Turla Hackers Target Ukraine Government
Recent findings from Google’s Threat Analysis Group (TAG) confirmed that the Russian-sponsored hacker group, Turla, has begun attacking Ukrainian organizations.
Known for their unorthodox tactics, Turla has carried out a string of attacks using unassuming methods, from backdoor trojans with their own APIs to malware controlled through comments on Britney Spears' Instagram photos.
TAG's report on recent cyber activity in Eastern Europe documented that the Turla Russian APT group has deployed its first Android malware in support of the war effort.
Disguising the malware as a DDoS attack tool, they hosted it on a domain spoofing the Ukrainian Azov Regiment, cyberazov[.]com.
Analysts believe Turla's operators may have used the StopWar Android app, developed by pro-Ukrainian developers and hosted at stopwar[.]pro, as the basis for their own spoofed 'Cyber Azov' DDoS application.
Before this, Turla had never been linked to the distribution of Android malware. The application was not distributed through the Google Play Store; instead it was hosted on a hacker-controlled domain and distributed through links on third-party messaging services. Once installed, it would launch what it presented as Denial of Service (DoS) attacks against a number of Russian websites. In practice, however, the 'DoS' consisted of a single GET request to each target website, far too little to cause any actual damage.
Turla Hackers Target 100 Countries
Google TAG believes this attack has posed no major threat to Android users so far, because the malicious Cyber Azov app was installed only a very small number of times.
Still, more is expected from Turla, as the group has been orchestrating espionage campaigns against over 100 countries since 1996, targeting and stealing classified data from governments, research facilities, and embassies.
Turla has also operated under monikers such as Venomous Bear and Waterbug, names linked to Russia's Federal Security Service (FSB). To this day, the group is considered the prime suspect behind attacks on NASA, the U.S. Central Command, the Pentagon, the Finnish Foreign Ministry, and Eastern European Ministries of Foreign Affairs.
They have even hijacked the Iranian APT group OilRig, co-opting it for their own campaigns to pass off their attacks as the work of Iranian state hackers.
For now, the group is being closely monitored, as it has moved on from its previous campaign in May, in which it was observed sending credential-phishing emails to Ukrainian defense and cybersecurity organizations.