Jan 6, 2023 - Technology

Suspected Russian hackers repurpose old malware to target Ukraine


Illustration: Sarah Grillo/Axios

A Russian cyber espionage group is suspected of repurposing another malware campaign's old infrastructure to spy on a Ukrainian computer network.

Driving the news: Researchers at Google-owned Mandiant recently discovered an espionage campaign in which Turla Team, a Russian government-linked cyber espionage group, is suspected of re-registering domain names that were used nine years ago, in a previously unconnected attack, to spread banking trojan malware via infected USB drives.

  • Some of the infected computers were on a Ukrainian network onto which the new hackers later installed additional malware and backdoors.

The big picture: The campaign highlights an evolution in Russian state-sponsored hackers' tactics, allowing them to rely on others' leftovers to remain undetected on victim networks.

  • Russian government hackers are known to test out new tricks in Ukraine.

What they're saying: "Now they are taking advantage of another actor’s work by taking over their command and control," John Hultquist, head of threat intelligence at Mandiant, said in a statement.

Details: Mandiant researchers first stumbled upon the campaign in September while investigating a breach on an unnamed Ukrainian computer network.

  • Researchers concluded that the hackers re-registered an old domain name in January 2022 and spent a few months combing through infected devices to determine which victims they now had access to.
  • From there, the new hackers installed two new malware strains that Turla Team is known to have used in past campaigns onto selected Ukrainian computers.
  • In total, Turla is suspected of re-registering three domain names linked to hundreds of device infections.
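The defensive corollary of the sequence above is that a host still beaconing to a "dead" C2 domain is not harmless once that domain has been re-registered by someone else. The check below is an added example, not code from the article or from Mandiant; the domain names, WHOIS dates and DNS log lines are constructed placeholders.

```python
from datetime import date

# Constructed sample data (not from the article): expired C2 domains from an old
# campaign, with the date that campaign went dark and the current WHOIS creation date.
OLD_C2_DOMAINS = {
    "example-c2-one.test": {"campaign_ended": date(2014, 1, 1), "whois_created": date(2022, 1, 10)},
    "example-c2-two.test": {"campaign_ended": date(2014, 1, 1), "whois_created": date(2013, 6, 5)},
}

# Constructed DNS query log, one "<timestamp> <client_ip> <query_name>" record per line.
DNS_LOG = """\
2022-09-01T10:00:00Z 10.0.0.5 example-c2-one.test
2022-09-01T10:05:00Z 10.0.0.5 example-c2-one.test
2022-09-01T10:07:00Z 10.0.0.9 example-c2-two.test
2022-09-01T10:09:00Z 10.0.0.7 mail.internal.test
"""


def is_reregistered(info: dict) -> bool:
    """A C2 domain whose current WHOIS creation date is later than the end of the
    original campaign has changed hands: whoever holds it now receives the beacons."""
    return info["whois_created"] > info["campaign_ended"]


def find_hijacked_beacons(log: str, domains: dict) -> dict:
    """Return {domain: sorted client IPs} for hosts still beaconing to a re-registered C2.
    Beacons to a domain that is merely expired, not re-registered, are not reported."""
    hits: dict = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than crashing on them
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        info = domains.get(qname)
        if info and is_reregistered(info):
            hits.setdefault(qname, set()).add(client)
    return {d: sorted(ips) for d, ips in hits.items()}


if __name__ == "__main__":
    for domain, clients in find_hijacked_beacons(DNS_LOG, OLD_C2_DOMAINS).items():
        print(f"{domain}: re-registered C2, still contacted by {', '.join(clients)}")
```

Hosts flagged this way are candidates for re-imaging and for a hunt for follow-on payloads, since the legacy infection is now a foothold for whoever controls the domain.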

Between the lines: Mandiant observed the group downloading Turla-connected malware onto only a single network — the Ukrainian one — "suggesting a high level of specificity in choosing which victims received a follow-on payload," per the report.

The intrigue: This is the first time Mandiant has spotted Turla targeting Ukrainian organizations since the Russian invasion in February.

  • However, Turla has practiced a similar disguise before: In 2019, British intelligence warned that the group was using Iranian hackers' servers to disguise its own attacks on dozens of countries.
