
Russian hackers utilized new backdoor methods to conduct surveillance on European Ministry of Foreign Affairs

Researchers recently discovered two new backdoors implanted in the infrastructure of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions, shedding light on the ongoing cyber espionage activities targeting high-profile entities. The Slovakian cybersecurity firm ESET identified these backdoors, named “LunarWeb” and “LunarMail,” and attributed them to the Turla cyberespionage group believed to have connections to Russian interests.

Turla, a long-standing cyber threat group associated with the Russian FSB, has been active since at least 2004, with a history of targeting governments and diplomatic organizations across Europe, Central Asia, and the Middle East. Noteworthy breaches by Turla include infiltrations of the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014, showcasing the group’s sophisticated capabilities.

The Lunar toolset, in use since 2020, is believed to be an extension of Turla’s arsenal based on the similarities in tactics, techniques, and procedures found in past cyber operations. The deployment of LunarWeb and LunarMail signifies a strategic effort by Turla to gather intelligence and maintain covert access to sensitive diplomatic networks.

LunarWeb, the first backdoor identified, operates stealthily within servers by mimicking legitimate web traffic patterns to avoid detection. Utilizing steganography, LunarWeb embeds malicious commands within innocuous images to evade security measures effectively. The versatility of LunarWeb’s loader, known as LunarLoader, allows it to adapt to various scenarios, including posing as trojanized open-source software.

On the other hand, LunarMail, the second backdoor discovered, targets individual workstations by infiltrating Outlook email platforms. By integrating itself within email communications, LunarMail operates discreetly amidst everyday digital correspondence, collecting information and communicating with a command and control server through the Outlook Messaging API. Capable of executing various commands, LunarMail employs steganography techniques within email attachments for covert communication channels.

The initial access vectors employed by Turla hackers may involve exploiting vulnerabilities or launching spearphishing campaigns. The abuse of Zabbix network monitoring software is also a potential avenue for compromise, according to researchers. The strategic nature of the intrusions within European MFA entities demonstrates the sophisticated and targeted approach adopted by the threat actors.

In a recent report by Mandiant, it was highlighted that Russian state-sponsored cyber threats pose a significant risk to elections in regions of interest to Russia, including the European Union, the United Kingdom, and the United States. The multifaceted approach of Russian cyber interference combines cyber intrusions with information operations to influence public perceptions and create discord.

Overall, the discovery of the LunarWeb and LunarMail backdoors underscores the continuous threat posed by state-aligned cyber espionage groups like Turla. As cyber threats continue to evolve and target critical infrastructure, proactive measures and increased cybersecurity vigilance are essential to safeguard against such malicious activities.
