Russia's elite hacking unit has been silent, but busy

While APT28 was making fun of the DNC through Western media, Turla APT remained active and hacking in the shadows.
Written by Catalin Cimpanu, Contributor

Turla, one of the codenames the cyber-security industry has given to one of Russia's oldest and most "talented" cyber-espionage units, has been very active in the past three years, even though its operations have not received the same media coverage as those of other, more flashy Russian hacking outfits.

According to new research presented yesterday at the Virus Bulletin security conference held in Montreal, Canada, the group has been behind dozens of hacks around the world, operating with revamped malware and a tendency towards runtime scripting and the usage of open source tools.

"Turla was absent from the milestone DNC hack event where Sofacy [APT28] and CozyDuke [APT29] were both present, but Turla was quietly active around the globe on other projects," said Kaspersky's GReAT team in a report published shortly after the presentation.

But while APT28 and APT29's loud dissemination of the hacked DNC data led to public inquiries into their ties to Russian intelligence agencies -- which eventually led to several public indictments [1, 2, 3] -- Turla remains as much of a mystery as it always was.

Considered by many to be Russia's elite hacking unit, Turla is believed to have ties to Moonlight Maze, one of the first government-backed hacking operations ever discovered, back in the 90s.

The Turla group is infamous for past operations that seem to be pulled out of Hollywood movie scripts. The group has been known to hijack telecommunications satellite links to deliver malware to remote areas of the globe, has developed malware that hid its command-and-control address in comments on a Britney Spears Instagram post, and has hijacked ISP-level infrastructure to redirect users to malware.

Turla hacks are rarely covered by news media, but they always go after strategic targets in the interest of the Russian state.

The group is very careful about its operational security and reveals few hints about its operators, and it has never relied on social media diversionary tactics like the ones used by APT28 -- which created and operated the Guccifer 2.0 hacker persona and the Fancy Bears HT Twitter account in an attempt to manipulate the media and take the blame for hacks instead of the Russian state.

But while APT28 was busy feeding international media all sorts of Russian propaganda, Turla was occupied hacking government and foreign affairs organizations, universities, news media agencies, and scientific and energy research organizations.

In its recent report, Kaspersky has listed several of the group's hacks from the past three years, including a detailed description of its revamped hacking arsenal, which includes the Mosquito, New Carbon, IcedCoffee, KopiLuwak, WhiteAtlas, and WhiteBear backdoors.


According to the Moscow-based antivirus maker, Turla's Carbon and Mosquito operations focused on government and foreign affairs related organizations in Central Asia, while WhiteAtlas and WhiteBear activity also targeted foreign affairs-related organizations, but all over the globe, and not in a specific area.

On the other hand, the Turla operation relying on IcedCoffee, a JavaScript-based backdoor, was not widely deployed and was used only against diplomats, including ambassadors, of European governments.

KopiLuwak, a similar JavaScript-based backdoor, was used against the same type of targets as IcedCoffee, but on even rarer occasions. Furthermore, Kaspersky says that in 2018 this tool was also used against government-related scientific and energy research organizations, and a government-related communications organization in Afghanistan, showing a general shift in Turla operations from diplomatic cyber-espionage toward the research sector.

From Russia with Code
