APT28 Gets the Spotlight, But Turla Remains Russia’s Elite Hacking Unit

Over the past two years, the Russian cyberespionage group known as APT28, Sofacy or Fancy Bear has been the focus of many press reports, threat analyses, Western intelligence investigations and, more recently, U.S. prosecution efforts. Yet despite all the varied attacks attributed to it and its alleged association with the Russian GRU military intelligence agency, APT28 is not the most advanced hacker unit serving Russian interests. That honor goes to Turla, a group that has continued its stealthy operations against diplomatic, foreign affairs and scientific organizations around the world while APT28 and APT29 (CozyDuke) stole the spotlight.

Turla, also called Venomous Bear, Waterbug and Uroboros, is a shadowy APT threat that has been active for a very long time. In fact, researchers believe the roots of the group go back more than 20 years to Operation Moonlight Maze, one of the first documented cyberespionage campaigns, which led to data leaks from U.S. military, research and university networks in 1996.

Turla is known for highly sophisticated operations, including hijacking telecommunications satellites and ISP infrastructure to control malware, putting it on par in many ways with the Equation group, the security industry’s name for the NSA’s Tailored Access Operations hacking unit.

“Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group,” researchers from antivirus maker Kaspersky Lab said in a new report. “It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on.”

Turla’s target selection is influenced by Russia’s geopolitical interests, which is why it’s suspected of direct ties to the Russian government, just like APT28 and APT29. The group is very good at hiding its tracks, planting false flags and remaining undetected for long periods of time. It runs several cyberespionage campaigns with different malware and often relies on legitimate, dual-use tools and scripting languages such as PowerShell and JavaScript.

Two of the group’s tools are known as Mosquito and Carbon and are used to spy primarily on diplomatic and foreign affairs targets. Another two, called WhiteAtlas and WhiteBear, are likewise used against foreign affairs organizations, but also against scientific and technical centers, as well as organizations outside the political spectrum. Finally, Turla activity that involves a JavaScript backdoor called KopiLuwak focuses on scientific and energy research organizations, but has also impacted a communications organization in Afghanistan.

“Much of our 2018 research focused on Turla’s KopiLuwak JavaScript backdoor, new variants of the Carbon framework and meterpreter delivery techniques,” the Kaspersky researchers said. “Also interesting was Mosquito’s changing delivery techniques, customized PoshSec-Mod open-source PowerShell use, and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018.

“This highly selective but wider targeting set most likely will continue into 2019,” the researchers concluded.

The various Russian APT actors, including Turla, appear to collaborate and share tools to some extent. For example, Kaspersky noted that Turla has borrowed spearphishing techniques from another group known as Zebrocy or Earworm, and in a new report released this week, security researchers from Symantec note that Zebrocy had collaborated with APT28 in the past.

“During 2016, Symantec observed some overlap between the command and control (C&C) infrastructure used by Earworm and the C&C infrastructure used by Grizzly Steppe (the U.S. government code name for APT28 and related actors), implying a potential connection between Earworm and APT28,” the Symantec researchers said. “However, Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group.”

Lucian Constantin



Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
