Russian hacking campaign targets G20 attendees with booby-trapped invites

Turla APT group is sending out invites to a real G20 event in Hamburg, targeting politicians, policy makers and other experts for the purposes of espionage.
Written by Danny Palmer, Senior Writer

The attackers are targeting organisations and individuals who could be attending a real G20 event in Hamburg.


A Russian hacking group is conducting a cyber-espionage campaign against politicians, policy makers, and journalists ahead of a G20 task force meeting.

The attackers are attempting to distribute a variant of the KopiLuwak backdoor Trojan to these G20 attendees, for the purposes of reconnaissance and as a staging post for more advanced attacks, say researchers at Proofpoint.

Turla, a well-known advanced persistent threat (APT) group, is believed to be behind the attacks.

Security professionals believe the group is state-sponsored and works to further the aims of the Russian government -- although President Vladimir Putin claims the country doesn't hack others, despite accusations of interference in the US presidential election.

The group previously abused satellites to cover its tracks and has attempted to distribute malware in the comments section of Britney Spears' Instagram page.

Now the group is attempting to spread the backdoor dropper to its G20 targets using spear-phishing emails containing a 'Save the Date' invitation for a G20 Task Force on the Digital Economy, which is set to take place in October.

The event is real, and the intended targets are individuals and organisations with an interest in the G20's Digital Economy Task Force, including diplomats, economics experts, and even the press.


The potentially-stolen lure document used as part of the attack.

Image: Proofpoint

Researchers say they're "moderately confident" the invite is legitimate, which may indicate "that an entity with access to the invitation was already compromised" -- meaning the document has been obtained via a separate, but related, hack.

The document acts as a decoy, disguising a JavaScript dropper that installs a JS decryptor onto an infected machine and then goes on to decrypt and execute the KopiLuwak backdoor, a particularly robust tool associated with the Turla group.

Named Scr.js, the JS dropper puts the backdoor in place and sets up scheduled tasks to maintain persistence. The backdoor communicates with what appear to be legitimate, but compromised, servers, which act as command and control for the malware.
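The persistence mechanism described above (a scheduled task that launches a script-engine dropper) is exactly the kind of thing a defender can hunt for in Windows audit logs. The following is an added example, not code from Proofpoint or from the article: it scans simplified Windows Security event 4698 ("a scheduled task was created") records and flags tasks whose action runs a Windows script host against a script stored in a user-writable location. The event records, task names, paths and the hypothetical `analyse_task` / `scan` helpers are all constructed for illustration; real 4698 events carry the task's full XML in their TaskContent field, from which the command and arguments would first have to be extracted.

```python
"""Flag scheduled-task persistence that launches a script-host dropper.

Added example (not Proofpoint's or ZDNet's code). The EVENTS below are
constructed, simplified Windows Security 4698 records with the task action
already split into 'command' and 'arguments'.
"""
import re
from dataclasses import dataclass

# Windows script hosts commonly used to run .js/.vbs droppers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Script file extensions the hosts above will execute.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)(\b|\")", re.IGNORECASE)
# Paths an ordinary user can write to without admin rights.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|%appdata%|%temp%)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    task_name: str
    author: str
    reasons: list


def analyse_task(event):
    """Return a Finding if the task looks like script-host persistence, else None.

    Rule: the task must invoke a script host AND point it at a payload in a
    user-writable path. A script-file extension is recorded as an extra reason
    but is not required, since a dropper may hide behind an unusual extension.
    """
    reasons = []
    cmd = event["command"].lower()
    args = event["arguments"]
    exe = cmd.rsplit("\\", 1)[-1]
    in_user_path = bool(USER_WRITABLE.search(args) or USER_WRITABLE.search(cmd))

    if exe in SCRIPT_HOSTS:
        reasons.append(f"task runs script host {exe}")
    if SCRIPT_EXT.search(args):
        reasons.append("task argument is a script file")
    if in_user_path:
        reasons.append("payload lives in a user-writable path")

    if exe in SCRIPT_HOSTS and in_user_path:
        return Finding(event["task_name"], event["author"], reasons)
    return None


def scan(events):
    """Run analyse_task over a batch of 4698 records and keep the hits."""
    return [f for f in (analyse_task(e) for e in events) if f]


# Constructed sample records: one benign built-in task, one suspicious task
# that mirrors the pattern in the article, one benign admin script.
EVENTS = [
    {"task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "author": "SYSTEM",
     "command": "%windir%\\system32\\defrag.exe", "arguments": "-c -h -o -$"},
    {"task_name": "\\UpdateCheck", "author": "CORP\\jdoe",
     "command": "C:\\Windows\\System32\\wscript.exe",
     "arguments": "//B //E:JScript \"C:\\Users\\jdoe\\AppData\\Roaming\\update.js\""},
    {"task_name": "\\Backup", "author": "CORP\\admin",
     "command": "C:\\Windows\\System32\\cscript.exe",
     "arguments": "C:\\Scripts\\backup.vbs"},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(f"{finding.task_name} created by {finding.author}: "
              + "; ".join(finding.reasons))
```

Event 4698 is only logged when the "Audit Other Object Access Events" subcategory is enabled, so the first check in any hunt is that the audit policy is actually producing these records; the same logic can be applied to process-creation telemetry (Sysmon event 1, Security 4688) by treating the parent as the Task Scheduler service and the child as the script host.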

The decoy document and its associated malware droppers were discovered by Proofpoint researcher Darien Huss, who found them on a public malware repository.

While no attacks using this dropper have so far been spotted in the wild, the campaign is ultimately designed to give attackers access to the PCs of very high-profile targets associated with the G20 task force, with the ability to monitor and steal what could be extremely sensitive information belonging to governments and policy bodies.

In addition to exfiltrating data, KopiLuwak is capable of downloading additional payloads and has the ability to execute arbitrary commands. Researchers say that for most Windows operating systems, the potential impact would be high, especially given the nature of those being targeted.

Proofpoint has notified CERT-Bund, the federal computer emergency response team of Germany, about the Turla campaign ahead of next month's Hamburg meeting.
