Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Turla Cyber-Spies Target European Government With Multiple Backdoors

The Russia-linked cyber-espionage group known as Turla was recently observed targeting a European government organization with a combination of backdoors, security researchers at Accenture reveal.

The Russia-linked cyber-espionage group known as Turla was recently observed targeting a European government organization with a combination of backdoors, security researchers at Accenture reveal.

Also known as Snake, Waterbug, Venomous Bear, Belugasturgeon, and KRYPTON, Turla is believed to have been active since at least 2006. Earlier this year, the threat actor updated ComRAT, one of its oldest malware families, to ensure it remains efficient.

In a report published this week, Accenture notes that the hackers continue to update legacy tools and to employ custom malware in attacks targeting government organizations.

In fact, in a recent attack on such an organization in Europe, Turla was observed employing a combination of remote procedure call (RPC)-based backdoors, including the HyperStack backdoor, and Kazuar and Carbon remote administration Trojans (RATs).

“The RATs transmit the command execution results and exfiltrate data from the victim’s network while the RPC-based backdoors use the RPC protocol to perform lateral movement and issue and receive commands on other machines in the local network. These tools often include several layers of obfuscation and defense evasion techniques,” Accenture explains.

Given the success registered using this combination of tools, Turla is expected to continue employing the ecosystems for the targeting of Windows-based networks. The threat actor was also observed employing various command and control (C&C) implementations for each compromise, to ensure it can regain access if discovered.

The HyperStack backdoor, which was initially identified in 2018, features updated functionality, and employs named pipes for RPC execution. For lateral movement, it attempts to connect to a remote device’s IPC$ share to forward RPC commands.

As part of the campaign, however, Turla was also observed using a variant of HyperStack containing simpler functionality, enabling operators to run commands via a named pipe without IPC$ enumeration.

Advertisement. Scroll to continue reading.

The malware employed in this campaign revealed the use of traditional C&C implementations, such as compromised web servers and legitimate web services, including Pastebin. One Kazuar variant could receive commands sent via internal nodes in compromised network, while others employed external nodes.

“Turla will likely continue to use its legacy tools, albeit with upgrades, to compromise and maintain long term access to its victims because these tools have proven successful against windows-based networks. Government entities, in particular, should check network logs for indicators of compromise and build detections aimed at thwarting this threat actor,” Accenture concludes.

Related: Turla’s Updated ComRAT Malware Uses Gmail for C&C Communication

Related: Mysterious ‘AcidBox’ Malware Used Turla Exploit to Target Russian Organizations

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.