The FSB-linked cyber-espionage group Turla has learned to attack targets that were previously infected by other hackers, according to cybersecurity company Mandiant.
Mandiant first discovered the new Turla tooling in September 2022, when its analysts noticed an intrusion into a system in Ukraine. Several computers on the network had been infected after someone inserted a USB drive into one of them and double-clicked a malicious file on the drive that was disguised as a folder, which installed a piece of malware called Andromeda.
Andromeda is a relatively common banking Trojan that cybercriminals have used to steal victims' credentials since 2013. But on one of the infected devices, Mandiant analysts saw that the Andromeda sample silently downloaded two other, more unusual pieces of malware. The first, a reconnaissance tool called Kopiluwak, had previously been used by Turla; the second was a piece of malware known as Quietcanary, which compresses and exfiltrates carefully selected data from the target computer, and had also been used exclusively by Turla in the past. “That was a wake-up call for us,” says Mandiant threat analyst Gabby Roncone.
This infection technique appears designed to let Turla remain undetected by hiding behind other hackers' operations. It shows how much the Russian group's methods have changed and grown more sophisticated over the past decade and a half, says John Hultquist, head of intelligence analysis at Mandiant:
“Because the malware was already distributed via USB, Turla can exploit this without revealing itself. Instead of using their own USB tools like agent.btz, they can use someone else's. They use other people's operations. It's a really smart way to do business.”