Researchers have observed a reconnaissance campaign launched by the Russian hacking group named Turla against the Baltic Defense College, a NATO platform, and the Austrian Economic Chamber.

Attacks on European entities

The campaign was spotted by cybersecurity firm Sekoia, but the discovery builds upon previous findings by Google’s TAG.
  • The first target (baltdefcol[.]org) is the Baltic Defense College (aka BALTDEFCOL), a military college based in Estonia and operated jointly by Latvia, Estonia, and Lithuania. It serves as a center for operational and strategic research in the Baltic region.
  • Another target (wko[.]at) is Wirtschaftskammer Österreich (WKO), the Austrian Federal Economic Chamber, which serves as an international consultant on economic and legislative sanctions.
  • Additionally, a third typosquatted domain, jadlactnato[.]webredirect[.]org, was spotted; it was made to look like an e-learning portal belonging to the NATO Joint Advanced Distributed Learning platform.

Google’s TAG shared the IP addresses that led to the domains (wkoinfo[.]webredirect[.]org and baltdefcol[.]webredirect[.]org), which are typosquatted variants of baltdefcol[.]org and wko[.]at.

What happens in the campaign?

  • The attackers used the typosquatted domains to host a malicious Word document identified as ‘War Bulletin 19.00 CET 27.04[.]docx,’ found in different directories of the targeted sites.
  • This file has an embedded PNG, which is fetched when the document is loaded.
  • The Word file does not contain malicious macros, suggesting that the PNG is used for reconnaissance: the fetch itself tells the attackers who opened the document and from where.
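As an added, defender-side example that is not part of the original article: a macro-free document that fetches a picture on open does so through a linked (external) image relationship inside the .docx package, so an analyst can flag such files without rendering them in Word. The script below scans the OOXML relationship parts for external targets; the sample document and the URL it points at are constructed placeholders, not the campaign's real lure or infrastructure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

def external_relationships(docx_bytes: bytes) -> list[dict]:
    """Return every relationship with TargetMode="External" in any .rels part.
    An external *image* relationship is a linked picture: Word fetches the URL
    when the document is rendered, which is what turns a macro-free document
    into a reconnaissance beacon."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(pkg.read(part)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                found.append({
                    "part": part,
                    "target": target,
                    "host": urlsplit(target).hostname or "",
                    "is_image_beacon": rel.get("Type") == IMAGE_TYPE,
                })
    return found

def build_sample_docx(image_url: str) -> bytes:
    """Constructed sample (not the real lure): a minimal OOXML package whose
    only picture is linked to a remote URL instead of being embedded."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Target="styles.xml" Type="http://schemas.'
        'openxmlformats.org/officeDocument/2006/relationships/styles"/>'
        f'<Relationship Id="rId2" Target="{image_url}" TargetMode="External" '
        f'Type="{IMAGE_TYPE}"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder host; in practice point this at a real sample from quarantine.
    for rel in external_relationships(build_sample_docx("https://recon.example.test/track.png")):
        print(rel)
```

Internal relationships (styles, fonts, embedded media) are ignored, so a clean document yields an empty list; any hit with is_image_beacon set is worth correlating against proxy logs for the listed host.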

Conclusion

It seems that the Turla hacking group is focusing its recent activity on reconnaissance, possibly gathering information for phishing attacks to follow. Organizations should therefore be aware of these ongoing reconnaissance attacks by Russian hackers and take part in threat intel sharing for the benefit of the entire security community.

Cyware Publisher