Since Russia’s invasion of Ukraine in February, Moscow’s digital spies and hackers loyal to the Kremlin have attacked Ukrainian systems relentlessly in a bid to support the operation. But one group — known as Turla and widely regarded as one of Russia’s most capable — has been conspicuously absent from the conflict, until now.
On Thursday, researchers at Mandiant disclosed they discovered Turla targeting Ukrainian systems using run-of-the-mill commodity malware and by piggybacking on infrastructure used in earlier criminal operations.
Turla’s attack on Ukrainian systems began before the invasion, in December 2021, when an infected USB stick was inserted into a Ukrainian system and kicked off the campaign, the researchers found.
The stick contained a 2013 version of the Andromeda malware — a commercially available malware family — which began sending beacons to Turla’s command-and-control infrastructure, according to Mandiant. Turla appears to have repurposed that infrastructure from an earlier criminal campaign. Relying on expired domains previously used as part of a likely criminal hacking campaign, Turla re-registered these domains for its own operation.
Turla has in the past relied on malware spread via USB sticks, but in Ukraine, the group is taking a novel approach in obscuring its role. “The new spin is the actors aren’t releasing their own USB malware into the wild,” said John Hultquist, Mandiant’s head of threat intelligence. “Now they are taking advantage of another actor’s work by taking over their command and control. By doing so, Turla removes itself from the high-profile dirty work of proliferation but still gets to select victims of interest.”
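A defender-side check that follows from this technique, added here as an example and not code from Mandiant or CyberScoop: given a constructed domain-registration history and a constructed DNS/proxy log, it flags hosts beaconing to domains that sat unregistered for a year or more and were then newly re-registered, which is how hijacked dormant infrastructure looks from the network. All domain names, host names and dates below are placeholders.

```python
from datetime import date, datetime

# Constructed WHOIS-style history per domain (placeholder names, not from the report):
# when the original campaign registered it, when that registration lapsed, and the
# creation date of the current registration (None if never re-registered).
DOMAIN_HISTORY = {
    "old-bot-c2.example": {"registered": date(2013, 5, 2), "lapsed": date(2016, 5, 2),
                           "current_created": date(2021, 11, 15)},
    "still-lapsed.example": {"registered": date(2013, 7, 9), "lapsed": date(2015, 7, 9),
                             "current_created": None},
    "cdn-vendor.example": {"registered": date(2010, 1, 1), "lapsed": None,
                           "current_created": date(2010, 1, 1)},
}

# Constructed DNS/proxy log: timestamp,source_host,queried_domain
BEACON_LOG = """\
2021-12-03T08:14:02,WS-0417,old-bot-c2.example
2021-12-03T08:14:03,WS-0417,cdn-vendor.example
2021-12-03T09:01:44,WS-0212,still-lapsed.example
2021-12-04T11:30:10,WS-0417,old-bot-c2.example
"""

def parse_beacons(text):
    rows = []
    for line in filter(None, text.splitlines()):
        ts, host, domain = line.split(",")
        rows.append((datetime.fromisoformat(ts).date(), host, domain))
    return rows

def revived_after_lapse(hist, seen_on, min_gap_days=365):
    """True if the domain was unregistered >= min_gap_days and the beacon postdates the new registration."""
    if hist["lapsed"] is None or hist["current_created"] is None:
        return False
    gap = (hist["current_created"] - hist["lapsed"]).days
    return gap >= min_gap_days and seen_on >= hist["current_created"]

def flag_beacons(log_text, history, min_gap_days=365):
    """Return (host, domain, days_dormant) for beacons to revived domains, one entry per pair."""
    flagged = {}
    for seen_on, host, domain in parse_beacons(log_text):
        hist = history.get(domain)
        if hist and revived_after_lapse(hist, seen_on, min_gap_days):
            days = (hist["current_created"] - hist["lapsed"]).days
            flagged.setdefault((host, domain), days)
    return sorted((h, d, n) for (h, d), n in flagged.items())

if __name__ == "__main__":
    for host, domain, days in flag_beacons(BEACON_LOG, DOMAIN_HISTORY):
        print(f"{host} beaconed to {domain}, re-registered after {days} days dormant")
```

Only the host whose old implant calls a lapsed-then-renewed domain is flagged; the still-unregistered domain and the continuously held vendor domain are not.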
First identified in the mid-1990s, Turla has a long history of making life miserable for the defenders of Western computer systems.
In 1996, the group is believed to have carried out a daring raid of computing systems belonging to NASA and the Pentagon that marked the first known state-on-state computer espionage campaign. In 2007, experts accused the group of breaking into some of the U.S. military’s most sensitive computer systems using an infected USB stick — an attack that reshaped the Pentagon’s approach to cybersecurity and spurred the creation of U.S. Cyber Command. More recently, the group was accused of targeting defense and cybersecurity groups in the Baltics.
Linked to Russia’s domestic intelligence and security service FSB, Turla is one of Russia’s most storied hacking units with a penchant for secrecy and masking their attacks. “We get glances of them and then they disappear on us,” Hultquist said in an interview with CyberScoop.
Hultquist described the group’s use of dormant command-and-control infrastructure as “a great example of their ability to innovate and take advantage of others and get to their targets.”
Since invading, Russia doesn’t appear to have carried out the type of large-scale cyberattacks in Ukraine that many observers had expected, but Ukrainian officials have described a high volume of attacks aimed at supporting the Russian war effort.
Thursday’s report from Mandiant serves as a reminder that there may be significant Russian activity in cyberspace occurring under the radar. The operation described by Mandiant began in December 2021 and was not discovered until September of this year.
Mandiant did not disclose which entities in Ukraine Turla targeted, but said it carried out “extensive profiling” of victims beginning in January, allowing “the group to select specific victim systems and tailor their follow-on exploitation efforts to gather and exfiltrate information of strategic importance to inform Russian priorities.”
In other respects, the researchers painted a picture of Turla’s operation that resembles the shambolic nature of the broader Russian war effort.
The group relied on a reconnaissance utility known as “Kopiluwak” and a backdoor known as “Quietcanary” and downloaded these tools multiple times in succession, “which may suggest the group was operating with haste or less concern for operational security, experiencing some aspect of operational deficiency, or using automated tools,” Mandiant noted.
And in repurposing dormant criminal infrastructure for command-and-control, Turla also gave new life to the juvenile jokes of the criminal underground: Mandiant’s researchers found that one of the re-registered domains included a lewd reference advising the “lame AV industry” to perform a sex act on the attacker.