{"id":594596,"date":"2023-01-06T05:49:29","date_gmt":"2023-01-06T11:49:29","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/06\/turla-a-russian-espionage-group-piggybacked-on-other-hackers-usb-infections\/"},"modified":"2023-01-06T05:49:29","modified_gmt":"2023-01-06T11:49:29","slug":"turla-a-russian-espionage-group-piggybacked-on-other-hackers-usb-infections","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/06\/turla-a-russian-espionage-group-piggybacked-on-other-hackers-usb-infections\/","title":{"rendered":"Turla, a Russian Espionage Group, Piggybacked on Other Hackers&#8217; USB Infections"},"content":{"rendered":"<div data-testid=\"ArticlePageChunks\">\n<div data-journey-hook=\"client-content\" data-testid=\"BodyWrapper\">\n<p><span>The Russian cyberespionage<\/span> group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. 
Now, 15 years later, the same group appears to be trying a new twist on that trick: hijacking the USB infections of <em>other<\/em> hackers to piggyback on their infections and stealthily choose their spying targets.<\/p>\n<p>Today, cybersecurity firm Mandiant <a data-offer-url=\"https:\/\/www.mandiant.com\/resources\/blog\/turla-galaxy-opportunity\" href=\"https:\/\/www.mandiant.com\/resources\/blog\/turla-galaxy-opportunity\" rel=\"nofollow noopener\" target=\"_blank\">revealed<\/a> that it has found an incident in which, it says, Turla&#8217;s hackers\u2014<a data-offer-url=\"https:\/\/interaktiv.br.de\/elite-hacker-fsb\/en\/index.html\" href=\"https:\/\/interaktiv.br.de\/elite-hacker-fsb\/en\/index.html\" rel=\"nofollow noopener\" target=\"_blank\">widely believed to work in the service of Russia\u2019s FSB intelligence agency<\/a>\u2014gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find ones worthy of espionage targeting.<\/p>\n<p>That hijacking technique appears designed to let Turla stay undetected, hiding inside other hackers\u2019 footprints while combing through a vast collection of networks. And it shows how the Russian group\u2019s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. \u201cBecause the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else\u2019s,\u201d Hultquist says. \u201cThey\u2019re piggybacking on other people\u2019s operations. 
It\u2019s a really clever way of doing business.\u201d<\/p>\n<p>Mandiant\u2019s discovery of Turla\u2019s new technique first came to light in September of last year, when the company\u2019s incident responders found a curious breach of a network in Ukraine, a country that\u2019s become a primary focus of all Kremlin intel services after Russia\u2019s catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, installing a piece of malware called Andromeda.<\/p>\n<p>Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims\u2019 credentials since as early as 2013. But on one of the infected machines, Mandiant\u2019s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. \u201cThat was a red flag for us,\u201d says Mandiant threat intelligence analyst Gabby Roncone.<\/p>\n<p>When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample\u2014whose name was a vulgar taunt of the antivirus industry\u2014had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. 
In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.<\/p>\n<\/div>\n<div data-journey-hook=\"client-content\" data-testid=\"BodyWrapper\">\n<p>\u201cBy doing this you can basically lay under the radar much better. You\u2019re not spamming a bunch of people, you\u2019re letting someone else spam a bunch of people,\u201d says Hultquist. \u201cThen you started picking and choosing which targets are worth your time and your exposure.\u201d<\/p>\n<p>In fact, Mandiant only found that single instance in Ukraine of the hijacked Andromeda infection distributing Turla\u2019s malware. But the company suspects that there were likely more. Hultquist warns there\u2019s no reason to believe the stealthy targeted spying that piggybacked off Andromeda\u2019s USB infections would be limited to just one target, or even to just Ukraine. \u201cTurla has a global intelligence collection mandate,\u201d he says.<\/p>\n<p>Turla has a long history of using clever tricks to hide the control of its malware, and even to hijack the control of other hackers, as Mandiant saw in this most recent case. Cybersecurity firm Kaspersky revealed in 2015 that Turla had <a href=\"https:\/\/www.wired.com\/2015\/09\/turla-russian-espionage-gang-hijacks-satellite-connections-to-steal-data\/\">taken control of satellite internet connections<\/a> to obscure the location of its command-and-control servers. 
In 2019, Britain\u2019s GCHQ intelligence agency <a href=\"https:\/\/www.wired.com\/story\/russian-hackers-false-flags-iran-fancy-bear\/\">warned that Turla had silently commandeered Iranian hackers\u2019 servers<\/a> to conceal themselves and confuse detectives trying to identify them.<\/p>\n<p>Those innovative techniques have made the group a particular obsession for many cybersecurity researchers, who have <a href=\"https:\/\/www.wired.com\/2017\/04\/russian-hackers-used-backdoor-two-decades\/\">traced its fingerprints all the way back to Moonlight Maze<\/a>, one of the first-ever state-sponsored hacking campaigns, discovered in the late 1990s. Turla\u2019s agent.btz thumbdrive malware represented another historic moment for the group: It resulted in a Pentagon initiative called Operation Buckshot Yankee, designed to vastly upgrade the Defense Department\u2019s cybersecurity after the group\u2019s embarrassing USB-based breach.<\/p>\n<p>Mandiant\u2019s discovery of another, stealthier USB-based hacking technique in Turla\u2019s hands should serve as a reminder that even now, 15 years later, that USB-based intrusion vector has hardly disappeared. Plug an infected drive into your USB port today, it seems, and you may be offering an invitation to not only undiscerning cybercriminals, but also a far more sophisticated breed of operative hiding behind them.<\/p>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/www.wired.com\/story\/russia-turla-fsb-usb-infection\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Andy Greenberg<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Russian cyberespionage group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. 
Now, 15 years later, the same group appears to be trying a new<\/p>\n","protected":false},"author":1,"featured_media":594597,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[776,46,117691],"tags":[],"class_list":{"0":"post-594596","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-russian","8":"category-technology","9":"category-turla"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/594596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=594596"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/594596\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/594597"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=594596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=594596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=594596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
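The article describes the defender-relevant pattern without showing how to look for it: a host still beaconing to a commodity-malware C2 domain that lapsed and was re-registered by someone else is no longer a dormant nuisance infection, it is a live foothold whose current owner is unknown. The following is an added example written for this page, not code from the WIRED article or from Mandiant's report. It joins a legacy C2 indicator list against the current WHOIS creation date of each domain (a creation date later than the family's last known activity means the name lapsed and was re-registered) and then walks resolver logs for internal hosts still querying those names. Every domain, date and log line is constructed for illustration, and the single-line log format is an assumption standing in for whatever your resolver emits.

```python
"""Flag legacy-malware beacons whose C2 domain has been re-registered.

Added example, not from the article or Mandiant. Domains (.example is a
reserved TLD), WHOIS dates and log lines are all constructed here.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class LegacyC2:
    domain: str
    family: str
    last_seen_active: date  # last date the original operator was seen using it


# Constructed indicator list of old commodity-malware C2 domains (hypothetical).
LEGACY_C2 = [
    LegacyC2("updatesrv-old.example", "Andromeda", date(2014, 6, 30)),
    LegacyC2("cdn-static-node.example", "Andromeda", date(2015, 2, 10)),
    LegacyC2("mirror-pool.example", "OtherBot", date(2016, 11, 1)),
]

# Constructed stand-in for a WHOIS lookup: the creation date of the *current*
# registration. Newer than the family's last activity => lapsed and re-registered.
WHOIS_CREATED = {
    "updatesrv-old.example": date(2022, 1, 14),   # re-registered long after Andromeda's heyday
    "cdn-static-node.example": date(2013, 3, 3),  # still the original registration
    "mirror-pool.example": date(2022, 3, 2),      # re-registered
}

# Constructed resolver log in an assumed "timestamp client qname qtype" form.
SAMPLE_DNS_LOG = """\
2022-09-14T09:12:01Z 10.0.4.17 updatesrv-old.example A
2022-09-14T09:12:05Z 10.0.4.17 www.example.org A
2022-09-14T09:13:40Z 10.0.4.23 updatesrv-old.example A
2022-09-14T09:15:02Z 10.0.9.8 cdn-static-node.example A
2022-09-14T09:20:11Z 10.0.7.5 mirror-pool.example A
2022-09-14T09:21:00Z 10.0.7.5 UPDATESRV-OLD.EXAMPLE. A
malformed line that should be skipped
"""

LOG_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")


def normalize(qname):
    """Fold case and drop the trailing dot so FQDN forms match the indicator list."""
    return qname.rstrip(".").lower()


def reregistered(ioc, whois_created):
    """True if the domain's current registration postdates the malware's activity.

    Returns None when no WHOIS data is available, so callers do not assert either way.
    """
    created = whois_created.get(ioc.domain)
    if created is None:
        return None
    return created > ioc.last_seen_active


def find_legacy_beacons(log_text, iocs, whois_created):
    """Map each legacy C2 domain seen in the log to the hosts querying it."""
    by_domain = {i.domain: i for i in iocs}
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, qname, _qtype = m.groups()
        qname = normalize(qname)
        if qname in by_domain:
            seen.setdefault(qname, set()).add(client)
    return {
        d: {
            "family": by_domain[d].family,
            "reregistered": bool(reregistered(by_domain[d], whois_created)),
            "hosts": sorted(hosts),
        }
        for d, hosts in sorted(seen.items())
    }


def takeover_hosts(report):
    """Hosts whose legacy beacons now reach a re-registered domain: treat as live, owner unknown."""
    return sorted({h for r in report.values() if r["reregistered"] for h in r["hosts"]})


if __name__ == "__main__":
    rep = find_legacy_beacons(SAMPLE_DNS_LOG, LEGACY_C2, WHOIS_CREATED)
    for domain, info in rep.items():
        tag = "RE-REGISTERED" if info["reregistered"] else "original registration"
        print(f"{domain} ({info['family']}, {tag}): {', '.join(info['hosts'])}")
    print("escalate:", ", ".join(takeover_hosts(rep)))
```

The point of splitting `reregistered` from the log walk is triage order: a stale Andromeda beacon to a domain still under its original 2013 registration is a cleanup ticket, while a beacon to a name re-registered in 2022 is exactly the situation Mandiant describes and should be handled as an active, unattributed intrusion, including a hunt for follow-on payloads on the beaconing host. Passive DNS history (when the domain's resolution changed) is a useful second signal alongside the WHOIS creation date, since registrars differ in how they report a re-registration.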