Since Russia made its initial incursion into Ukraine, the world has been wondering where the superpower will strike next. However, the next strike likely won’t be a physical attack, but rather will occur in the cyber landscape. U.S. officials have warned about potential Russian cyber threats on critical infrastructure, and based off the long history of Russian-based threat groups, that concern is valid. It isn’t a question of if they will attack; it is more about when.
A well-known Russian-based threat group is Turla. The group has infected more than 45 countries since 2004, encompassing numerous industry types, such as governments, embassies, military, education, research and pharmaceutical companies. Their latest attack on Germany, the U.S. and Afghanistan wasn’t that long ago either.
Turla is known for attacking with watering hole and spear phishing campaigns and using in-house tools and malware. Their espionage platform is mainly deployed against Windows systems but was also effective against macOS and Linux machines in 2014. Turla’s activity heightened in mid-2015, but the group has been around since 2004. The goal of their attacks is to siphon data from local computers to other servers. Turla also has been known by other names, including Snake, Uroburos, Krypton, Venomous Bear and more.
Early reports about Snake compared it to Stuxnet, the worm that attacked Iran’s nuclear program, but the inner workings of Snake were found to be quite different. Snake is not as powerful as Stuxnet yet, and there isn’t evidence that Snake would be capable of taking over computer controllers that run nuclear centrifuges. However, when Snake first appeared, many wondered whether there was another purpose for it other than just espionage. Could there be more going on that people weren’t seeing?
“The usual Russian approach would be to design something that could both conduct surveillance and aid in an attack,” said a senior intelligence official in the New York Times, who was describing how the National Security Agency and the Pentagon’s Cyber Command were on the lookout for the kind of computer attacks that were unleashed on Estonia several years ago.
Another one of Turla’s big campaigns was Epic Turla, where they launched a multistage attack, starting with spear phishing emails with Adobe PDF exploits and watering hole attacks to infect users. The Epic Turla attackers were extremely dynamic, using many different methods depending on what was available at the time. As the group started gaining confidence, they upgraded to using backdoors alongside each attack. Then, once the victims’ systems were infiltrated, the attackers would deploy the rootkit and other mechanisms. Links to the Moonlight Maze backdoors have been found with Turla, as well, which means the group was able to use leftover backdoors from a previous attack in the 1990s and upgrade them enough to be useful in more recent exploits.
The backdoor attacks
The Epic Turla attack was not the last time Turla used backdoors as a way to infiltrate systems. The attack in September 2021 on the U.S., Germany and Afghanistan was also through backdoors. Turla developed a new, sophisticated technique called TinyTurla. The TinyTurla malware is a backdoor that allows attackers to maintain access to the victim’s system even if the attacker’s other malware is discovered and removed. This backdoor can also act as a second-stage dropper to input more malware on the same system and can launch subprocesses and export data from devices. Its limited functionality and simple coding, which has been used since 2020, makes it difficult to detect as malware.
Cisco Talos Intelligence Group stated that the Turla hacking group started targeting Afghanistan before the U.S. and other Western military forces left the country and the Taliban took control of the government. It was likely these hacking groups were using the backdoor malware in an attempt to compromise the information technology systems of the previous government in Afghanistan due to the turmoil surrounding the shifting power.
A sample of the backdoor malware collected by the Cisco team demonstrated that it comes in the form of a .DLL and is installed as a service on a Windows device. The file name was listed as w64time.dll because there was another legitimate version of the malware dubbed w32time.dll.
Once the backdoor was installed on the victim’s device, it was linked back to the command-and-control (C2) server run and operated by the Turla hacking group. The backdoor then linked up to the system using an encrypted HTTPS channel after every five seconds and checked if there were any newly launched commands or instructions.
“One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been attributed to their Penguin Turla Infrastructure,” the researchers stated.
Lessons from Turla
APT groups continually come up with new ways to infect their victims while remaining relatively invisible on their systems. Using a backdoor isn’t anything new; for example, the Equation group has been using them for decades. However, new and old threat actors are finding different ways to exploit this strategy as well as original ways to stay hidden. Cybersecurity experts continue to monitor threat groups, such as Turla, and advise having multi-layered security architecture in place to detect these kinds of attacks
While there is constant speculation all over the world about where the next Russian cyberattack will occur, there may already be one in progress that simply hasn’t been detected yet. The technology and techniques are already out there; it may just be a matter of time until something is found.