Cisco Talos has uncovered a cyberespionage campaign that it attributes to Turla, the Russia-based advanced persistent threat (APT) group. The campaign specifically targets Polish non-governmental organizations (NGOs), which Talos reads as a widening of Turla's targeting to organizations that support Ukraine's war effort.
Turla is tracked under several aliases, including Snake, Uroburos, Venomous Bear and WaterBug. According to the Cisco Talos blog post, the campaign uses a new backdoor that Talos named "TinyTurla-NG." The backdoor has modular capabilities, which Talos reads as a shift in the group's tactics. The post also describes TinyTurla-NG as a "last-chance" backdoor: it is left behind so that the operators retain access after their other, previously established footholds have been detected or have failed. This shows Turla continuously adapting to avoid having its activity detected and blocked.
The backdoor can also run PowerShell scripts and arbitrary commands supplied by its operators, letting them carry out specific actions on demand; commands can be executed through either PowerShell or the Windows command line (cmd.exe).
In addition to TinyTurla-NG, Turla has introduced a PowerShell-based implant, TurlaPower-NG, built to exfiltrate files of interest to the attackers. In the attacks on the Polish NGOs it was used to steal the password databases of password-management software, a clear sign of a concerted effort to harvest login credentials from victims.
Despite these advances, Turla still relies on older tradecraft. The group continues to use compromised WordPress-based websites for command and control (C2), choosing sites that run outdated versions of WordPress so that it can upload the PHP files that carry the C2 code.
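The two conditions described above (an outdated WordPress core and attacker-uploaded PHP under the media directory) are something a site owner can check for directly. The script below is an added example written for this article, not code from Cisco Talos or from the Turla toolset, and it contains no indicators from the report: the minimum acceptable version, the uploads path and the sample site tree it builds are all assumptions chosen for the demonstration.

```python
"""Audit a WordPress document root for an outdated core version and for
PHP files under wp-content/uploads, a directory that should hold media only.

Added example, not Cisco Talos or Turla tooling. The tree built by
build_sample_site() is constructed for the demo; MIN_SUPPORTED_VERSION and
the uploads path are assumptions, not values from the campaign report.
"""
import os
import re
import tempfile

# Hypothetical policy threshold: treat anything older than this as outdated.
MIN_SUPPORTED_VERSION = (6, 4, 0)

# Extensions a typical PHP handler will execute; none belong under uploads.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# wp-includes/version.php declares the core version as: $wp_version = '6.2.1';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(text):
    """Turn '6.2.1', '6.4' or '6.4.2-alpha' into a three-part integer tuple."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def read_wp_version(docroot):
    """Read $wp_version from wp-includes/version.php; None if not found."""
    path = os.path.join(docroot, "wp-includes", "version.php")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            m = VERSION_RE.search(fh.read())
    except OSError:
        return None
    return m.group(1) if m else None


def find_php_in_uploads(docroot):
    """Return PHP-like files under wp-content/uploads, relative to docroot."""
    uploads = os.path.join(docroot, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)


def audit_site(docroot):
    """Run both checks and return the findings as a dict."""
    version = read_wp_version(docroot)
    outdated = version is not None and parse_version(version) < MIN_SUPPORTED_VERSION
    return {
        "wp_version": version,
        "outdated": outdated,
        "php_in_uploads": find_php_in_uploads(docroot),
    }


def build_sample_site(root):
    """Create a constructed WordPress-like tree with one planted PHP file."""
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
        fh.write("<?php\n$wp_version = '6.2.1';\n")
    media = os.path.join(root, "wp-content", "uploads", "2024", "01")
    os.makedirs(media)
    open(os.path.join(media, "photo.jpg"), "wb").close()
    # Constructed placeholder standing in for an uploaded script; only its
    # location and extension matter to the check, not its contents.
    with open(os.path.join(media, "cache.php"), "w") as fh:
        fh.write("<?php // placeholder\n")
    return root


def demo():
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_site(build_sample_site(tmp))


if __name__ == "__main__":
    print(demo())
```

Against a real site, call `audit_site("/var/www/html")` (or wherever the document root lives) and treat any entry in `php_in_uploads` as something to inspect by hand; the version check is only a floor, so pair it with the vendor's current release notes rather than trusting the hard-coded threshold.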
The earliest compromise in this campaign dates to Dec. 18, 2023, and activity continued until at least Jan. 27, 2024. Talos's findings indicate that the campaign may have begun as early as November 2023.
In response, Cisco Talos has published indicators of compromise (IoCs) and detection coverage to help organizations defend against this activity. The researchers advise a layered defense model that can detect and block malicious activity at every stage, from initial compromise through to final payload deployment, and urge organizations to be proactive in detecting and protecting against highly motivated, sophisticated adversaries across multiple attack surfaces.
In conclusion, the Turla APT’s recent campaign targeting Polish NGOs demonstrates the group’s evolving tactics and its ongoing efforts to support the interests of the Russian government. As the cybersecurity landscape continues to evolve, it is imperative for organizations to remain vigilant and implement robust defenses to protect against such targeted and highly sophisticated attacks.

