Cyber Security firm Mandiant, which was recently acquired by Google, has published research on a new espionage operation targeting Ukraine. Mandiant suspects the campaign is being conducted by the Russian cyber espionage group, Turla Team.
This is Mandiant’s first observation of suspected Turla targeting Ukrainian entities since the onset of Russia’s invasion.
What’s novel about this instance is that the group – currently tracked as UNC4210 – re-registered expired Command & Control (C2) domains that were once used (dating back to the 2010s) by financially motivated threat groups to distribute the ANDROMEDA malware.
Mandiant suspects that by using older malware and infrastructure, Turla’s operation was “more likely to be overlooked by defenders triaging a wide variety of alerts.”
Upon registering these C2s in January 2022, Turla Team began profiling victims to selectively deploy the KOPILUWAK reconnaissance utility, and then the QUIETCANARY backdoor in September 2022. Based on Mandiant’s investigation, it’s believed that the ANDROMEDA domains reported back basic system information and IP addresses on the victims, which allowed UNC4210 to determine whether to send the Turla payload to the victim or to do nothing. As part of the espionage, Turla was collecting MS Office documents, PDFs, text files and LNK files.
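The defender-side lesson of the technique above is that an old C2 domain does not stop mattering when its original campaign dies: once it expires, anyone can re-register it and inherit whatever infected hosts still beacon to it. The following Python is an added illustration (not code from Mandiant or from the report) of a simple re-registration check: compare the last date a domain was seen as active C2 in historical threat intel with its current WHOIS creation date, and put any domain registered long after that last sighting back on a DNS watchlist. All domain names, dates and log lines are constructed placeholders, not indicators from the report.

```python
from datetime import date

# Constructed sample data: historical threat-intel record of old commodity-malware
# C2 domains (placeholder names, NOT the real ANDROMEDA domains) with the last date
# each was seen active.
HISTORICAL_C2 = {
    "example-old-c2-1.invalid": date(2015, 6, 30),
    "example-old-c2-2.invalid": date(2016, 2, 14),
    "example-old-c2-3.invalid": date(2014, 11, 2),
}

# Constructed current WHOIS creation dates (assumed already fetched by some lookup).
WHOIS_CREATED = {
    "example-old-c2-1.invalid": date(2022, 1, 15),   # re-registered years after last sighting
    "example-old-c2-2.invalid": date(2013, 5, 1),    # original registration still in place
    "example-old-c2-3.invalid": None,                # currently unregistered
}

# Constructed resolver log lines in the form "<timestamp> <client_ip> <query_name>".
DNS_LOG = """\
2022-09-03T10:12:01Z 10.1.4.22 example-old-c2-1.invalid
2022-09-03T10:12:05Z 10.1.4.22 www.legit-site.invalid
2022-09-03T11:40:09Z 10.1.7.8 example-old-c2-2.invalid
2022-09-04T08:02:44Z 10.1.4.22 example-old-c2-1.invalid.
"""


def reregistered_domains(historical, whois, min_gap_days=365):
    """Return {domain: creation_date} for domains whose current registration began
    at least min_gap_days after they were last seen as active C2. A gap that large
    means the original registration lapsed and someone else has taken the name."""
    flagged = {}
    for domain, last_seen in historical.items():
        created = whois.get(domain)
        if created is not None and (created - last_seen).days >= min_gap_days:
            flagged[domain] = created
    return flagged


def flag_dns_log(log_text, watchlist):
    """Return (timestamp, client_ip, query_name) for each query to a watchlisted
    domain. Names are lower-cased and a trailing dot stripped before matching."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        if qname.lower().rstrip(".") in watchlist:
            hits.append((ts, client, qname))
    return hits


def hosts_to_investigate(log_text=DNS_LOG, historical=HISTORICAL_C2, whois=WHOIS_CREATED):
    """Distinct client IPs that resolved a re-registered historical C2 domain."""
    watchlist = reregistered_domains(historical, whois)
    return sorted({client for _, client, _ in flag_dns_log(log_text, watchlist)})


if __name__ == "__main__":
    print("re-registered:", reregistered_domains(HISTORICAL_C2, WHOIS_CREATED))
    print("hosts to investigate:", hosts_to_investigate())
```

The point of the gap threshold is that blocklists routinely age out indicators whose campaigns ended years ago; a re-registration check reinstates exactly the subset of those indicators that has become dangerous again, which keeps the watchlist small enough that alerts on it are not lost in the noise the report describes.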
Here’s what Mandiant’s head of threat intelligence, John Hultquist, had to say:
“Removable media remains a powerful if indiscriminate tool for cybercriminals and state actors alike. Turla, which has been linked to the FSB, famously used removable media before in a widespread incident that led to loud, mass proliferation across DoD systems over a decade ago. The proliferation of Agent.BTZ, clearly beyond the intent of the service, led to unprecedented response and exposure of the FSB operations.
This incident is familiar, but the new spin is the actors aren’t releasing their own USB malware into the wild. Now they are taking advantage of another actor’s work by taking over their command and control. By doing so Turla removes itself from the high-profile dirty work of proliferation but still gets to select victims of interest.
Accesses obtained by cybercriminals are an increasingly leveraged tool for Russian intelligence services who can buy or steal them for their own purposes.”
Full research can be read here: https://www.mandiant.com/resources/blog/turla-galaxy-opportunity