The cybersecurity company Mandiant revealed today that it found an incident in which, it says, Turla’s hackers, widely believed to work in the service of Russia’s FSB intelligence agency, gained access to victims’ networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take control of the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find those worthy of being targeted for espionage.
That hijacking technique appears designed to let Turla avoid detection, hiding inside other hackers’ footprints as it combs through a vast collection of networks. And it shows how the Russian group’s methods have evolved and grown far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Because the malware already proliferated via USB, Turla can exploit it without exposing itself. Rather than using their own USB tools like agent.btz, they can sit on someone else’s,” says Hultquist. “They’re leaning on other people’s operations. It’s a really smart way to do business.”
Mandiant’s discovery of Turla’s new technique first came to light in September of last year, when the company’s incident responders found a curious network breach in Ukraine, a country that has become the target of every Kremlin intelligence service since Russia’s catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked a malicious file on the drive that was disguised as a folder, installing malware called Andromeda.
Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had silently downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, had previously been used by Turla; the second, a backdoor known as Quietcanary that compressed and exfiltrated carefully selected data from the target computer, had been used exclusively by Turla in the past. “That was a red flag for us,” says Gabby Roncone, a threat intelligence analyst at Mandiant.
When Mandiant examined the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample, whose name was a crude anti-virus-industry taunt, had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant noticed that at least two other expired domains had been reregistered. In total, those domains were linked to hundreds of Andromeda infections, which Turla could scan through to find subjects worth spying on.
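As an added illustration, not part of Mandiant’s report or the original article, here is one way a defender could triage an old C2 indicator list for the pattern described above: a domain whose current WHOIS creation date postdates the malware samples that hard-code it must have lapsed and been re-registered by someone else. Domain names, dates and host counts below are constructed placeholders, not the real Andromeda domains.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class WhoisRecord:
    created: date   # creation date of the *current* registration
    expires: date

@dataclass
class C2Domain:
    name: str
    sample_first_seen: date   # earliest malware sample hard-coding this domain
    infected_hosts: int       # hosts in our telemetry still beaconing to it

def classify(domain: C2Domain, whois: Optional[WhoisRecord], today: date) -> str:
    """Return one of 'hijacked', 'dangling', 'expired' or 'original'."""
    if whois is None:
        # No live registration: whoever registers it next receives the beacons.
        return "dangling"
    if whois.created > domain.sample_first_seen:
        # A sample cannot hard-code a domain that did not exist when it was built,
        # so the original registration lapsed and someone re-registered the name.
        return "hijacked"
    if whois.expires < today:
        return "expired"
    return "original"

def rank_takeover_risk(domains: List[C2Domain], whois_db: Dict[str, Optional[WhoisRecord]],
                       today: date) -> List[Tuple[str, str, int]]:
    """Every domain no longer under its original registration, most beaconing hosts first."""
    flagged = []
    for d in domains:
        status = classify(d, whois_db.get(d.name), today)
        if status != "original":
            flagged.append((d.name, status, d.infected_hosts))
    return sorted(flagged, key=lambda row: -row[2])

# Constructed sample data: 2013-era samples paired with WHOIS data as of AS_OF.
AS_OF = date(2023, 1, 5)
DOMAINS = [
    C2Domain("c2-a.invalid", date(2013, 6, 1), 412),
    C2Domain("c2-b.invalid", date(2013, 6, 1), 95),
    C2Domain("c2-c.invalid", date(2014, 2, 10), 31),
    C2Domain("c2-d.invalid", date(2013, 9, 3), 8),
]
WHOIS_DB = {
    "c2-a.invalid": WhoisRecord(date(2022, 1, 14), date(2023, 1, 14)),  # re-registered in 2022
    "c2-b.invalid": WhoisRecord(date(2013, 5, 2), date(2024, 5, 2)),    # original registration intact
    "c2-c.invalid": None,                                              # lapsed and unregistered
    "c2-d.invalid": WhoisRecord(date(2013, 8, 1), date(2022, 11, 1)),  # expired, not yet dropped
}
```

Domains that come out as "hijacked" deserve the same scrutiny as fresh infrastructure, and "dangling" ones are candidates for a defensive sinkhole registration before anyone else picks them up.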
“That way you can basically put yourself under the radar a lot better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you start picking and choosing which targets are worth your time and exposure.”
In fact, Mandiant found only that single case in Ukraine of a hijacked Andromeda infection distributing Turla malware. But the company suspects there were likely more. Hultquist cautions that there’s no reason to believe the stealthy, targeted espionage piggybacking on Andromeda’s USB infections would be limited to a single target, or even to Ukraine. “Turla has a global intelligence-gathering mandate,” he says.
Turla has a long history of using clever tricks to hide control of its malware and even to hijack control of other hackers’ infrastructure, as Mandiant saw in this most recent case. Cybersecurity firm Kaspersky revealed in 2015 that Turla had taken control of satellite internet connections to obscure the location of its command-and-control servers. In 2019, the British intelligence agency GCHQ warned that Turla had quietly commandeered the servers of Iranian hackers to hide from, and confuse, investigators trying to identify them.
These innovative techniques have made the group a particular obsession for many computer security researchers, who have traced its fingerprints back to Moonlight Maze, one of the first state-sponsored hacking campaigns, discovered in the late 1990s. Turla’s agent.btz thumb-drive malware represented another historic moment for the group: It led to a Pentagon initiative called Operation Buckshot Yankee, designed to dramatically improve Department of Defense cybersecurity after the embarrassing USB-based breach by the group.
Mandiant’s discovery of another, stealthier USB-based hacking technique in Turla’s hands should serve as a reminder that even now, 15 years later, that USB-based intrusion vector is far from gone. As it turns out, plug an infected drive into your USB port today, and you could be offering an invitation not only to prying cybercriminals, but to a far more sophisticated breed of operatives lurking behind them.