Turla is believed to have been active since at least 2006. Earlier this year, the threat actor updated ComRAT, one of its oldest malware families, to ensure it remains efficient.

In a report published this week, Accenture notes that the hackers continue to update legacy tools and to employ custom malware in attacks targeting government organizations.

In fact, in a recent attack on such an organization in Europe, Turla was observed employing a combination of remote procedure call (RPC)-based backdoors, including the HyperStack backdoor, and Kazuar and Carbon remote administration Trojans (RATs).

“The RATs transmit the command execution results and exfiltrate data from the victim’s network while the RPC-based backdoors use the RPC protocol to perform lateral movement and issue and receive commands on other machines in the local network. These tools often include several layers of obfuscation and defense evasion techniques,” Accenture explains.

Given the success registered using this combination of tools, Turla is expected to continue employing the ecosystems for the targeting of Windows-based networks. The threat actor was also observed employing various command and control (C&C) implementations for each compromise, to ensure it can regain access if discovered.

The HyperStack backdoor, which was initially identified in 2018, features updated functionality, and employs named pipes for RPC execution. For lateral movement, it attempts to connect to a remote device’s IPC$ share to forward RPC commands.

As part of the campaign, however, Turla was also observed using a variant of HyperStack containing simpler functionality, enabling operators to run commands via a named pipe without IPC$ enumeration.

The malware employed in this campaign revealed the use of traditional C&C implementations, such as compromised web servers and legitimate web services, including Pastebin. One Kazuar variant could receive commands sent via internal nodes in compromised network, while others employed external nodes.

“Turla will likely continue to use its legacy tools, albeit with upgrades, to compromise and maintain long term access to its victims because these tools have proven successful against windows-based networks. Government entities, in particular, should check network logs for indicators of compromise and build detections aimed at thwarting this threat actor,” Accenture concludes.

Related: Turla’s Updated ComRAT Malware Uses Gmail for C&C Communication

Related: Mysterious ‘AcidBox’ Malware Used Turla Exploit to Target Russian Organizations

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.