Pages

27 May 2023

The Underground History of Russia’s Most Ingenious Hacker Group

ANDY GREENBERG

ASK WESTERN CYBERSECURITY intelligence analysts who their "favorite" group of foreign state-sponsored hackers is—the adversary they can't help but grudgingly admire and obsessively study—and most won't name any of the multitudes of hacking groups working on behalf of China or North Korea. Not China's APT41, with its brazen sprees of supply chain attacks, nor the North Korean Lazarus hackers who pull off massive cryptocurrency heists. Most won't even point to Russia's notorious Sandworm hacker group, despite the military unit's unprecedented blackout cyberattacks against power grids or destructive self-replicating code.

Instead, connoisseurs of computer intrusion tend to name a far more subtle team of cyberspies that, in various forms, has silently penetrated networks across the West for far longer than any other: a group known as Turla.

Last week, the US Justice Department and the FBI announced that they had dismantled an operation by Turla—also known by names like Venomous Bear and Waterbug—that had infected computers in more than 50 countries with a piece of malware known as Snake, which the US agencies described as the "premiere espionage tool" of Russia's FSB intelligence agency. By infiltrating Turla's network of hacked machines and sending the malware a command to delete itself, the US government dealt a serious setback to Turla's global spying campaigns.

But in its announcement—and in court documents filed to carry out the operation—the FBI and DOJ went further, and officially confirmed for the first time the reporting from a group of German journalists last year which revealed that Turla works for the FSB's Center 16 group in Ryazan, outside Moscow. It also hinted at Turla's incredible longevity as a top cyberspying outfit: An affidavit filed by the FBI states that Turla's Snake malware had been in use for nearly 20 years.

In fact, Turla has arguably been operating for at least 25 years, says Thomas Rid, a professor of strategic studies and cybersecurity historian at Johns Hopkins University. He points to evidence that it was Turla—or at least a kind of proto-Turla that would become the group we know today—that carried out the first-ever cyberspying operation by an intelligence agency targeting the US, a multiyear hacking campaign known as Moonlight Maze.

Given that history, the group will absolutely be back, says Rid, even after the FBI's latest disruption of its toolkit. “Turla is really the quintessential APT,” says Rid, using the abbreviation for “advanced persistent threat,” a term the cybersecurity industry uses for elite state-sponsored hacking groups. “Its tooling is very sophisticated, it’s stealthy, and it’s persistent. A quarter-century speaks for itself. Really, it’s adversary number one.”

Throughout its history, Turla has repeatedly disappeared into the shadows for years, only to reappear inside well-protected networks including those of the US Pentagon, defense contractors, and European government agencies. But even more than its longevity, it's Turla's constantly evolving technical ingenuity—from USB worms, to satellite-based hacking, to hijacking other hackers' infrastructure—that's distinguished it over those 25 years, says Juan Andres Guerrero-Saade, who leads threat intelligence research at the security firm SentinelOne. “You look at Turla, and there are multiple phases where, oh my god, they did this amazing thing, they pioneered this other thing, they tried some clever technique that no one had done before and scaled it and implemented it,” says Guerrero-Saade. “They're both innovative and pragmatic, and it makes them a very special APT group to track.”

Here's a brief history of Turla's two-and-a-half decades of elite digital spying, stretching back to the very beginning of the state-sponsored espionage arms race.
1996: Moonlight Maze

By the time the Pentagon began investigating a series of intrusions of US government systems as a single, sprawling espionage operation, it had been going on for at least two years and was siphoning American secrets on a massive scale. In 1998, federal investigators discovered that a mysterious group of hackers had been prowling the networked computers of the US Navy and Air Force, as well as those of NASA, the Department of Energy, the Environment Protection Agency, the National Oceanic and Atmospheric Administration, a handful of US universities, and many others. One estimate would compare the hackers' total haul to a stack of papers three times the height of the Washington Monument.

From early on, counterintelligence analysts believed that the hackers were Russian in origin, based on their real-time monitoring of the hacking campaign and the types of documents they targeted, says Bob Gourley, a former US Defense Department intelligence officer who worked on the investigation. Gourley says that it was the hackers’ apparent organization and persistence that made the most lasting impression on him. “They’d reach a wall, and then someone with different skills and patterns would take over and break through that wall,” Gourley says. “This was not just a couple of kids. This was a well-resourced, state-sponsored organization. It was the first time, really, where a nation-state was doing this.”

Investigators found that when the Moonlight Maze hackers—a codename given to them by the FBI—exfiltrated data from their victims' systems, they used a customized version of a tool called Loki2, and would continually tweak that piece of code over the years. In 2016, a team of researchers including Rid and Guerrero-Saade would cite that tool and its evolution as evidence that Moonlight Maze was in fact the work of an ancestor of Turla: They pointed to cases where Turla's hackers had used a unique, similarly customized version of Loki2 in its targeting of Linux-based systems fully two decades later.
2008: Agent.btz

Ten years after Moonlight Maze, Turla shocked the Defense Department again. The NSA discovered in 2008 that a piece of malware was beaconing out from inside the classified network of the DOD's US Central Command. That network was “air-gapped”—physically isolated such that it had no connections to internet-connected networks. And yet someone had infected it with a piece of self-spreading malicious code, which had already copied itself to an untold number of machines. Nothing like it had ever been seen before on US systems.

