The Russian cyberespionage group known as Turla became famous in 2008 as the hackers behind agent.btz, a malicious piece of software that spread through the US Department of Defense. After 15 years, the same group appears to be trying a new trick: hijacking other hackers' infections, piggybacking on them to stealthily choose its targets.
According to Mandiant, Turla's hackers gained access to victim networks by registering the expired domain of nearly decade-old cybercriminal software. By doing so, Turla was able to take over the command-and-control server and use it to look for espionage targets.
Turla may be able to stay undetected, hiding inside other hackers' footprints while combing through a vast collection of networks. John Hultquist, who leads intelligence analysis at Mandiant, said that it shows how the Russian group's methods have evolved over the past decade and a half. "Turla is able to leverage that because it already exists. They can sit on someone else's computer instead of using their own. They're piggybacking on other people's work. It is a great way of doing business."
In September of last year, Mandiant's incident responders discovered a curious breach of a network in Ukraine, a country that has become a primary focus of all Kremlin intelligence services. Several computers on that network were infected by a malicious file on a drive that was inserted into one of their ports and then double-clicked to install a piece of malicious software.
Since the beginning of the year, crooks have been stealing victims' credentials with the help of Andromeda. Mandiant's analysts noticed that the Andromeda sample quietly downloaded two other pieces of software. Both of those downloaded tools, the second of which is Quietcanary, had been used by Turla in the past. That was a red flag for Mandiant.
When Mandiant looked at the command-and-control server, they found that the domain used to control the sample had expired and was re-registered in early 2022. Mandiant noticed that there were at least two more expired domains that had been re-registered. By looking through the hundreds of domains connected to the infections, Turla was able to find subjects worthy of its espionage.
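The takeover described above leaves a detectable trace on the defender's side: a domain on an old malware indicator list that lapsed years ago suddenly has a fresh registration date, and hosts on the network are resolving it to a live address again. The following is an added example (not code from Mandiant or from the original article) that flags that pattern. The WHOIS-style registration history, the `.test` domain names and the resolver log lines are all constructed for illustration and are not real Andromeda or Turla infrastructure.

```python
from datetime import date, datetime

# Constructed WHOIS-style registration history (hypothetical, not real
# infrastructure): for each domain on a legacy-malware indicator list, the
# registration periods it has had as (created, expired_or_expires) pairs,
# oldest first.
REGISTRATION_HISTORY = {
    "legacy-c2-example.test": [
        (date(2013, 3, 1), date(2014, 3, 1)),    # original botnet-era registration
        (date(2022, 1, 15), date(2023, 1, 15)),  # re-registered years after lapsing
    ],
    "old-botnet-example.test": [
        (date(2012, 6, 10), date(2013, 6, 10)),  # expired and never re-registered
    ],
    "still-held-example.test": [
        (date(2014, 1, 1), date(2024, 1, 1)),    # continuously held, never lapsed
    ],
}

# Constructed resolver log lines: "<ISO timestamp> <client> <qname> <answer>".
DNS_LOG = """\
2022-09-02T10:14:03 10.0.0.5 legacy-c2-example.test 203.0.113.7
2022-09-02T10:14:09 10.0.0.5 old-botnet-example.test NXDOMAIN
2022-09-02T11:02:41 10.0.0.9 still-held-example.test 198.51.100.2
2022-09-03T08:00:12 10.0.0.12 legacy-c2-example.test 203.0.113.7
"""


def lapsed_reregistrations(history):
    """Return {domain: (gap_days, new_created)} for each domain whose latest
    registration period began only after an earlier period had expired."""
    out = {}
    for domain, periods in history.items():
        for (_, prev_expired), (created, _) in zip(periods, periods[1:]):
            if created > prev_expired:
                out[domain] = ((created - prev_expired).days, created)
    return out


def parse_dns_log(text):
    """Parse the whitespace-separated resolver log into typed rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        rows.append((datetime.fromisoformat(ts), client, qname.lower(), answer))
    return rows


def find_hijack_candidates(history, log_text):
    """Hosts that resolve a lapsed-then-re-registered indicator domain to a
    live address after the new registration date. A still-dead domain
    (NXDOMAIN) or a continuously held one does not match."""
    rereg = lapsed_reregistrations(history)
    hits = {}
    for ts, client, qname, answer in parse_dns_log(log_text):
        if qname not in rereg or answer == "NXDOMAIN":
            continue
        gap_days, created = rereg[qname]
        if ts.date() < created:
            continue
        entry = hits.setdefault(qname, {
            "gap_days": gap_days,
            "reregistered": created.isoformat(),
            "clients": set(),
        })
        entry["clients"].add(client)
    return hits


if __name__ == "__main__":
    for domain, info in find_hijack_candidates(REGISTRATION_HISTORY, DNS_LOG).items():
        print(f"{domain}: re-registered {info['reregistered']} after a "
              f"{info['gap_days']}-day lapse; contacted by {sorted(info['clients'])}")
```

In a real deployment the registration history would come from a WHOIS or RDAP lookup against each domain on the indicator list, and the log rows from the resolver. The point of the check is that a "dead" indicator is not safe to retire: an old C2 domain that a host still resolves and that now has a recent creation date deserves the same triage as a fresh one.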