Russian cyberespionage: The group known as Turla became infamous in 2008 for agent.btz, a virulent piece of malware that spread through US Department of Defense systems and gained widespread access via infected USB drives plugged in by unsuspecting Pentagon employees. Now, 15 years later, the same group appears to be attempting a new twist on that trick: hijacking other hackers’ USB infections so it can piggyback on them and stealthily choose its espionage targets.
Today, cybersecurity firm Mandiant announced that it has discovered an incident in which Turla’s hackers – widely believed to work for Russia’s FSB intelligence agency – gained access to victims’ networks by using the expired domains of almost ten-year-old cybercriminal malware that spreads through infected USB drives. By re-registering those domains, Turla was able to take over the command-and-control servers for this hermit-crab-style malware and sift through its victims to find those worth spying on.
This hijacking technique seems designed to keep Turla undetected, hiding in the footsteps of other hackers while it combs through a vast collection of networks. It also shows how the Russian group’s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Since the malware has already spread via USB, Turla can take advantage of this without exposing itself. Instead of using their own USB tools like agent.btz, they can rely on someone else’s,” says Hultquist. “You piggyback on other people’s operations. It’s a really smart way of doing business.”
Mandiant’s discovery of Turla’s new technique first came to light in September last year, when the company’s analysts uncovered a strange breach in a network in Ukraine, a country that has become a prime focus for all of the Kremlin’s intelligence services following Russia’s disastrous invasion last February. Several computers on this network had been infected after someone plugged in a USB drive and double-clicked a malicious file on it, disguised as a folder, which installed malware called Andromeda.
Andromeda is a relatively common banking Trojan that cybercriminals have used since 2013 to steal victims’ credentials. But on one of the infected machines, Mandiant analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, had previously been used by Turla; the second, a backdoor called Quietcanary that compresses carefully selected data and siphons it off the target computer, had in the past been used exclusively by Turla. “That was a red flag for us,” says Gabby Roncone, a threat intelligence analyst at Mandiant.
When Mandiant probed the command-and-control servers for the Andromeda malware that started this infection chain, its analysts found that the domain used to control the Andromeda sample – whose name is a vulgar mockery of the antivirus industry – had in fact expired and been re-registered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant found that at least two other expired domains had been re-registered. Collectively, these domains were linked to hundreds of Andromeda infections, all of which Turla could search to find individuals worth spying on.
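The mechanism described above has a defender-side signature: an old infection keeps querying its expired command-and-control domain and gets NXDOMAIN, and the moment someone re-registers that domain the queries start resolving and every still-infected host phones home to the new registrant. The following script, an added example that is not part of the Wired article or of Mandiant’s tooling, runs that check over resolver logs. The watchlist domains, log lines, IP addresses and the log format itself are all constructed for the example; the family label “Andromeda” is only attached to a placeholder domain, not a real indicator.

```python
"""
Flag 'revived' command-and-control domains in DNS resolver logs.

A domain on a legacy-malware watchlist that returned NXDOMAIN for a long
stretch and then starts resolving again is a candidate for a registration
takeover: the infected hosts that successfully resolve it afterwards are
the ones now reachable by whoever re-registered the name.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed watchlist: C2 domains pulled from old malware configs.
# Placeholder names under .example, not real indicators.
LEGACY_C2_WATCHLIST = {
    "legacy-loader-c2.example": "Andromeda (placeholder sample config)",
    "old-banker.example": "other legacy family (placeholder)",
}

# Constructed resolver log: "<UTC timestamp> <client> <qname> <rcode> [<answer>]"
SAMPLE_LOG = """\
2021-11-03T08:12:01Z 10.0.4.21 legacy-loader-c2.example NXDOMAIN
2022-01-15T09:00:11Z 10.0.4.21 legacy-loader-c2.example NXDOMAIN
2022-03-02T10:30:44Z 10.0.4.37 legacy-loader-c2.example NXDOMAIN
2022-06-10T07:45:00Z 10.0.4.21 legacy-loader-c2.example NOERROR 203.0.113.50
2022-06-10T07:46:13Z 10.0.4.37 legacy-loader-c2.example NOERROR 203.0.113.50
2022-06-10T07:46:20Z 10.0.4.55 www.example.org NOERROR 198.51.100.7
2022-06-11T12:00:00Z 10.0.4.21 old-banker.example NXDOMAIN
"""


@dataclass
class DnsRecord:
    ts: datetime
    client: str
    qname: str
    rcode: str
    answer: str | None


@dataclass
class RevivedDomainAlert:
    domain: str
    family: str
    first_dark: datetime          # first NXDOMAIN seen for the domain
    revived_at: datetime          # first successful resolution after that
    dark_days: int                # calendar days between the two
    resolved_to: str | None       # address the revived domain now points at
    affected_clients: list[str] = field(default_factory=list)


def parse_line(line: str) -> DnsRecord:
    """Parse one constructed log line; the answer field is optional."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    answer = parts[4] if len(parts) > 4 else None
    return DnsRecord(ts, parts[1], parts[2].lower().rstrip("."), parts[3], answer)


def parse_log(text: str) -> list[DnsRecord]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_revived_domains(records: list[DnsRecord],
                         watchlist: dict[str, str],
                         min_dark_days: int = 30) -> list[RevivedDomainAlert]:
    """Return one alert per watchlisted domain that went NXDOMAIN -> NOERROR
    after at least min_dark_days of failing lookups."""
    by_domain: dict[str, list[DnsRecord]] = defaultdict(list)
    for rec in records:
        if rec.qname in watchlist:
            by_domain[rec.qname].append(rec)

    alerts: list[RevivedDomainAlert] = []
    for domain, recs in by_domain.items():
        recs.sort(key=lambda r: r.ts)
        first_dark: datetime | None = None
        for rec in recs:
            if rec.rcode == "NXDOMAIN":
                if first_dark is None:
                    first_dark = rec.ts
            elif rec.rcode == "NOERROR" and first_dark is not None:
                dark_days = (rec.ts.date() - first_dark.date()).days
                if dark_days < min_dark_days:
                    first_dark = None   # short outage, not a takeover; keep looking
                    continue
                # Hosts that resolved the revived name are the ones now exposed.
                clients = sorted({r.client for r in recs
                                  if r.ts >= rec.ts and r.rcode == "NOERROR"})
                alerts.append(RevivedDomainAlert(domain, watchlist[domain], first_dark,
                                                 rec.ts, dark_days, rec.answer, clients))
                break
    return sorted(alerts, key=lambda a: a.domain)


if __name__ == "__main__":
    for alert in find_revived_domains(parse_log(SAMPLE_LOG), LEGACY_C2_WATCHLIST):
        print(f"{alert.domain} [{alert.family}] dark for {alert.dark_days} days, "
              f"now {alert.resolved_to}; hosts to triage: {', '.join(alert.affected_clients)}")
```

On the constructed log this produces a single alert for the placeholder Andromeda domain, dark for 219 days and then answered for two internal hosts; the second watchlisted domain never resolves and stays quiet, and the unrelated query is ignored. The useful property is that the check does not depend on recognising the new registrant: any successful resolution after a long dark period is enough to start triaging the hosts listed, and blocking watchlisted domains at the resolver regardless of whether they currently resolve removes the exposure entirely.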
https://www.wired.com/story/russia-turla-fsb-usb-infection/ Turla, a Russian Espionage Group, Piggybacked on Other Hackers’ USB Infections