Turla - a Russian cyberespionage group that continues to evolve and expand its attacks

The Russia-linked hacker group Turla (also known as Snake, Venomous Bear, Waterbug and Uroboros), is a prolific cyberespionage group known for launching spy campaigns targeting Western governments, as well as embassies and consulates in post-soviet states. Turla’s activities were first spotted in 2014. The group specializes in developing custom backdoor malware to carry out operations. However, reports also suggest that the hacker group could have been active from before 2014.

Since its notable activities were spotted in the wild, multiple high profile cyber espionage campaigns have been attributed to Turla. Recently, the group launched attacks on fresh targets using scripts and open-source code in its malware development. The hacker group is also known to deploy one of the most complex and sophisticated rootkits called Snake, which typically focuses on NATO-related targets.

Over the years, security experts have identified many other notable developments in the malware and binary code used by the notorious hacker group, since its discovery.

Turla’s recent activities

In 2017, Turla used a new malware variant to target Germany's Federal Foreign Office, two European countries and a defense contractor. The campaign used fully controllable emails that contained malicious PDF attachments, instead of relying on conventional command and control server (C&C). These malicious attachments were used to install malware, exfiltrate data and more. In April 2018, the group developed tools capable of executing PowerShell commands by leveraging Empire PSInject.

In January 2018, the attackers became stealthier, misusing Adobe to trick users into downloading malware. Turla’s attacks tricked victims into believing that they were downloading legitimate software from adobe.com. However, in reality, the victims ended up installing a malicious installer that is designed to connect with the system registry to create an attacker-controlled administrative account on the system. This, in turn, allowed the attackers to gain remote access to targeted systems.

In August 2017, security researchers discovered a new second stage backdoor created by Turla. This backdoor could evade detection by changing strings within its code, randomizing markers and wiping files securely. Researchers could not get a hold of the encryption as the malware used a custom encryption technique.

Turla - One among elite APT groups in the world

Researchers found links relating Turla APT to the Moonlight Maze hacker group, which was fairly active during the late 1990’s. Later, a connection to one of the earliest cyber espionage campaigns, which focused on western targets through the use of hijacked satellite links, water holing attacks, backdoor, and advanced malware, also confirmed a relationship between the two hacker groups.

Moonlight Maze was a vast online spying operation that targeted a number of critical U.S. government agencies, including the Pentagon, NASA and the Department of Energy. The suspected link between Moonlight Maze and Turla highlights the use of an open source backdoor called LOKI2, which was found in code samples used by both operators, which puts them on an elite list of cyberespionage actors.

Recent developments

Some of the notable malware activities revolving around the Trula group in recent times are discussed below:

According to recent reports,Trula has used the KopiLuwak, IcedCoffee, WhiteBear, and WhiteAtlas malware variants in a number of ways to leverage Javascript, Powershell, and install droppers.

• Turla’s first full-fledged deployment of Javascript backdoors began with the use of the IcedCoffee backdoor back in June 2016.
• In November 2016, a new round of weaponized macro documents that dropped a new, heavily obfuscated Javascript payload named KopiLuwak was deployed by the group.
• A much more advanced and highly complex Javascrip was utilized in WhiteAtlas samples that dropped a Firefox extension backdoor developed by Turla.
• WhiteBear scripted spear phishing email attachments and also followed up on initial WhiteAtlas scripting development and deployment efforts.

As Turla continues to target embassies and government organizations around the world, there are no signs indicating that the cyberespionage group may slow down operations anytime soon. The attackers also continue to improve their efforts to spy on promising targets and secretly infect their malware into networks for as long as possible.