The Russian-speaking Turla hacking group has breached the systems of an undisclosed European government organization.
According to a new report from Accenture Cyber Threat Intelligence (ACTI), the attack matches Turla's information-theft and espionage motivation and its consistent targeting of government-related entities in several countries.
To compromise the organization's network, the attackers used a combination of recently updated remote administration trojans (RATs) and remote procedure call (RPC)-based backdoors, including HyperStack, which ACTI analyzed between June and October 2020.
The researchers said they identified novel command and control (C&C) configurations for Turla's Carbon and Kazuar backdoors on the same victim network.
The Kazuar instances varied in configuration: some used external C&C nodes outside the victim network, while others used internal nodes on the affected network itself. The Carbon instance had been updated to pull encrypted tasks from Pastebin in addition to its traditional HTTP C&C infrastructure.
In its espionage campaigns, Turla has compromised thousands of systems belonging to governments, embassies, and education and research facilities in over 100 countries.
Accenture expects Turla to keep using its legacy tools, with upgrades, to compromise victims and maintain long-term access, since these tools continue to succeed against Windows-based networks.
ACTI recommends that government entities check their network logs for the indicators of compromise listed at the end of the report and build detections capable of blocking Turla attacks in the future.
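The report's two practical points for defenders are the Pastebin tasking channel added to Carbon and the advice to sweep network logs for indicators of compromise. The following script is an added example, not code from the ACTI report or from this article, that shows how both checks can be run over proxy logs. The log format, the server subnet prefix, the IoC domain and IP, and the paste ID are all constructed for illustration; the real indicators are the ones at the end of the ACTI report, and the indicator sets below should be replaced with them.

```python
"""Sweep proxy logs for Pastebin tasking traffic and IoC hits (added example)."""
import re
from collections import defaultdict

# Constructed indicator list for illustration only. These are NOT the
# indicators from the ACTI report; substitute the report's own IoCs here.
IOC_DOMAINS = {"updates.example-cdn.invalid"}
IOC_IPS = {"203.0.113.45"}          # TEST-NET-3 documentation address

# Carbon's updated configuration fetched encrypted tasks from Pastebin
# alongside its HTTP C&C, so paste-site access from the wrong hosts matters.
PASTE_HOSTS = {"pastebin.com", "www.pastebin.com"}

# Constructed generic proxy log format: "<ts> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")


def parse_line(line):
    """Return a dict with ts/src/host/path, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "host": u.group("host").lower(),
        "path": u.group("path") or "/",
    }


def scan(lines, server_subnet_prefix="10.0.5."):
    """Return findings keyed by source host (list of (rule, host, path) tuples).

    Rules, in priority order:
      ioc_match         request to a domain or IP on the indicator list
      paste_raw_fetch   GET of pastebin.com/raw/<id>: the bare paste body, which
                        is what a tasking client would pull, not what a browser shows
      paste_from_server any other pastebin.com access from the server subnet,
                        where no interactive browsing is expected
    Ordinary paste-page views from the user subnet are deliberately not flagged.
    """
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, path, src = rec["host"], rec["path"], rec["src"]
        if host in IOC_DOMAINS or host in IOC_IPS:
            findings[src].append(("ioc_match", host, path))
        elif host in PASTE_HOSTS:
            if path.startswith("/raw/"):
                findings[src].append(("paste_raw_fetch", host, path))
            elif src.startswith(server_subnet_prefix):
                findings[src].append(("paste_from_server", host, path))
    return dict(findings)


# Constructed sample log lines: 10.0.5.x is the (hypothetical) server subnet,
# 10.0.7.x the user subnet. The paste ID is made up.
SAMPLE_LOG = """\
2020-10-12T08:01:33Z 10.0.5.21 GET https://pastebin.com/raw/aB3dE9fG 200
2020-10-12T08:01:40Z 10.0.7.102 GET https://www.example.org/index.html 200
2020-10-12T08:02:05Z 10.0.7.55 GET https://pastebin.com/aB3dE9fG 200
2020-10-12T08:02:18Z 10.0.5.21 POST http://203.0.113.45/upload 200
2020-10-12T08:03:00Z 10.0.5.30 GET https://pastebin.com/u/someuser 200
2020-10-12T08:03:44Z 10.0.7.102 GET https://updates.example-cdn.invalid/check 404
""".splitlines()

if __name__ == "__main__":
    for src, hits in sorted(scan(SAMPLE_LOG).items()):
        for rule, host, path in hits:
            print(f"{src:<12} {rule:<18} {host}{path}")
```

On the constructed sample, 10.0.5.21 is flagged twice (a raw paste fetch followed by a POST to the listed IP), 10.0.5.30 once for touching Pastebin from the server subnet, and 10.0.7.102 once for the IoC domain; the user workstation that merely viewed a paste page is not reported. Internal C&C relays of the kind described for Kazuar will not show up in a proxy log at all, so this sweep should be paired with east-west flow or endpoint telemetry.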
The state-sponsored Turla group, also known as Waterbug and VENOMOUS BEAR, has been active since at least 1996 and is believed to be the main suspect behind attacks targeting the Pentagon and NASA, the U.S. Central Command, the Finnish Foreign Ministry, and, this year, Eastern European Ministries of Foreign Affairs.
The group is known for using unorthodox methods to achieve its cyber-espionage goals.