The Turla cyberespionage group, which has been in operation for the better part of a quarter century and is connected to the infamous Moonlight Maze attack on the Pentagon and other agencies, recently has been deploying a small, previously undocumented backdoor against targets in the United States, Germany, and Afghanistan.
The backdoor, known as TinyTurla, is quite simple, and researchers believe it likely serves as a backup persistence mechanism that lets the group maintain access to compromised machines. Researchers with Cisco Talos discovered the backdoor and believe it has been in use since at least last year. Most recently, it has been deployed against targets in Afghanistan during the turmoil surrounding the shift in power after the U.S. military withdrawal. Talos found that the backdoor was using infrastructure known to have been used in earlier Turla operations.
“Based on forensic evidence and the fact that it was using formerly attributed infrastructure from the Penguin Turla malware, Talos assesses with moderate confidence that this was used to target the previous Afghan government,” Talos researchers wrote in a new analysis of the backdoor.
Turla, which is also known by a long list of other names, including Snake and Uroburos, is one of the more venerable and prolific known APT groups and is connected to many high-level operations during the last two decades. The most well-known of those intrusions is the Moonlight Maze operation, which involved compromises of NASA, the Pentagon, the Department of Energy, and other agencies in the late 1990s. That operation involved the theft of military data, maps, technical documents, and kicked off a massive government investigation that lasted several years. Researchers have not directly attributed Moonlight Maze to Turla, but the connective tissue is strong.
It wasn’t until much later, in 2014, that Turla was properly identified by researchers and its more recent operations and tools were exposed. The group has a broad array of attack tools at its disposal and is known to use zero-day exploits in some of its operations. Turla is a Russian group, and it often operates in alignment with the Russian government’s political interests and objectives. The group is highly focused on espionage activity and has significant financial and technical resources at its disposal.
Many of Turla’s malicious tools are known to researchers, but the Windows backdoor that Talos discovered had not been documented previously. It masquerades as a Windows service, so defenders would not necessarily find it simple to identify as malicious.
“The adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service ‘Windows Time Service,’ like the existing Windows service. The backdoor can upload and execute files or exfiltrate files from the infected system. In our review of this malware, the backdoor contacted the command and control (C2) server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator,” Talos said.
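The five-second polling interval described above is the kind of regularity a defender can look for in proxy or firewall logs even when the channel itself is encrypted. The following is an added example, not Talos code or anything from the TinyTurla sample: it groups constructed proxy log lines (an assumed timestamp/source/destination/method layout) by source and destination, measures the gaps between requests, and flags pairs whose gaps are short and nearly constant.

```python
"""Flag hosts that poll one external destination at a fixed, short interval."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log lines (not real data): timestamp, source host, destination, method.
SAMPLE_LOG = """\
2021-09-20T10:00:00 ws-17 203.0.113.10:443 CONNECT
2021-09-20T10:00:05 ws-17 203.0.113.10:443 CONNECT
2021-09-20T10:00:10 ws-17 203.0.113.10:443 CONNECT
2021-09-20T10:00:15 ws-17 203.0.113.10:443 CONNECT
2021-09-20T10:00:20 ws-17 203.0.113.10:443 CONNECT
2021-09-20T10:00:25 ws-17 203.0.113.10:443 CONNECT
2021-09-20T10:00:03 ws-17 198.51.100.7:443 CONNECT
2021-09-20T10:00:41 ws-17 198.51.100.7:443 CONNECT
2021-09-20T10:01:02 ws-17 198.51.100.7:443 CONNECT
2021-09-20T10:01:09 ws-17 198.51.100.7:443 CONNECT
2021-09-20T10:01:50 ws-17 198.51.100.7:443 CONNECT
2021-09-20T10:00:00 ws-22 203.0.113.10:443 CONNECT
2021-09-20T10:00:30 ws-22 203.0.113.10:443 CONNECT
"""

def parse_log(text):
    """Return {(src, dst): [timestamps in order]} from whitespace-separated lines."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in conns.items()}

def find_beacons(conns, min_hits=5, max_interval=30.0, max_jitter=0.2):
    """Return [(src, dst, median_gap_seconds)] for pairs whose inter-request gaps
    are short and nearly constant; jitter is stdev(gaps) / median(gaps)."""
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:          # too few requests to judge regularity
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0 or med > max_interval:  # slow pollers are out of scope here
            continue
        jitter = pstdev(gaps) / med
        if jitter <= max_jitter:            # human browsing has far more variance
            hits.append((src, dst, med))
    return hits
```

In the sample, only the ws-17 host polling 203.0.113.10 every five seconds is flagged; the irregular traffic to 198.51.100.7 fails the jitter test and ws-22 has too few requests. Thresholds should be tuned against a baseline of the environment's own traffic, since legitimate agents also poll on timers.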
Although Turla is near the top of the heap of APT groups, it is made up of humans, and humans get lazy and make mistakes sometimes. Those mistakes can help researchers track the group's activities and identify its operations, as Talos did in this case.
“During their campaigns, they are often using and re-using compromised servers for their operations, which they access via SSH, often protected by TOR. One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been clearly attributed to their Penguin Turla Infrastructure,” Talos said.