A suspected Russian threat group is believed to have begun targeting victims in Ukraine, piggybacking off previously deployed malware to install backdoors of its own and siphon off data, cybersecurity watchdog Mandiant reports.
It first spotted the suspected Turla Team threat group going after victims who had already succumbed to a revamped version of Andromeda when it was deployed on infected USB sticks in 2021.
The follow-up attack consists of the reconnaissance program Kopiluwak – which Mandiant says was downloaded by unsuspecting targets in Ukraine seven times between September 6 and 8 last year – and QuietCanary, which was then used to siphon off sensitive data on at least two occasions.
Mandiant says this is the first time it has spotted Turla targeting organizations in Ukraine since Russia invaded in February, but nevertheless believes the threat group has links to the Kremlin intelligence agency, the FSB, and also has a history of using portable devices to spread malware.
“Removable media remains a powerful if indiscriminate tool for cybercriminals and state actors alike,” said Mandiant’s head of threat intelligence John Hultquist. “Turla, which has been linked to the FSB, famously used removable media before in a widespread incident that led to loud, mass proliferation across systems over a decade ago.”
But what makes this particular attack notable is Turla appearing to be profiting from previous malware attacks using the Andromeda strain – which Mandiant says dates back almost a decade – to breach target defenses and extract useful or valuable information.
"This incident is familiar, but the new spin is the actors aren’t releasing their own USB malware into the wild,” said Hultquist. “Now they are taking advantage of another actor’s work by taking over their command and control. By doing so Turla removes itself from the high-profile dirty work of proliferation but still gets to select victims of interest.”
Turla profiled these victims before deploying Kopiluwak and QuietCanary – Mandiant believes that Andromeda domains then relayed system information and internet protocol addresses back to the threat actors, which allowed them to make an informed decision on whether to strike targets with a payload.
It believes that the motivation behind this most recently observed spate of cyberattacks was espionage, with Turla observed stealing Microsoft Office documents, PDFs, and other text-based files.
"Accesses obtained by cybercriminals are an increasingly leveraged tool for Russian intelligence services who can buy or steal them for their own purposes,” added Hultquist.
More from Cybernews:
Subscribe to our newsletter