Suspected Russian hackers repurpose old malware to target Ukraine
- Sam Sabin, author of Axios Codebook

Illustration: Sarah Grillo/Axios
A Russian cyber espionage group is suspected of repurposing another malware campaign's old infrastructure to spy on a Ukrainian computer network.
Driving the news: Researchers at Google-owned Mandiant recently discovered an espionage campaign where Turla Team, a Russian government-linked cyber espionage group, is suspected of re-registering domain names used nine years ago in a previously unconnected attack to spread a banking trojan malware via infected USB drives.
- Some of the infected computers were on a Ukrainian network onto which the new hackers later installed additional malware and backdoors.
The big picture: The campaign highlights an evolution in Russian state-sponsored hackers' tactics, allowing them to rely on others' leftovers to remain undetected on victim networks.
- Russian government hackers are known to test out new tricks in Ukraine.
What they're saying: "Now they are taking advantage of another actor’s work by taking over their command and control," John Hultquist, head of threat intelligence at Mandiant, said in a statement.
Details: Mandiant researchers first stumbled upon the campaign in September while investigating a breach on an unnamed Ukrainian computer network.
- Researchers concluded that the hackers re-registered an old domain name in January 2022 and spent a few months combing through infected devices to determine which victims they now had access to.
- From there, the new hackers installed two new malware strains that Turla Team is known to have used in past campaigns onto selected Ukrainian computers.
- In total, Turla is suspected of re-registering three domain names linked to hundreds of device infections.
Between the lines: Mandiant observed the group downloading Turla-connected malware onto only a single network — the Ukrainian one — "suggesting a high level of specificity in choosing which victims received a follow-on payload," per the report.
The intrigue: This is the first time Mandiant has spotted Turla targeting Ukrainian organizations since the Russian invasion in February.
- However, Turla has used a similar disguise before: In 2019, British intelligence warned that the group was piggybacking on Iranian hackers' servers to mask its own attacks on dozens of countries.