Turla, a Russian spy group, piggybacks on USB infections from other hackers

The Russian cyber espionage group known as Turla rose to prominence in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through United States Department of Defense systems and gained widespread access through infected USB drives plugged in by unsuspecting Pentagon employees. Now, 15 years later, the same group seems to be putting a new spin on that trick: hijacking other hackers' USB infections so it can piggyback on them and stealthily choose its spy targets.

Today, cybersecurity company Mandiant revealed that it found an incident in which, it says, Turla's hackers, widely believed to be employed by the Russian intelligence agency FSB, gained access to victim networks by re-registering the expired domains of a nearly decade-old cybercriminal malware that spread through infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and search the victims for the ones worth spying on.

That hijacking technique seems designed to keep Turla undetected, hiding in the footsteps of other hackers as it combs through a vast collection of networks. And it shows how the Russian group's methods have evolved and become much more sophisticated over the past decade and a half, says John Hultquist, chief of intelligence analysis at Mandiant. "Since the malware has already spread via USB, Turla can take advantage of it without exposing itself. Instead of using their own USB tools like agent.btz, they can sit on someone else's," says Hultquist. "They piggyback on other people's operations. It is a very smart way of doing business."

Mandiant's discovery of Turla's new technique first came to light last September, when the company's incident responders discovered a curious network breach in Ukraine, a country that has become a primary focus of all Kremlin intelligence agencies following Russia's catastrophic invasion last February. Several computers on that network were infected after someone inserted a USB drive into one of their ports and double-clicked a malicious file on the drive that was disguised as a folder, installing a piece of malware called Andromeda.

Andromeda is a relatively common banking Trojan that cybercriminals have been using since 2013 to steal victims’ credentials. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been used by Turla before; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data from the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.

When Mandiant looked at the command-and-control servers for the Andromeda malware that started the infection chain, the analysts saw that the domain used to control the Andromeda sample, whose name was a vulgar taunt of the antivirus industry, had actually expired and been re-registered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been re-registered. In all, those domains were connected to hundreds of Andromeda infections, all of which Turla could sift through for targets worth spying on.
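The takeover described above leaves a timeline clue a defender can hunt for: a command-and-control domain that old malware samples already called home to, but whose current WHOIS registration was created years later, has changed hands. The following is an added example, not code from the article or from Mandiant; the domain names, first-seen dates and WHOIS dates are constructed placeholders.

```python
"""Flag known C2 domains whose current registration postdates the malware
that used them (a sign the domain expired and was re-registered), and list
known C2 domains that currently have no registration at all.
All data below is constructed for illustration, not real indicators."""
from datetime import date

# Constructed: C2 domains seen in old malware samples, with the date a
# sample was first observed using each domain (placeholder names).
KNOWN_C2 = {
    "c2-example-one.invalid": date(2013, 6, 1),
    "c2-example-two.invalid": date(2014, 2, 10),
    "c2-example-three.invalid": date(2015, 9, 3),
}

# Constructed: current WHOIS creation dates for those domains.
WHOIS_CREATED = {
    "c2-example-one.invalid": date(2022, 1, 15),  # created long after first use
    "c2-example-two.invalid": date(2013, 12, 1),  # original registration intact
    # "c2-example-three.invalid" has no current record: the domain is unregistered
}


def flag_reregistered(known_c2, whois_created, min_gap_days=365):
    """Return {domain: gap_in_days} for domains whose current WHOIS creation
    date falls more than min_gap_days after the malware first used them."""
    flagged = {}
    for domain, first_seen in known_c2.items():
        created = whois_created.get(domain)
        if created is None:
            continue  # unregistered: available for takeover, but not taken yet
        gap = (created - first_seen).days
        if gap > min_gap_days:
            flagged[domain] = gap
    return flagged


def unregistered(known_c2, whois_created):
    """Known C2 domains with no current registration: watch-list candidates,
    since anyone could register them and inherit the surviving infections."""
    return sorted(d for d in known_c2 if d not in whois_created)


if __name__ == "__main__":
    print("re-registered:", flag_reregistered(KNOWN_C2, WHOIS_CREATED))
    print("unregistered:", unregistered(KNOWN_C2, WHOIS_CREATED))
```

In practice the first-seen dates come from historical sandbox or threat-intel reports and the creation dates from a WHOIS or RDAP lookup; the gap threshold avoids flagging routine same-owner renewals.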
