Mandiant uncovers new Russian attacks against Ukraine by Turla
Research from Mandiant has uncovered new Russian attacks against Ukraine.
Mandiant published research of a new espionage operation targeting Ukraine that Mandiant suspects is being conducted by the Russian cyber espionage group, Turla Team.
This is Mandiant's first observation of suspected Turla targeting Ukrainian entities since the onset of Russias invasion.
According to the company, what is novel about this instance is that the group currently tracked as UNC4210 re-registered expired Command & Control (C2) domains that were once used (dating back to the 2010s) by financially motivated threat groups to distribute the ANDROMEDA malware.
ANDROMEDA was a common commodity malware that was widespread in the early 2010’s. The particular version whose C2 was hijacked by UNC4210 was first uploaded to VirusTotal in 2013 and spreads from infected USB keys. Mandiant Managed Defense continues to observe ANDROMEDA malware infections across a wide variety of industries, however, Mandiant has only observed suspected Turla payloads delivered in Ukraine.
Mandiant suspects that by using older malware and infrastructure, Turla's operation was more likely to be overlooked by defenders triaging a wide variety of alerts.
Upon registering these C2s in January 2022, Turla Team began profiling victims to selectively deploy the KOPILUWAK reconnaissance utility, and then the QUIETCANARY backdoor in September 2022. Based on Mandiant's investigation, its believe that the ANDROMEDA domains reported back basic system information and IP addresses on the victims that allowed UNC4210 to determine whether to send the Turla payload to the victim or to do nothing. As part of the espionage, Turla was collecting MS Office documents, PDFs, text files and LNK files.
John Hultquist, head of threat intelligence at Mandiant, says removable media remains a powerful if indiscriminate tool for cybercriminals and state actors alike.
"Turla, which has been linked to the FSB, famously used removable media before in a widespread incident that led to loud, mass proliferation across DoD systems over a decade ago," he says.
"The proliferation of Agent.BTZ, clearly beyond the intent of the service, led to unprecedented response and exposure of the FSB operations.
"This incident is familiar, but the new spin is the actors are not releasing their own USB malware into the wild," Hultquist says.
"Now they are taking advantage of another actors work by taking over their command and control," he says.
"By doing so Turla removes itself from the high-profile dirty work of proliferation but still gets to select victims of interest.
"Accesses obtained by cybercriminals are an increasingly leveraged tool for Russian intelligence services who can buy or steal them for their own purposes."
As older ANDROMEDA malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims. This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts.