Russia-linked Turla APT hacked European government organization

Russia-linked APT Turla has hacked into the systems of an undisclosed European government organization according to Accenture.

According to a report published by Accenture Cyber Threat Intelligence (ACTI), Russia-linked cyber-espionage group Turla has hacked into the systems of an undisclosed European government organization.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

The attack against the undisclosed European government organization is in line with the APT’s espionage motivation, the attacker utilized a combination of remote procedure call (RPC)-based backdoors, such as HyperStack and remote administration trojans (RATs), such as Kazuar and Carbon. ACTI researchers observed the attacks between June and October 2020. 

“Notably, Accenture researchers recently identified novel command and control (C&C) configurations for Turla’s Carbon and Kazuar backdoors on the same victim network.” reads the report published by Accenture. “The Kazuar instances varied in configuration between using external C&C nodes off the victim network and internal nodes on the affected network, and the Carbon instance had been updated to include a Pastebin project to receive encrypted tasks alongside its traditional HTTP C&C infrastructure.”

HyperStack is one of several RPC backdoors in the Turla’s arsenal that was first observed in 2018, it is a custom implant developed by the ATP group.

HyperStack leverages named pipes to execute remote procedure calls (RPC) from the command end control to the device running the HyperStack client. Lateral movements are implemented attempting to connect to another remote device’s IPC$ share, either using a null session or default credentials.

“IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from. If the implant’s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device.” continues the report.

Turla uses a variety of command and control (C&C) implementations for each compromise in an attempt to be resilient to countermeasures implemented by the defenders. The Russia-linked APT group has relied on bot compromised web servers as C&C and legitimate web services like Pastebin as C2. One of the Kazuar sample analyzed by the experts was configured to receive commands sent through likely internal nodes in the government’s network.

Turla continues to extensively use the modular Carbon backdoor framework with advanced peer-to-peer capability. One of the Carbon backdoor analyzed by the researchers used the traditional threat actor-owned C&C infrastructure with tasks served from Pastebin. ACTI analysts discovered a Carbon installer that dropped a Carbon Orchestrator, two communication modules, and an encrypted configuration file.

ACTI also shared Indicators of Compromise (IoCs) for this attack to allow Government entities to check for evidence of compromise within their networks.

“Turla will likely continue to use its legacy tools, albeit with upgrades, to compromise and maintain long-term access to its victims because these tools have proven successful against Windows-based networks,” concludes Accenture.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Turla)

[adrotate banner=”5″]

[adrotate banner=”13″]