Turla, a Russian Espionage Group, Piggybacked on Other Hackers’ USB Infections

The Russian cyberespionage group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the same group appears to be trying a new twist on that trick: hijacking the USB infections of other hackers to piggyback on their infections and stealthily choose their spying targets.

Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla’s hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find ones worthy of espionage targeting.

That hijacking technique appears designed to let Turla stay undetected, hiding inside other hackers’ footprints while combing through a vast collection of networks. And it shows how the Russian group’s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” Hultquist says. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

Mandiant’s discovery of Turla’s new technique first came to light in September of last year, when the company’s incident responders found a curious breach of a network in Ukraine, a country that’s become a primary focus of all Kremlin intel services after Russia’s catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, installing a piece of malware called Andromeda.

Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.

When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample—whose name was a vulgar taunt of the antivirus industry—had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.

“By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”

In fact, Mandiant only found that single instance in Ukraine of the hijacked Andromeda infection distributing Turla’s malware. But the company suspects that there were likely more. Hultquist warns there’s no reason to believe the stealthy targeted spying that piggybacked off Andromeda’s USB infections would be limited to just one target, or even to just Ukraine. “Turla has a global intelligence collection mandate,” he says.

Turla has a long history of using clever tricks to hide the control of its malware, and even to hijack the control of other hackers, as Mandiant saw in this most recent case. Cybersecurity firm Kaspersky revealed in 2015 that Turla had taken control of satellite internet connections to obscure the location of its command-and-control servers. In 2019, Britain’s GCHQ intelligence agency warned that Turla had silently commandeered Iranian hackers’ servers to conceal themselves and confuse detectives trying to identify them.

Those innovative techniques have made the group a particular obsession for many cybersecurity researchers, who have traced its fingerprints all the way back to Moonlight Maze, one of the first-ever state-sponsored hacking campaigns, discovered in the late 1990s. Turla’s agent.btz thumbdrive malware represented another historic moment for the group: It resulted in a Pentagon initiative called Operation Buckshot Yankee, designed to vastly upgrade the Defense Department’s cybersecurity after the group’s embarrassing USB-based breach.

Mandiant’s discovery of another, stealthier USB-based hacking technique in Turla’s hands should serve as a reminder that even now, 15 years later, that USB-based intrusion vector has hardly disappeared. Plug an infected drive into your USB port today, it seems, and you may be offering an invitation to not only undiscerning cybercriminals, but also a far more sophisticated breed of operative hiding behind them.

Read More
Andy Greenberg

Latest

The 10 Best Vikings Players | Our Writers Cast Ballots

Dec 21, 2025; East Rutherford, New Jersey, USA; Minnesota Vikings wide receiver Justin Jefferson (18) makes a catch against the New York Giants during the first half at MetLife Stadium. Mandatory Credit: Vincent Carchietta-Imagn Images Among Vikings players, WR1 Justin Jefferson remains unchallenged as the best football player in the Twin Cities. He alone is

Cowboys safety Jalen Thompson receives votes among league’s best at position

We are a stone’s throw away from training camp beginning, and this being the case, the normal happenings of professional football will be dominating our lives on a day-to-day basis soon enough. The last few months have been an exercise in holding our attention until the real thing can. One of the best ways to

Indiana lands 5-star football recruit: Monshun Sales — nation’s No. 1 WR — commits to Curt Cignetti

The Hoosiers' first-ever, five-star commitment comes on the heels of IU's national championship run Jul 17, 2026 at 2:56 pm ET • 1 min read Imagn Images Indiana football landed the highest-rated recruit in program history on Friday when five-star wide receiver Monshun Sales committed to the Hoosiers, beating out finalists Alabama, LSU, Ohio State

Pros and Cons of Notre Dame’s 2026 Football Schedule

If you've heard anything about Notre Dame's schedule this coming season, you're aware that it isn't exactly setting the world on fire in terms of difficulty. The first six games Notre Dame plays come against that failed to qualify for bowl games last year. While that doesn't guarantee a similiar outcome for all in 2026

Newsletter

Don't miss

The 10 Best Vikings Players | Our Writers Cast Ballots

Dec 21, 2025; East Rutherford, New Jersey, USA; Minnesota Vikings wide receiver Justin Jefferson (18) makes a catch against the New York Giants during the first half at MetLife Stadium. Mandatory Credit: Vincent Carchietta-Imagn Images Among Vikings players, WR1 Justin Jefferson remains unchallenged as the best football player in the Twin Cities. He alone is

Cowboys safety Jalen Thompson receives votes among league’s best at position

We are a stone’s throw away from training camp beginning, and this being the case, the normal happenings of professional football will be dominating our lives on a day-to-day basis soon enough. The last few months have been an exercise in holding our attention until the real thing can. One of the best ways to

Indiana lands 5-star football recruit: Monshun Sales — nation’s No. 1 WR — commits to Curt Cignetti

The Hoosiers' first-ever, five-star commitment comes on the heels of IU's national championship run Jul 17, 2026 at 2:56 pm ET • 1 min read Imagn Images Indiana football landed the highest-rated recruit in program history on Friday when five-star wide receiver Monshun Sales committed to the Hoosiers, beating out finalists Alabama, LSU, Ohio State

Pros and Cons of Notre Dame’s 2026 Football Schedule

If you've heard anything about Notre Dame's schedule this coming season, you're aware that it isn't exactly setting the world on fire in terms of difficulty. The first six games Notre Dame plays come against that failed to qualify for bowl games last year. While that doesn't guarantee a similiar outcome for all in 2026

2 Vikings Included in PFN’s Top 100 Players of 2026

Minnesota Vikings receiver Justin Jefferson smiles during NFC practice for the Pro Bowl Games at Camping World Stadium, showing a relaxed side as players prepare for the weekend showcase. On Feb. 1, 2025, Jefferson takes part in the lighthearted session while the conference’s top players work through drills before the annual competition in Orlando. Mandatory

Grey Business processes $61 million as stablecoins dominate payments

Grey Business enables startups and SMEs to open US Dollar (USD) corporate accounts, send and receive international payments, convert currencies, and transact using stablecoins such as USDC and USDT...

Utah Marketers to Host Free Business Networking Event in Layton on June 24

The custom web design company is hosting free monthly networking events for Northern Utah business leaders, with the next event scheduled for June 24 from 4 to 6 p.m. Utah Marketers is hosting a free local business networking event on June 24 from 4 to 6 p.m. at the company’s Layton office. The event is

WellnessVibe Announces Business DNA Workshop in Delhi and Mumbai, where Ancient Sound Wisdom Meets Modern Business Strategy

WellnessVibe has officially announced the launch of its transformative Business DNA Workshop on 7th June 2026 in Delhi and 20th June 2026 in Mumbai. (1888PressRelease) June 03, 2026 - Delhi/Mumbai, India - WellnessVibe has officially announced the launch of its transformative Business DNA Workshop on 7th June 2026 in Delhi and 20th June 2026 in