
Russian hacker group uses HTTP status codes to control malware implants


Today's security threats have expanded in scope and seriousness; millions, or even billions, of dollars can be at risk when information security is not handled properly. Security researchers from Kaspersky have identified a new version of the COMpfun malware that controls infected hosts through a mechanism that relies on HTTP status codes: the status code of the server's reply, rather than the response body, carries the operator's instruction to the implant. The malware was first spotted in November of last year and has been deployed in attacks against diplomatic entities across Europe. The attacks are attributed to Turla, a state-sponsored Russian threat actor that has historically engaged in cyber-espionage operations.
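A channel that hides commands in HTTP status codes leaves almost nothing in the request or response body to match on, so a defender has to look at the codes themselves. The following detector is an added example and not code from Kaspersky or from the COMpfun analysis; the page does not give COMpfun's actual code-to-command mapping, and none is assumed here. The log format, the host names, the client addresses and the specific status codes in the sample are all constructed for the illustration. The heuristic flags client/host pairs whose responses contain an unusually high share of status codes rarely seen in normal browsing, or an unusually large number of distinct codes.

```python
"""Heuristic detector for status-code-driven C2 over constructed proxy logs.

Added illustration, not the malware authors' or the researchers' code.
Assumptions: a simplified proxy log line of the form
    <timestamp> <client_ip> <method> <url> <status>
and an allow-list of status codes that ordinary browsing produces.
"""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). 10.0.0.5 browses normally;
# 10.0.0.7 polls one host and receives a spread of uncommon status codes.
SAMPLE_LOG = """\
2020-05-14T10:00:01Z 10.0.0.5 GET http://cdn.example.net/app.js 200
2020-05-14T10:00:02Z 10.0.0.5 GET http://cdn.example.net/logo.png 304
2020-05-14T10:00:03Z 10.0.0.5 GET http://cdn.example.net/missing 404
2020-05-14T10:00:10Z 10.0.0.7 GET http://update.example-c2.invalid/check 422
2020-05-14T10:00:20Z 10.0.0.7 GET http://update.example-c2.invalid/check 402
2020-05-14T10:00:30Z 10.0.0.7 GET http://update.example-c2.invalid/check 418
2020-05-14T10:00:40Z 10.0.0.7 GET http://update.example-c2.invalid/check 424
2020-05-14T10:00:50Z 10.0.0.7 GET http://update.example-c2.invalid/check 429
2020-05-14T10:01:00Z 10.0.0.7 GET http://update.example-c2.invalid/check 402
2020-05-14T10:01:10Z 10.0.0.7 GET http://update.example-c2.invalid/check 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Codes a browser or software updater commonly sees. Anything outside this
# set counts as "rare" for the purpose of the heuristic (assumed allow-list).
COMMON_CODES = {200, 204, 206, 301, 302, 304, 400, 401, 403, 404, 500, 502, 503}


def parse_proxy_log(text):
    """Yield (client_ip, host, status) tuples from lines in the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, client, _method, url, status = m.groups()
        host = url.split("/")[2] if "://" in url else url
        yield client, host, int(status)


def score_sessions(records, min_requests=5, rare_share=0.5, min_distinct=4):
    """Group responses per (client, host) and flag pairs that look like a
    status-code channel: a high share of rare codes, or many distinct codes.

    Returns {(client, host): {"requests": n, "rare_share": s, "distinct": d}}.
    """
    codes_by_pair = defaultdict(list)
    for client, host, status in records:
        codes_by_pair[(client, host)].append(status)

    flagged = {}
    for pair, codes in codes_by_pair.items():
        if len(codes) < min_requests:
            continue  # too few observations to judge
        rare = sum(1 for c in codes if c not in COMMON_CODES)
        distinct = len(set(codes))
        share = rare / len(codes)
        if share >= rare_share or distinct >= min_distinct:
            flagged[pair] = {
                "requests": len(codes),
                "rare_share": round(share, 2),
                "distinct": distinct,
            }
    return flagged


if __name__ == "__main__":
    for (client, host), info in score_sessions(parse_proxy_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {info}")
```

The thresholds are starting points, not tuned values: REST APIs legitimately return 422 or 429, so in production the allow-list should be learned per destination from a baseline window, and a hit is a lead for the analyst (pivot to the process that made the requests, and to whether the response bodies are empty or boilerplate) rather than a verdict on its own.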

Suspected Russian hackers disguised as Iranian spies attacked more than 35 countries, security officials say

FOX News

A suspected Russian hacking group disguised as Iranian spies attacked more than 35 countries, U.S. and U.K. security officials said Monday. The group Turla, also known as Waterbug and VENOMOUS BEAR, used a variety of Iranian tools and infrastructure to hack into "government, military, technology, energy and commercial organizations" in order to steal intelligence from dozens of countries, the U.K. National Cyber Security Centre (NCSC) and the U.S. National Security Agency (NSA) said in a joint report. Most of the targeted nations were in the Middle East, NCSC said.

SolarWinds hackers linked to known Russian spying tools, investigators say

The Japan Times

London – The group behind a global cyber-espionage campaign discovered last month deployed malicious computer code with links to spying tools previously used by suspected Russian hackers, researchers said Monday. Investigators at Moscow-based cybersecurity firm Kaspersky said the "backdoor" used to compromise up to 18,000 customers of U.S. software maker SolarWinds closely resembled malware tied to a hacking group known as "Turla," which Estonian authorities have said operates on behalf of Russia's FSB security service. The findings are the first publicly available evidence to support assertions by the United States that Russia orchestrated the hack, which compromised a raft of sensitive federal agencies and is among the most ambitious cyber operations ever disclosed. Moscow has repeatedly denied the allegations. The FSB did not respond to a request for comment.

Russia-linked group likely used Iranian hacking tools, NSA says

The Japan Times

WASHINGTON – A Russia-linked group is believed to have used Iranian tools to conduct cyberattacks against dozens of countries, in an apparent effort to mask its identity, according to joint advisories by the U.S. and the U.K. The group, known as Turla, used tools from suspected Iran-based hacking groups and deployed them against old and new targets. In order to acquire the tools, Turla "compromised the suspected Iran-based hacking groups themselves," according to the U.S. National Security Agency and the U.K.'s National Cyber Security Centre, which released the advisories on Monday. The original owners of the tools "were almost certainly not aware of, or complicit with, Turla's use of their implants," the agencies said. The attacks, against more than 35 countries, would appear to the victims as coming from Iran. "We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them," said Paul Chichester, director of operations for the U.K. cyber agency, in one of the advisories.

Turla Mosquito hacker group shifts to open-source malware


Turla, a hacking group that has been active for over ten years and is one of the largest known state-sponsored cyber-espionage groups, is showing a shift in its behaviour: instead of relying solely on its own creations, it now uses the open-source exploitation framework Metasploit as a first stage before dropping the custom Mosquito backdoor. While this is not the first time Turla has used generic tools, researchers at ESET say it is the first time the group has used Metasploit, an open-source penetration testing project, as a first-stage backdoor. "In the past, we have seen the group using open-source password dumpers such as Mimikatz," ESET Research said in a blog post. "However, to our knowledge, this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper." The typical targets of the attacks remain embassies and consulates in Eastern Europe, and the group still uses a fake Flash installer that installs both the Turla backdoor and the legitimate Adobe Flash Player, so the victim sees a working Flash update and has little reason to suspect anything.