Turla is a Russian-speaking cyber-espionage threat group with extensive ties to the Russian Federation’s FSB service since 2014. The group targets a wide range of organizations. They have already deployed backdoors on Microsoft Exchange servers around the world, hijacked the infrastructure of other APTs to conduct espionage in the Middle East, and carried out watering hole operations against Armenian targets. Turla was recently detected deploying backdoors and Remote Access Trojans (RATs) against EU governments, embassies, and major research institutions.

According to Sekoia, the IPs shared by Google’s TAG link to different targets. The first target is BALTDEFCOL, a military college in Estonia that is jointly operated by Estonia, Latvia, and Lithuania and serves as a hub for Baltic strategic and operational research. The college also hosts conferences attended by high-ranking NATO and European officers. The second target is WKO (Wirtschaftskammer Österreich), the Austrian Federal Economic Chamber, which advises governments on legislation and economic sanctions around the world. The last target is the e-learning portal of the NATO Joint Advanced Distributed Learning platform.

The typosquatting domains are hosting a malicious Word document called “War Bulletin 19.00 CET 27.04.docx,” which may be located in various directories of these websites. The file contains an embedded PNG (logo.png), which is retrieved when the document is loaded. Sekoia believes the PNG is used for reconnaissance, as the Word file has no malicious macros. “Thanks to the HTTP request done by the document to its own controlled server, the attacker can get the version and the type of Word application used by the victim – which can be an interesting info to send a tailored exploit for the specific Microsoft Word version,” reads Sekoia’s report.