Before public reporting, infrastructure linked to the Russia-based Turla APT group was found in an organization possibly located in Albania. A file containing the IP address 91[.]193[.]18[.]120, which is a key indicator of compromise recently described by Cisco Talos as a command and control server used in parallel with the “TinyTurla-NG” (TTNG) backdoor, was manually uploaded to the VirusTotal web interface by a user located in Albania on March 26.
The file is a list of IP addresses in a plain text file named “Firewall_Bllok_IP.txt.txt”. All IP addresses within are currently listed as malicious, and all but one IP address are registered on multiple Antivirus vendors. The file has no further OSINT links, further suggesting authenticity.
The upload time falls within two Cisco reports regarding Tiny Turla activity, but prior to IP address 91[.]193[.]18[.]120 being made public. The targeting of Albania aligns with the regional interests of the APT campaign first described mid-February. This new activity provides additional intelligence into the possible scope of Russia-based APT operations, which has also included Poland in this campaign.
Baltic and Eastern European-based organizations with links to government are likely to continue to be high-value targets for cyberattacks throughout 2024 as they provide espionage channels for APT groups aligned to Russian interests in the broader context of the war in Ukraine.
