• A report by Symantec mentions that the Russian-based threat group also used new sets of tools in their attacks.
  • Turla has been reported to carry out cyberattacks against various governments, IT organizations and educational institutions around the world.

Russian-based APT group Turla a.k.a. Waterbug is believed to have carried out attacks using infrastructure belonging to another cyber-espionage group. According to a report by security firm Symantec, Turla used OilRig aka APT34’s infrastructure in one of its attack campaigns. Symantec also described three recent campaigns carried out by the group, which involved new tools in their attacks.

Turla has been reported to mainly target governments, IT organizations and educational institutions across the world.

The big picture

  • In its report, Symantec notes that the group extensively used backdoors in the three campaigns.
  • The first campaign involved deploying a new backdoor known as Neptun that were installed on Microsoft Exchange servers while the second campaign involved the use of Meterpreter, a publicly available backdoor along with two other backdoors.
  • However, the third campaign featured a custom Remote Procedure Call (RPC) backdoor which used bits of code from a tool known as PowerShellRunner.
  • OilRig’s infrastructure was reportedly used in the first campaign on top of deploying Neptun in the attack.
  • Coming to the attacks, Symantec says that Turla targeted 13 organizations across 10 different countries since 2018.

Living-off-the-land technique used

Symantec suggests that the Russian-based group has moved towards using living-off-the-land attacks.

“Waterbug’s most recent campaigns have involved a swath of new tools including custom malware, modified versions of publicly available hacking tools, and legitimate administration tools. The group has also followed the current shift towards ‘living off the land’ making use of PowerShell scripts and PsExec, a Microsoft Sysinternals tool used for executing processes on other systems,” the report stated.

Cyware Publisher