In a new reconnaissance campaign, the Russian state-sponsored hacking group Turla was observed targeting the Austrian Economic Chamber, a NATO platform, and the Baltic Defense College.
This discovery comes from cybersecurity firm Sekoia, which built upon earlier findings by Google’s TAG, which has been closely following Russian hackers this year.
Google warned about coordinated Russian-based threat group activity in late March 2022, and in May it observed two Turla domains being used in ongoing campaigns.
Sekoia used this information to investigate further and found that Turla targeted the federal organization in Austria and the military college in the Baltic region.
Who is Turla
Turla is a Russian-speaking cyber-espionage threat group that is believed to have strong ties to the Russian Federation’s FSB service. It has been operational since at least 2014, compromising a wide range of organizations in multiple countries.
It has previously targeted Microsoft Exchange servers worldwide to deploy backdoors, hijacked the infrastructure of other APTs to carry out espionage in the Middle East, and conducted watering hole attacks against Armenian targets.
More recently, Turla was observed using a variety of backdoors and remote access trojans against EU governments and embassies, as well as important research facilities.
European targets
According to Sekoia, the IPs shared by Google’s TAG lead to the domains “baltdefcol.webredirect[.]org” and “wkoinfo.webredirect[.]org,” which respectively typo-squat “baltdefcol.org” and “wko.at.”
The first target, BALTDEFCOL, is a military college located in Estonia and operated by Estonia, Latvia, and Lithuania, serving as a center for strategic and operational research in the Baltic.
The college also organizes conferences attended by high-ranking officials of NATO and various European countries, so it holds special significance for Russia in the ongoing war in Ukraine and the tensions on the Russian border.
WKO (Wirtschaftskammer Österreich) is the Austrian Federal Economic Chamber, which serves as an international advisor on regulation and economic sanctions.
Austria has maintained a neutral stance regarding the sanctions against Russia. However, Turla would like to be among the first to learn if anything changes on that front.
Sekoia also spotted a third typo-squat domain, “jadlactnato.webredirect[.]org,” which attempts to pass as the e-learning portal of the NATO Joint Advanced Distributed Learning platform.
Performing reconnaissance
The typosquatting domains are used to host a malicious Word document named “War Bulletin 19.00 CET 27.04.docx,” found in various directories of these sites.
This document contains an embedded PNG (logo.png), which is retrieved from the attacker's server when the file is opened. The Word document does not contain any malicious macros or behavior, leading Sekoia to believe that the PNG is used to perform reconnaissance.
“Thanks to the HTTP request made by the document to its own controlled server, the attacker can get the version and the type of Word application used by the victim – which can be interesting information to send a tailored exploit for the specific Microsoft Word version,” explains Sekoia’s report.
Furthermore, Turla gains access to the victim’s IP address, which could be useful in subsequent attack stages.
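The beacon described above works because a .docx is an OOXML zip whose picture can be a relationship with TargetMode="External" pointing at a remote URL, which Word fetches on open without any macro. The following added example (not Sekoia's code or their Yara rule) builds a constructed fixture of that shape with a placeholder host and shows how a defender can triage a .docx offline by listing its external image relationships.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def external_relationships(docx_bytes):
    """List (rels_path, short_type, target) for every OOXML relationship marked
    TargetMode="External". Word resolves these when the document is opened,
    so an external image relationship is fetched without any macro running."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    short = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, short, rel.get("Target", "")))
    return found

def remote_image_beacons(docx_bytes):
    """Keep only image relationships whose target is a remote http(s) URL:
    the tracking-image pattern described in the article."""
    return [(path, target) for path, rtype, target in external_relationships(docx_bytes)
            if rtype == "image" and re.match(r"https?://", target, re.I)]

def build_sample_docx(image_target, external=True):
    """Constructed fixture (not a real sample): a minimal .docx whose single
    picture is either linked to image_target or embedded locally."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
            f'<Relationship Id="rId2" Type="{OFFICE_REL}/image" Target="{image_target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
        if not external:
            z.writestr("word/" + image_target, b"\x89PNG\r\n\x1a\n")  # stub image bytes
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx("http://remote-host.example/logo.png")  # placeholder host
    for path, url in remote_image_beacons(sample):
        print(f"remote image in {path}: {url}")
```

On a real document, pass the file's bytes to remote_image_beacons; an externally linked image in a document that should have none is worth blocking at the mail gateway and checking against proxy logs for the first-open request.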
To help defenders detect this activity, Sekoia has provided the following Yara rule: