
Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Cisco Talos, a cybersecurity company, has uncovered a new backdoor called TinyTurla-NG that has been used by the Russia-linked Turla threat actor in a targeted three-month-long campaign against Polish non-governmental organizations in December 2023. TinyTurla-NG is similar to TinyTurla, which was first documented by the company in September 2021 and has been used by the adversarial collective in intrusions aimed at the U.S., Germany, and Afghanistan since at least 2020. Turla, also known as Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos, and Venomous Bear, is a Russian state-affiliated threat actor linked to the Federal Security Service (FSB).

The latest campaign involving TinyTurla-NG began on December 18, 2023, and is said to have continued until January 27, 2024. However, based on the compilation dates, the activity may have started in November 2023. The campaign is highly targeted and focused on a small number of organizations, mainly in Poland. The backdoor is distributed to victim environments via compromised websites that act as command-and-control (C2) endpoints to fetch and execute instructions. This enables the backdoor to run commands via PowerShell or Command Prompt (cmd.exe) and to download and upload files.

TinyTurla-NG also serves as a conduit to deliver PowerShell scripts called TurlaPower-NG that are intended to exfiltrate the key material used to secure the password databases of popular password management software, packaged in the form of a ZIP archive.
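The two behaviours described above, script execution through PowerShell or cmd.exe and PowerShell bundling password-manager material into a ZIP, both leave host-side process telemetry. The following is an added example of a small hunting rule set run over constructed process-creation events; it is not code from Cisco Talos, The Hacker News, or the Turla tooling. The event field names are an assumption modelled loosely on Sysmon Event ID 1, the parent-process allow list and the password-database file extensions are illustrative assumptions, and the sample events are constructed, not real telemetry.

```python
"""Hunt over process-creation events for shells launched from unusual
parents, encoded PowerShell, and PowerShell archiving password-manager
databases. Added example; field names follow Sysmon Event ID 1 loosely
(an assumption), and all sample events below are constructed."""
import re
from typing import Dict, List, Tuple

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parents that normally spawn interactive shells (assumed allow list).
BENIGN_PARENTS = {"explorer.exe", "windowsterminal.exe", "code.exe"}
# Illustrative password-manager database extensions (assumption).
VAULT_EXT = re.compile(r"\.(kdbx|kdb|psafe3)\b", re.IGNORECASE)
ARCHIVE = re.compile(r"compress-archive|\.zip\b|system\.io\.compression", re.IGNORECASE)
# PowerShell's -EncodedCommand switch and its accepted abbreviations.
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty means clean)."""
    hits: List[str] = []
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    if image not in SHELLS:
        return hits
    if parent not in BENIGN_PARENTS:
        hits.append("shell_from_unusual_parent")
    if ENCODED.search(cmd):
        hits.append("encoded_powershell")
    # Only flag archiving when a vault file is named on the same command line.
    if ARCHIVE.search(cmd) and VAULT_EXT.search(cmd):
        hits.append("vault_material_archived")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(ProcessId, matched rules) for every event that matched at least one rule."""
    results = []
    for ev in events:
        hits = score_event(ev)
        if hits:
            results.append((ev["ProcessId"], hits))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "2001", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessId": "2002", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": "2003", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": "2004", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Compress-Archive -Path C:\Users\alice\vault.kdbx '
                    r'-DestinationPath C:\Users\alice\AppData\Local\Temp\out.zip"'},
]

if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS):
        print(pid, ", ".join(rules))
```

Because the C2 endpoints are compromised legitimate websites, the backdoor's network traffic blends into ordinary web browsing, so the process-level signals above carry more weight than domain reputation; the archiving rule deliberately requires both an archive operation and a vault file on the same command line to keep routine Compress-Archive use from alerting.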

The campaign is highly compartmentalized, with only a few compromised websites acting as C2s, each contacted by only a few samples. Because of this, it takes significant effort to pivot from one sample or C2 to others sharing the same infrastructure, which is what would give researchers confidence that they are related. The motivation behind this campaign is not yet clear, but it is a highly targeted and focused operation.

The disclosure comes at a time when OpenAI has revealed that nation-state actors from Russia are exploring generative artificial intelligence (AI) tools, including large language models (LLMs) like ChatGPT, to understand satellite communication protocols and imaging technologies, and to seek support with scripting tasks.

Want to read more? Check out the original article available at The Hacker News!


Deitasoft © 2024. All Rights Reserved.