Computer code used by hackers tied to Russia’s FSB intelligence agency has haunted governments around the world for years.
The hackers’ tools have been associated with a damaging breach of U.S. military networks in the mid-to-late 1990s, and with a cunning hijacking of Iranian hackers’ own infrastructure more than two decades later.
Now, malware analysts have surfaced a new piece of code that they say the Russian hacking group, dubbed Turla, is using to spy on government and think tank websites in the Eurasian country of Armenia.
The Turla operatives set up malicious web infrastructure known as a “watering hole” in an apparent attempt to surveil Armenian government officials last year.
“It is likely that the Turla operators already know who they want to target and may even know the ranges of IP addresses they generally use” before carrying out an operation, said Matthieu Faou, malware researcher at ESET, the antivirus firm that discovered the campaign.
ESET knows of just two victims who were infected by the campaign last year, which is in keeping with Turla’s highly selective hacking.
Turla’s hackers meticulously track whom they want to infect. A user isn’t served malicious code on their first visit to a compromised website; the attackers first whittle down the web traffic to the visitors that interest them. The websites of the consular section of Armenia’s embassy in Moscow, along with an Armenian foreign policy think tank, were compromised. The Armenian Embassy in Moscow did not respond to a request for comment.
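The selection behaviour described above (nothing on the first visit, and only visitors from IP ranges the operators already know) can be shown as a small server-side decision model. The following is an added illustration written for this page; it is not ESET's analysis code or anything recovered from the campaign, and the target ranges, IP addresses and names are constructed (RFC 5737 documentation prefixes).

```python
"""Selective watering-hole serving logic, as an added illustration.

Models the two behaviours the article describes: a visitor is never
served anything on the first visit, and only returning visitors whose
source address falls inside operator-chosen IP ranges get the malicious
content. Everyone else, including a security scanner fetching the page
once, sees the untouched site.
"""
import ipaddress
from collections import defaultdict

CLEAN = "clean"      # the legitimate page, byte-for-byte
PAYLOAD = "payload"  # the page with the injected content


class SelectiveWateringHole:
    """Hypothetical decision logic on a compromised site (constructed)."""

    def __init__(self, target_ranges):
        # Ranges the operators expect their targets to browse from.
        self.targets = [ipaddress.ip_network(r) for r in target_ranges]
        # Source IP -> number of visits observed so far.
        self.visits = defaultdict(int)

    def is_target(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.targets)

    def serve(self, ip):
        """Return what the visitor from `ip` receives on this request."""
        self.visits[ip] += 1
        if self.visits[ip] == 1:
            return CLEAN          # first visit: always the clean page
        if not self.is_target(ip):
            return CLEAN          # outside the chosen ranges: never served
        return PAYLOAD            # returning visitor inside a target range


def fetch(hole, ip, times):
    """Fetch the page `times` times from `ip`; returns the responses seen."""
    return [hole.serve(ip) for _ in range(times)]


def scanner_catches_injection(target_ranges, scanner_ip, fetches=1):
    """Would a scanner at `scanner_ip` making `fetches` requests see the
    payload? Single fetches from outside the ranges never do."""
    hole = SelectiveWateringHole(target_ranges)
    return PAYLOAD in fetch(hole, scanner_ip, fetches)


if __name__ == "__main__":
    ranges = ["192.0.2.0/24", "203.0.113.0/24"]   # constructed target ranges
    hole = SelectiveWateringHole(ranges)
    print("target, two visits:   ", fetch(hole, "192.0.2.10", 2))
    print("non-target, two visits:", fetch(hole, "198.51.100.5", 2))
    print("one-shot scanner, non-target:",
          scanner_catches_injection(ranges, "198.51.100.5"))
    print("two fetches from a target address:",
          scanner_catches_injection(ranges, "203.113.0.7", 2))
```

The practical point for anyone trying to confirm such a compromise is in the last two lines: a single fetch of the page, from a scanner address the operators do not care about, returns the clean site every time, so verification needs repeated requests from the perspective of the expected victims, or server-side inspection of the compromised host rather than of what it serves.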
“Given the nature of the compromised websites, it confirms that Turla is almost exclusively doing cyber-espionage for political motives,” Faou told CyberScoop. He believes the hacks were carried out by a technical team within Turla, which then handed off access to the infected machines to higher-ups within the organization.
Russia holds considerable economic and diplomatic influence in Armenia, a former Soviet country where popular protests toppled a longtime president in 2018.
The espionage campaign is part of a broader pattern of Moscow using its cyber capabilities to project power in a region that it considers its backyard. Last year in Georgia, which borders Armenia, the GRU launched a series of cyberattacks on government websites, according to the U.S. and its allies. Moscow has denied the charges.
But when subtlety rather than brute force is required, analysts say that Moscow calls on Turla.
Widely believed to be working on behalf of the FSB, the successor to the KGB, Turla has used its own malware to conduct pinpoint spying operations for years, showing restraint where other Russian groups, such as the GRU-linked Sandworm, have been reckless.
Adrian Nish, head of threat intelligence at BAE Systems, describes Turla as “the most capable and competent of the Russian threat groups.”
“They are, to some extent, the most professional in the sense that it is pure espionage that they’re involved in” rather than hack and leak or destructive operations, Nish told CyberScoop.
A spokesperson for the Russian Embassy in Washington, D.C., did not respond to a request for comment on the ESET research.