ESET researchers tracking a notorious backdoor and cyberespionage campaign have warned that the list of government victims is far longer than previously thought -- and at least two new European offices have succumbed. The backdoor is the work of an advanced persistent threat (APT) group known as Turla. Turla has previously been linked to the Gazer malware family, which has been used against various government and diplomatic bodies in Europe before. Gazer was connected to watering hole attacks and spear-phishing campaigns targeting government entities and diplomats for the purpose of cyberespionage. In 2017, Turla was also connected to a backdoor implanted in Germany's Federal Foreign Office, where it was used to siphon confidential government information over the majority of the year.
A cyber espionage campaign is targeting the foreign ministry of a country in the European Union with the aid of a previously undocumented form of malware which provides a secret backdoor onto compromised Windows systems. Uncovered by cybersecurity researchers at ESET, the tools are designed to steal sensitive documents and other files by secretly exfiltrating them via Dropbox accounts controlled by the attackers. Dubbed Crutch by its developers, this malware campaign has been active from 2015 through to 2020 and researchers have linked it to the Turla hacking group, due to similarities with previously uncovered Turla campaigns such as Gazer. The working hours of the group also coincide with UTC 3, the timezone which Moscow sits in. The UK's National Cyber Security Centre (NCSC) is among those which has attributed Turla – also known as Waterbug and Venomous Bear – to Russia.
Turla, a hacking group that has been active for over ten years and one of the largest known state-sponsored cyberespionage groups, is showing a shift in its behaviour from using its own creations to leveraging the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor. While this is not the first time Turla is using generic tools, researchers at ESET say that this is the first time the group has used Metasploit, which is an open-source penetration testing project, as a first stage backdoor. "In the past, we have seen the group using open-source password dumpers such as Mimikatz," ESET Research said in a blog post. "However, to our knowledge, this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper." The typical targets of the attacks remain to be embassies and consulates in Eastern Europe and the group is still using a fake Flash installer to install both the Turla backdoor and the legitimate Adobe Flash Player.
Turla, one of the codenames given by the cyber-security industry to one of Russia's oldest and most "talented" cyber-espionage unit, has been very active in the past three years, even though their operations have not received the same media coverage of other more flashy Russian hacking outfits. According to new research presented yesterday at the Virus Bulletin security conference held in Montreal, Canada, the group has been behind dozens of hacks around the world, operating with revamped malware and a tendency towards runtime scripting and the usage of open source tools. "Turla was absent from the milestone DNC hack event where Sofacy [APT28] and CozyDuke [APT29] were both present, but Turla was quietly active around the globe on other projects," said Kaspersky's GReAT team in a report published shortly after the presentation. But while APT28 and APT29's loudmouth dissemination of the DNC hacked data has led to public inquiries into their ties to Russian intelligence agencies --which eventually led to several public indictments [1, 2, 3]-- Turla has remained the same mystery as it always was. Considered by many to be Russia's elite hacking unit, Turla is believed to have ties to Moonlight Maze, one of the first government-backed hacking operations ever discovered, back in the 90s.