Category Archives: Turla

Cozy Bear kept moving after 2016 election, ESET says

Posted on by

One of the Kremlin-linked hacking groups that breached the Democratic National Committee in 2016 has remained active in the years that followed, even if it’s been less visible. Cozy Bear, also known as APT29 and the Dukes, began using different malicious software and new hacking techniques after 2016, according to findings published Thursday by the Slovakian security firm ESET. There wasn’t much public evidence of the group’s activity, but researchers say it did not go quiet after interfering in the U.S. presidential election. The hackers targeted U.S. think tanks in 2017, defense contractors in 2018 and three European countries’ ministries of foreign affairs. (The U.S. security firm FireEye suggested in November that Cozy Bear was showing signs of activity.) “Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying,” ESET said in its report. “The Dukes were able […]

The post Cozy Bear kept moving after 2016 election, ESET says appeared first on CyberScoop.

Continue reading Cozy Bear kept moving after 2016 election, ESET says

APT trends report Q3 2019

Posted on by

The quarterly summaries of APT activity are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private reports. This is our latest installment, focusing on activities that we observed during Q3 2019. Continue reading APT trends report Q3 2019

COMpfun successor Reductor infects files on the fly to compromise TLS traffic

Posted on by

In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. We called these new modules ‘Reductor’ after a .pdb path left in some samples. Continue reading COMpfun successor Reductor infects files on the fly to compromise TLS traffic

APT trends report Q2 2019

Posted on by

The quarterly summaries of APT activity are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private reports. This is our latest installment, focusing on activities that we observed during Q2 2019. Continue reading APT trends report Q2 2019

Turla APT Returns with New Malware, Anti-Censorship Angle

Posted on by

A dropper called “Topinambour” is the first-stage implant, which in turn fetches a spy trojan built in several coding languages. Continue reading Turla APT Returns with New Malware, Anti-Censorship Angle

Russia’s Turla group goes trolling with code labeled “TrumpTower”

Posted on by

It’s a common practice: Researchers digging through malware find legitimate clues that point to its authors or data that are false flags meant to throw researchers off the right path. In the case of the Turla hacking group, which is reportedly tied to Russia’s FSB intelligence service, it is unclear why the group decided to name one of its code strings “TrumpTower” or another “RocketMan!” – presumably a reference to U.S. President Donald Trump’s nickname for North Korean dictator Kim Jong Un. Regardless of whether or not Turla was trolling, it’s clear to researchers from cybersecurity company Kaspersky that the new code was built for an ongoing hacking campaign aimed at a narrow set of unnamed government organizations. To deliver the malicious code to its targets, Turla used legitimate software downloaders, such as tools to evade internet censorship, that were infected with a “dropper” to install the malware. While not saying where the targeting […]

The post Russia’s Turla group goes trolling with code labeled “TrumpTower” appeared first on CyberScoop.

Continue reading Russia’s Turla group goes trolling with code labeled “TrumpTower”

What happens when one APT hijacks another’s infrastructure

Posted on by

Like any group of spies or soldiers, state-sponsored hacking groups are acutely interested in what their peers are using. Servers, domains and other digital tools can be contested resources just like others in in espionage or warfare. And there’s no guarantee that any group can keep a tight grip on its own internet infrastructure. In documenting how Turla, a Russia-linked outfit, hijacked the server of OilRig, a group associated with Iran, new research from Symantec shows what that overlap looks like in action. “This is the first time Symantec has observed one actor hijack another’s infrastructure,” said Alexandrea Berninger, senior cyber intelligence analyst at Symantec. “Although we don’t expect this to become a common tactic, we do expect to see deceptive operations like this amongst the most capable threat actor groups.” The apparently hostile takeover took place in January 2018, when a computer in a Middle Eastern government organization downloaded a variant of the […]

The post What happens when one APT hijacks another’s infrastructure appeared first on CyberScoop.

Continue reading What happens when one APT hijacks another’s infrastructure

APT review of the year

Posted on by

What were the most interesting developments in terms of APT activity throughout the year and what can we learn from them? Not an easy question to answer. Still, with the benefit of hindsight, let’s try to approach the problem from different angles to get a better understanding of what went on. Continue reading APT review of the year