Russian APTs Turla and Sofacy Sharing Code and Targets

MONTREAL--Two of the more active and venerable Russian-speaking APT groups appear to be learning from one another, using code that’s almost identical, and going after a subset of the same targets in recent campaigns, a development that suggests similar backing and tasking, if not outright cooperation.

The two groups, Turla and Zebrocy, have both been active for many years, but generally have targeted different types of organizations and stuck to different geographical areas. Turla is among the older active attack groups, and its operations generally have focused on organizations in the eastern hemisphere, especially former Soviet republics in central Asia. Recently, though, the Turla group has been seen attacking targets in countries in the west, including the United States, Paraguay, Brazil, and Venezuela, according to new research by Kaspersky Lab presented at the Virus Bulletin conference here Thursday.

Turla and Zebrocy, which is a subset of the group known as Fancy Bear or APT 28, are both using a specific technique in their spear-phishing campaigns that delivers a .LNK file that includes nearly identical PowerShell code in both campaigns. The Zebrocy group used the technique first, and then researchers discovered samples of Turla’s KopiLuwak malware that included a nearly line-by-line copy of the PowerShell code. It’s not clear whether the two groups shared the code or whether the Turla operators got hold of it in some other way.
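As an added example (not code from this article or from Kaspersky's research), a defender-side check in Python that walks a Windows shortcut's StringData fields per the MS-SHLLINK layout and flags shortcuts whose target path or arguments invoke PowerShell, the delivery shape described above. The two .LNK samples are constructed inside the block, and the indicator regex is an assumed starting list, not one taken from the report.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK binary format: HasLinkTargetIDList=0x01, HasLinkInfo=0x02,
# the five StringData presence flags in file order (0x04..0x40), and IsUnicode=0x80.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
# Assumed indicators of a PowerShell launcher hidden in a shortcut (tune to your environment).
POWERSHELL_RE = re.compile(r"powershell|pwsh|-enc(odedcommand)?\b|iex\b|invoke-expression", re.I)

def parse_lnk_strings(data: bytes) -> dict:
    """Skip the 76-byte header, optional IDList and LinkInfo, then read the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:  # IDListSize (2 bytes) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        raw = data[pos + 2:pos + 2 + width * count]
        out[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += 2 + width * count
    return out

def flags_powershell_lnk(data: bytes) -> bool:
    """True when the shortcut's relative target or its arguments look like a PowerShell launcher."""
    s = parse_lnk_strings(data)
    return bool(POWERSHELL_RE.search(s.get("relative_path", "") + " " + s.get("arguments", "")))

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: minimal Unicode .LNK with only RelativePath and Arguments present."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"  # ShellLink CLSID
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<I", 0x08 | 0x20 | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))  # remaining header fields left zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body

# Constructed samples: a shortcut that launches hidden encoded PowerShell, and a plain document link.
SUSPICIOUS = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              "-NoProfile -WindowStyle Hidden -EncodedCommand AAAA")
BENIGN = build_sample_lnk(r"..\Documents\report.docx", "")
```

Run the check over mail-gateway or endpoint-quarantined shortcuts; a hit is a triage signal, not proof of the campaign in the article.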

“We do see Turla and Sofacy targeting the same boxes, so it could be from collection on the victim side,” said Kurt Baumgartner, a member of Kaspersky’s Global Research and Analysis Team, who delivered a talk on the research at the conference.

Both Turla and Zebrocy are among the top tier of active APT groups in terms of technical proficiency and activity. The Fancy Bear team, which is an umbrella name for several smaller groups associated with Russian intelligence, has been blamed for the compromise of the Democratic National Committee in 2016 and also has been associated with many other politically motivated attacks. Each group has had its own set of tools, techniques, and targets, but those have begun to overlap in recent months. Though Turla has begun targeting western organizations recently, the group still has stuck mainly to political and foreign affairs targets in the former Soviet republics.

“They rotate around these countries and it often coincides with geopolitical events,” Baumgartner said.

While Turla has begun to change and expand its targets, the group also has been making upgrades and modifications to its toolset. Turla has several separate malware frameworks at its disposal, including a platform known as Carbon, another called Mosquito, and a third known as White Bear. Each has different capabilities and functions, and Baumgartner said the Turla team recently has begun making some interesting changes to these tools.

“They’re oddly turning toward some open source code. Carbon is an elegant and complete platform that’s been around for years. They’re making incremental changes to it and still sending it out,” he said. “They’ve been paring it back and not relying as heavily on things like the kernel mode rootkit, maybe because it’s not necessary anymore. It seems like the really talented developers who wrote some of this stuff aren’t around anymore.”

Baumgartner and Mike Scott, a principal threat researcher on Kaspersky’s GReAT team, also found some indications that support the previous theory that Turla was attacking WiFi networks to install the Mosquito malware on victims’ machines. What they found suggests that the operators were executing these attacks locally rather than remotely. The attack used a man-in-the-middle technique to send victims to a URL that would download a fake Adobe Flash installer. A subset of the installers used in that attack had functionality that would dump all of the WiFi profile information on a compromised machine, along with IPconfig and network data that would allow the attackers to impersonate a legitimate WiFi gateway that the victim is already using.

“It allows them to know exactly what the gateway looks like. It lends more credence to the idea that they were doing this locally,” Baumgartner said.