According to the cybersecurity company Sekoia, Turla, a Russian state-sponsored hacking group, has been targeting the Austrian Economic Chamber, a NATO e-learning platform, and the Baltic Defense College in a new reconnaissance campaign. Sekoia’s report builds on earlier findings by Google’s Threat Analysis Group (TAG), which has been closely tracking Russian threat actors this year. In March 2022 Google warned of coordinated activity by Russia-based threat groups, and in May it identified two Turla domains in use in the ongoing campaign. Starting from those indicators, Sekoia found that Turla was targeting an Austrian federal organization as well as a military institution in the Baltic region.
Turla is a Russian-speaking cyber-espionage group with extensive ties to the Russian Federation’s FSB whose activity has been tracked since 2014. The group targets a wide range of organizations: it has deployed backdoors on Microsoft Exchange servers around the world, hijacked the infrastructure of other APTs to conduct espionage in the Middle East, and run watering-hole operations against Armenian targets. More recently, Turla was observed deploying backdoors and Remote Access Trojans (RATs) against EU governments, embassies, and major research institutions.

According to Sekoia, the indicators shared by Google’s TAG point to three distinct targets. The first is BALTDEFCOL, a military college in Estonia that is jointly operated by Estonia, Latvia, and Lithuania and serves as a hub for Baltic strategic and operational research; it also hosts conferences attended by high-ranking NATO and European officers. The second is WKO (Wirtschaftskammer Österreich), the Austrian Federal Economic Chamber, which advises governments on legislation and on economic sanctions around the world. The third is the e-learning portal of the NATO Joint Advanced Distributed Learning platform.

The typosquatted domains host a malicious Word document named “War Bulletin 19.00 CET 27.04.docx,” which may be placed in various directories of the spoofed sites. The document contains no malicious macros; instead it references a PNG image (logo.png) that is retrieved from the attacker-controlled server when the document is opened. Sekoia believes this image request is used for reconnaissance: the HTTP request Word makes to fetch it tells the attacker which Word version and edition the victim is running, before any exploit is delivered. “Thanks to the HTTP request done by the document to its own controlled server, the attacker can get the version and the type of Word application used by the victim – which can be interesting info to send a tailored exploit for the specific Microsoft Word version,” reads Sekoia’s report.
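The reconnaissance trick described above, a document with no macros that still makes an HTTP request because one of its parts is linked to an external URL, can be spotted statically by inspecting the OOXML relationship files inside the .docx package. The Python script below is an added example written for this page, not code from Sekoia, Google, or the campaign itself. It builds a constructed sample document (the attacker URL, relationship IDs, and file layout are hypothetical) and then triages it, separating external relationships that Word resolves on its own when the document opens (linked images, OLE objects, attached templates) from ones that require a click (hyperlinks).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationship namespace and the prefix shared by Office relationship Type URIs.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship kinds that Word resolves without user interaction when the document opens,
# so an External target here means a network request on open. The set is an assumption
# based on common part types, not an exhaustive list from the specification.
AUTO_FETCHED = {"image", "oleObject", "attachedTemplate", "frame", "subDocument"}


def external_relationships(docx_bytes: bytes) -> list:
    """Return (rels_part, kind, target) for every relationship marked TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. "image", "hyperlink"
                found.append((name, kind, rel.get("Target", "")))
    return found


def has_vba_project(docx_bytes: bytes) -> bool:
    """True if the package carries a VBA project, i.e. the document has macros."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def triage(docx_bytes: bytes) -> dict:
    """Summarise why a document deserves a closer look."""
    auto, click = [], []
    for _, kind, target in external_relationships(docx_bytes):
        (auto if kind in AUTO_FETCHED else click).append((kind, target))
    return {
        "macros": has_vba_project(docx_bytes),
        "auto_fetched_external": auto,  # resolved by Word on open: beacon / recon
        "click_external": click,        # hyperlinks etc.: common and usually benign
        "suspicious": bool(auto),
    }


def build_sample_docx(image_url: str) -> bytes:
    """Construct a minimal .docx whose only picture is linked (r:link) to an external URL.

    Constructed sample for this example: the parts are a stripped-down skeleton that is
    enough for the parser above, not a fully Word-renderable document.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
        'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main">'
        '<w:body><w:p><w:r><w:drawing><a:blip r:link="rId3"/></w:drawing></w:r></w:p></w:body>'
        "</w:document>"
    )
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.org/" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}image" Target="{image_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://attacker.example/logo.png")  # hypothetical C2 URL
    print(triage(sample))
```

To check a real file, pass its bytes to triage(). The caveat that matters in practice: external hyperlinks are common in benign documents, so only auto-resolved external targets are worth alerting on. A document with an external linked image and no VBA project is exactly the profile Sekoia describes, and the external target itself is the indicator to block at the proxy.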