Turla, also known as Waterbug and Venomous Bear, is closely affiliated with the FSB Russian intelligence agency and has been linked to prominent cyberattacks in the past. The attack involves two types of spyware, Capibar and Kazuar, with Capibar compromising Microsoft Exchange servers to transform legitimate servers into malware control centers through malicious email attachments that trigger PowerShell commands.
Kazuar, described as a “highly advanced and multi-functional backdoor,” is subsequently downloaded onto compromised computers, allowing the extraction of sensitive authentication data from various services like KeePass, Azure, Google Cloud, and Amazon Web Services.
The threat actor behind Turla aims to exfiltrate files containing messages from the widely used Signal desktop messaging app, granting access to private conversations, documents, images, and archive files on targeted systems. The cyberespionage activities of Turla have been under the observation of Ukraine’s computer emergency response team (CERT-UA) since 2022.
Despite the vigilance of CERT-UA, the effectiveness of Turla’s spyware and the number of victims remain undisclosed. The group has a history of complex cyber infiltration tactics, such as taking over a cybercriminal botnet last year to infiltrate victims’ systems.
This incident was detected when a user in Ukraine unknowingly infected their computer by inserting a USB drive containing an outdated banking trojan called Andromeda, followed by the installation of two tools previously associated with Turla by cybersecurity firm Mandiant, which is owned by Google. The ongoing attacks highlight the persistent threat posed by Turla to Ukraine’s defense and underscore the need for enhanced cybersecurity measures to counter cyberespionage and protect sensitive information.
- Цільові атаки Turla (UAC-0024, UAC-0003) з використанням шкідливих програм CAPIBAR та KAZUAR (CERT-UA#6981)