https://therecord.media/turla-hackers-targeting-ukraine-defense
Russia’s Turla hackers target Ukraine’s defense with spyware

Daryna Antoniuk, July 19th, 2023 (Briefs, Malware)
Image: Tanguy Sauvin via Unsplash/The Record

This article was updated at 3:58 p.m. on July 19.

The Russian hacking group Turla is attacking Ukrainian defense forces with spying malware, according to new research from the country’s computer emergency response team (CERT-UA).

Turla, a cyberespionage group also known by the names Waterbug and Venomous Bear, is closely affiliated with the FSB Russian intelligence agency. The group has been linked to numerous high-profile cyberattacks, including on the German Bundestag and the Ukrainian Parliament in 2014.

In a report published on Wednesday, CERT-UA said it had observed the group targeting Ukrainian defense forces with Capibar and Kazuar spyware.

What makes Capibar special is that it compromises Microsoft Exchange servers using a PowerShell tool to turn a legitimate server into a malware control center.

To inject the malware into the victim's system, hackers send emails with malicious attachments. When these attachments are opened, they trigger a PowerShell command.

Under certain circumstances, a “highly advanced and multi-functional backdoor” known as Kazuar is downloaded onto compromised computers. This backdoor is capable of extracting sensitive authentication information, including passwords, bookmarks, cookies, and databases from services like KeePass, Azure, Google Cloud, and Amazon Web Services.

Among the emails that CERT-UA has received for analysis, there are fake utility bills that appear to be sent from Ukrainian energy companies.

The threat actor aims to exfiltrate files containing messages from the popular Signal desktop messaging app, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems, according to Microsoft Threat Intelligence.

CERT-UA did not disclose how effective the use of Turla’s spyware was and how many victims it infected. The agency has been tracking the group since 2022.

Last year, the Google-owned cybersecurity firm Mandiant spotted Turla taking over a cybercriminal botnet to get into its victims' systems. Researchers discovered that a user in Ukraine had inserted a USB drive into their computer, inadvertently infecting it with an outdated banking trojan called Andromeda. The malware subsequently downloaded and installed two tools Mandiant had previously tied to Turla.

Tags: spyware, Turla, Russia, Ukraine

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

© Copyright 2023 | The Record from Recorded Future News