Russian Federal Security Service (FSB) hackers, known as Turla, have been observed hijacking the infrastructure of other threat actors to target Ukrainian entities.
The attacks began with a phishing email containing a malicious attachment designed to deploy either Amadey malware or the Cookbox backdoor.
Amadey is considered a malware botnet that has been used for initial access and payload delivery. In this case, Turla used it to deploy its custom reconnaissance tools and PowerShell droppers that ultimately installed the Tavdig and KazuarV2 backdoors. It’s unclear whether Turla hijacked Amadey or purchased legitimate access to the botnet.
The Cookbox backdoor is associated with Storm-1837, a different Russia-based threat actor that targets Ukrainian military drone pilots.
In both campaigns, Turla focused on targeting military devices linked to Starlink satellite communication systems, typically used by Ukrainian soldiers.
Source: Bleeping Computer
Analysis
Turla’s use of Storm-1837’s Cookbox backdoor makes sense given that the targets of the campaign are Ukrainian front-line devices connected via Starlink. These devices are likely used by Ukrainian drone operators, the primary target of Storm-1837. Thus, Storm-1837 would benefit from any information gleaned from these devices provided Turla shared it.
This collaboration indicates that Storm-1837 is likely another unit of hackers from the FSB, as Russian intelligence services are not known to cooperate with agencies outside their own. For example, APT 28 and APT 29, threat groups from two separate Russian agencies, both compromised the Democratic National Convention in 2016. While one actor on its own may have flown under the radar, the increased activity of both actors was detected, resulting in both being kicked out of the network.
Regarding Amadey, it’s difficult to determine if Turla was using this tool as a client of Amadey or if the group hijacked it. There is no need for Turla to mask its activities in Ukraine as Russia is openly at war with the country, so using Amadey to disguise the campaign is unnecessary. Regardless, the Amadey loader proved to be capable of establishing initial access and subsequently downloading the Tavdig backdoor.
Turla has a history of leveraging other non-Russian threat actors' tools and infrastructure to obscure their operations and/or piggyback on successful campaigns. They have previously repurposed malware and used known vulnerabilities to inject themselves into active campaigns.
This approach allows Turla to mask its activities as part of a broader, unrelated threat, complicating attribution and defense efforts. Such tactics reflect their advanced skill set and strategic emphasis on stealth and persistence.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for advanced persistent threats like Turla. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these threats pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect encourages all organizations at risk of Russian cyber activities to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ShieldsUp program, which provides robust guidance for preparing, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.