Russian cyber intelligence The group known as Turla became infamous in 2008 when the hackers behind agent.btz, a malicious piece of malware that spread through US Department of Defense systems, gained widespread access through via infected USB drives inserted by unsuspecting Pentagon personnel. Now, 15 years later, the same team seems to be trying a new twist on that trick: hijacking an infected USB stick. is different hackers to carry their infection and surreptitiously choose their spying targets.
Today, cybersecurity company Mandiant disclosure that it detected an incident in which, it said, Turla’s hackers—Many people believe that working in the service of the Russian intelligence agency FSB—gain access to victim networks by registering expired domains of nearly a decade old cybercriminal malware that spreads via infected USB drives. As a result, Turla was able to take over the command and control servers for that hermit crab-type malware and screen its victims for worthy espionage targets.
That hijacking technique appears to be designed to keep Turla undetected, hiding within the footprints of other hackers while sifting through a vast collection of networks. And it shows how the methods of the Russian group have evolved and become much more sophisticated over the past decade and a half, said John Hultquist, head of intelligence analysis at Mandiant. “Since the malware has proliferated over USB, Turla was able to take advantage of that without exposing herself. Instead of using their own USB tools like agent.btz, they can sit on top of someone else’s stuff,” says Hultquist. “They are piggybacking on other people’s activities. It’s a really smart way of doing business.”
Mandiant’s discovery of Turla’s new technique first came to light last September, when the company’s incident responders discovered a curious vulnerability to a network in Ukraine, a country that became the primary focus of all the Kremlin’s intelligence services after Russia’s disastrous invasion last February. Several computers on that network became infected after someone plugged a USB drive into one of their ports and double-clicked a malicious file on the drive disguised as a folder, installed a piece of malware. The virus is called Andromeda.
Andromeda is a relatively common banking trojan that cybercriminals have been using to steal victim credentials since early 2013. But on one of the infected machines, Mandiant analysts found that Andromeda sample silently downloaded two other more interesting malware. First, a reconnaissance tool called the Kopiluwak, previously used by Turla; The second malware, a backdoor called Quietcanary that compresses and sucks carefully selected data from the target computer, has been exclusively used by Turla in the past. “It’s a red flag for us,” said Gabby Roncone, Mandiant threat intelligence analyst.
When Mandiant looked at the command and control servers for the Andromeda malware that started that infection chain, their analysts found that the domain used to control the Andromeda sample—its name was a the anti-virus industry’s vulgar mockery—actually expired and was re-registered in early 2022. Looking at other Andromeda models and their command-and-control domains, Mandiant found that at least two more expired domains have been re-registered. In total, those domains have been linked to hundreds of Andromeda infections, all of which Turla can orchestrate to find people worth tracking down.