The NSA came to believe that the code, which would later be dubbed Agent.btz by researchers at the Finnish cybersecurity firm F-Secure, had spread from USB thumb drives that someone had plugged into PCs on the air-gapped network. Exactly how the infected USB sticks got into the hands of DOD employees and penetrated the US military's digital inner sanctum has never been discovered, though some analysts speculated they may have simply been scattered in a parking lot and picked up by unsuspecting staffers.

The Agent.btz breach of Pentagon networks was pervasive enough that it sparked a multiyear initiative to revamp US military cybersecurity, a project called Buckshot Yankee. It also led to the creation of US Cyber Command, a sister organization of the NSA tasked with protecting DOD networks that today also serves as the home of the country's most cyberwar-oriented hackers.

Years later, in 2014, researchers at the Russian cybersecurity firm Kaspersky would point to technical connections between Agent.btz and Turla's malware that would come to be known as Snake. The espionage malware—which Kaspersky at the time called Uroburos, or simply Turla—used the same file names for its log files and some of the same private keys for encryption as Agent.btz, the first clues that the notorious USB worm had in fact been a Turla creation.

2015: Satellite Command-and-Control

By the mid-2010s, Turla was already known to have hacked into computer networks in dozens of countries around the world, often leaving a version of its Snake malware on victims' machines. It was revealed in 2014 to be using “watering-hole” attacks, which plant malware on websites with the goal of infecting their visitors. But in 2015, researchers at Kaspersky uncovered a Turla technique that would go much further toward cementing the group's reputation for sophistication and stealth: hijacking satellite communications to essentially steal victims' data via outer space.

In September of that year, Kaspersky researcher Stefan Tanase revealed that Turla's malware communicated with its command-and-control servers—the machines that send commands to infected computers and receive their stolen data—via hijacked satellite internet connections. As Tanase described it, Turla's hackers would spoof the IP address for a real satellite internet subscriber on a command-and-control server set up somewhere in the same region as that subscriber. Then they would send their stolen data from hacked computers to that IP so that it would be sent via satellite to the subscriber, but in a way that would cause it to be blocked by the recipient's firewall.

Because the satellite was broadcasting the data from the sky to the entire region, however, an antenna connected to Turla's command-and-control server would also be able to pick it up—and no one tracking Turla would have any way of knowing where in the region that computer might be located. The entire, brilliantly tough-to-trace system cost less than $1,000 a year to run, according to Tanase. He described it in a blog post as “exquisite.”
2019: Piggybacking on Iran

Plenty of hackers use “false flags,” deploying the tools or techniques of another hacker group to throw investigators off their trail. In 2019, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA), and the UK's National Cybersecurity Center warned that Turla had gone much further: It had silently taken over another hacker group's infrastructure to commandeer their entire spying operation.

In a joint advisory, the US and UK agencies revealed that they'd seen Turla not only deploy malware used by an Iranian group known as APT34 (or Oilrig) to sow confusion, but that Turla had also managed to hijack the command-and-control of the Iranians in some cases, gaining the ability to intercept data that the Iranian hackers had been stealing and even sending their own commands to the victim computers the Iranians had hacked.

Those tricks significantly raised the bar for analysts seeking to pin any intrusion on a particular group of hackers, when in fact Turla or a similarly devious group might have been secretly pulling puppet strings from the shadows. “Avoid possible misattribution by being vigilant when examining activity that appears to originate from the Iranian APT,” the CISA advisory warned at the time. “It may be the Turla group in disguise.”
2022: Hijacking a Botnet

Cybersecurity firm Mandiant reported earlier this year that it had spotted Turla carrying out a different variant of that hacker-hijacking trick, this time taking over a cybercriminal botnet to sift through its victims.

In September 2022, Mandiant found that a user on a network in Ukraine had plugged a USB drive into their machine and infected it with the malware known as Andromeda, a decade-old banking trojan. But when Mandiant looked more closely, they found that that malware had subsequently downloaded and installed two tools Mandiant had previously tied to Turla. The Russian spies, Mandiant discovered, had registered expired domains that Andromeda's original cybercriminal administrators had used to control its malware, gaining the ability to control those infections, and then searched through hundreds of them for ones that might be of interest for espionage.

That clever hack had all the hallmarks of Turla: the use of USB drives to infect victims, as it had done with Agent.btz in 2008, but now combined with the trick of hijacking a different hacker group's USB malware to commandeer their control, as Turla had done with Iranian hackers a few years earlier. But researchers at Kaspersky nonetheless warned that the two tools found on the Ukrainian network that Mandiant had used to tie the operation to Turla may actually be signs of a different group it calls Tomiris—perhaps a sign that Turla shares tooling with another Russian state group, or that it's now evolving into multiple teams of hackers.
2023: Beheaded By Perseus

Last week, the FBI announced that it had struck back against Turla. By exploiting a weakness in the encryption used in Turla's Snake malware and remnants of code that the FBI had studied from infected machines, the bureau announced it had learned to not only identify computers infected with Snake, but also send a command to those machines that the malware would interpret as an instruction to delete itself. Using a tool it had developed, called Perseus, it had purged Snake from victims' machines around the world. Along with CISA, the FBI also released an advisory that details how Turla's Snake sends data through its own versions of the HTTP and TCP protocols to hide its communications with other Snake-infected machines and Turla's command-and-control servers.

That disruption will no doubt undo years of work for Turla's hackers, who have been using Snake to steal data from victims around the world since as early as 2003, even before the Pentagon discovered Agent.btz. The malware's ability to send well-concealed data covertly between victims in a peer-to-peer network made it a key tool for Turla's espionage operations.

No comments:

Post a Comment