Such early red flags concerning the FireEye breach would lead to more investigations and discoveries that are still underway. The matter is so serious that an obligatory U.S. state hearing was held on Tuesday. Today, the latest reports reveal yet again that there are new indications of APT group activity. Russian hacking group Turla’s new malware campaign has arisen. This is the same group that has also been suspected in the SolarWinds breach, together with APT29 Cozy bear -the main suspect. It is important to remember that nation-state APTs, even though they may have different names, most probably work for the same cause under the directive of the nation-state.
Who Is Turla?
Turla is an APT, or Advanced Persistent Threat group. According to an article by The Guardian in 2014, they were behind “One of the most sophisticated and prolonged cyber-espionage campaigns ever seen”. The article states that they have targeted embassies in Eastern Bloc nations such as Poland, Germany, Belgium, Kazakhstan, and many more. According to the UK’s NCSC, they are also known under the aliases “Waterbug” or “VENOMOUS BEAR” and are most probably Russia-based. Furthermore, they usually target commercial organizations, the government, the military, and other sectors for “intelligence collection”. There are several Russian-based threat actors and campaigns, of which Turla in the 1990s, according to IronNet Cybersecurity, launched “one of the first widely known cyberespionage campaigns in history”. Turla has links with the Russian FSB (Intelligence service).
Turla’s IronPython
Russian-based APT Turla group is now deploying a new malware loader in a new campaign yet to be fully investigated, detailed in California-based cybersecurity company Palo Alto’s reports. According to the company, the code in question is called the “IronNetInjector”, which is a Python script. Further details reveal that “IronNetInjector is another toolset in Turla’s ever-growing arsenal” which is, “similar in structure to the previously used in-memory loading mechanism to execute malware with the help of Powershell scripts”. A Powershell script is something that has been seen in some powerful cybercriminal tools recently. This variant is most commonly used to load ComRAT, a very severe type of malware (Remote Access Trojan), that has even been used to breach the US military in the past.
Are Russian APTs Devising New Attack Tools?
According to Palo Alto’s research and testing, the reason this type of malware is becoming “attractive for malware authors” is because there is a trend of these malware authors moving towards a .NET infrastructure. Palo Alto states that “This general trend can be seen in recent years as detection of Powershell based threats became better, but also due to security mechanisms like AMSI introduced by Microsoft”. The IronPython scripts have been found on “software development hosting sites available for everybody to use” and are confirmed to be malicious. Palo Alto’s Unit 42 team has also confirmed that these scripts will allow for threat group Turla to run malware “on a victim’s system”. Given the group’s history, it is certain that nothing good-natured can be expected of them. How such new tools will be used remains to be seen.
Palo Alto’s Statements
Palo Alto has stated that they will be monitoring the progress of this new tool authored by malware creators to get “missing pieces of the puzzle”. The tool and its use are not new, Palo Alto states, “but the way Turla uses it is new”. Researchers stated that now the internet landscape allows for “more and more ready-made-malware” that the “bad guys” can develop, saving them time and inspiring new ideas that should help them avoid detection in the future.
