Turla Compromises, Infiltrates Iranian APT Infrastructure
The Russian-speaking APT stole the Neuron and Nautilus implants and accessed the Iranian APT’s C2 infrastructure.
Russian-linked hackers known as the Turla group have been piggybacking on Iranian hackers’ tools and infrastructure for years now to run their own attacks, according to a joint announcement Monday from the National Security Agency and the U.K.’s National Cyber Security Centre. A two-year long investigation revealed that the Turla group, which has been linked to Russian intelligence, scanned for the presence of Iranian-built backdoors, then used them to try gaining a foothold in victim networks in at least 35 countries, largely in the Middle East, according to the NSA. This announcement again demonstrates how hackers will use other attackers’ techniques, creating the false impression that one espionage group is behind an operation when, in fact, it’s another. “Turla acquired access to Iranian tools and the ability to identify and exploit them to further their own aims,” the NCSC’s Director of Operations, Paul Chichester, said in a statement. Turla would run its own cyber-espionage operations using […]
The post Russian hackers have been mooching off existing OilRig infrastructure appeared first on CyberScoop.
One of the Kremlin-linked hacking groups that breached the Democratic National Committee in 2016 has remained active in the years that followed, even if it’s been less visible. Cozy Bear, also known as APT29 and the Dukes, began using different malicious software and new hacking techniques after 2016, according to findings published Thursday by the Slovakian security firm ESET. There wasn’t much public evidence of the group’s activity, but researchers say it did not go quiet after interfering in the U.S. presidential election. The hackers targeted U.S. think tanks in 2017, defense contractors in 2018 and three European countries’ ministries of foreign affairs. (The U.S. security firm FireEye suggested in November that Cozy Bear was showing signs of activity.) “Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying,” ESET said in its report. “The Dukes were able […]
The post Cozy Bear kept moving after 2016 election, ESET says appeared first on CyberScoop.
The quarterly summaries of APT activity are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private reports. This is our latest installment, focusing on activities that we observed during Q3 2019. Continue reading APT trends report Q3 2019
In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. We called these new modules ‘Reductor’ after a .pdb path left in some samples. Continue reading COMpfun successor Reductor infects files on the fly to compromise TLS traffic
The quarterly summaries of APT activity are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private reports. This is our latest installment, focusing on activities that we observed during Q2 2019. Continue reading APT trends report Q2 2019
A dropper called “Topinambour” is the first-stage implant, which in turn fetches a spy trojan built in several coding languages. Continue reading Turla APT Returns with New Malware, Anti-Censorship Angle
It’s a common practice: Researchers digging through malware find legitimate clues that point to its authors or data that are false flags meant to throw researchers off the right path. In the case of the Turla hacking group, which is reportedly tied to Russia’s FSB intelligence service, it is unclear why the group decided to name one of its code strings “TrumpTower” or another “RocketMan!” – presumably a reference to U.S. President Donald Trump’s nickname for North Korean dictator Kim Jong Un. Regardless of whether or not Turla was trolling, it’s clear to researchers from cybersecurity company Kaspersky that the new code was built for an ongoing hacking campaign aimed at a narrow set of unnamed government organizations. To deliver the malicious code to its targets, Turla used legitimate software downloaders, such as tools to evade internet censorship, that were infected with a “dropper” to install the malware. While not saying where the targeting […]
The post Russia’s Turla group goes trolling with code labeled “TrumpTower” appeared first on CyberScoop.
2019 has seen the Turla actor actively renew its arsenal. Its developers are still using a familiar coding style, but they’re creating new tools. Here we’ll tell you about several of them, namely “Topinambour” and its related modules. Continue reading Turla renews its arsenal with Topinambour
Like any group of spies or soldiers, state-sponsored hacking groups are acutely interested in what their peers are using. Servers, domains and other digital tools can be contested resources just like others in espionage or warfare. And there’s no guarantee that any group can keep a tight grip on its own internet infrastructure. In documenting how Turla, a Russia-linked outfit, hijacked the server of OilRig, a group associated with Iran, new research from Symantec shows what that overlap looks like in action. “This is the first time Symantec has observed one actor hijack another’s infrastructure,” said Alexandrea Berninger, senior cyber intelligence analyst at Symantec. “Although we don’t expect this to become a common tactic, we do expect to see deceptive operations like this amongst the most capable threat actor groups.” The apparently hostile takeover took place in January 2018, when a computer in a Middle Eastern government organization downloaded a variant of the […]
The post What happens when one APT hijacks another’s infrastructure appeared first on CyberScoop.