
Researchers: Turla and Zebrocy APT actors shared code, targets in 2018

Researchers have identified several commonalities between reputed Russian APT groups Turla and Zebrocy, both known for their global, malware-based cyber espionage operations.

Such discoveries help bolster the efforts of cyber investigators who seek to map out malicious ecosystems or attribute attacks to foreign actors. In this case, researchers from Kaspersky Lab are reporting that Turla, aka Venomous Bear/Uroburos, and Zebrocy, a subset of Sofacy/Fancy Bear/APT 28, have both recently been attacking sensitive political targets such as government research and security bodies, diplomatic missions and military affairs, with a heavy emphasis on Central Asia.

Moreover, the researchers noted in an Oct. 4 blog post that a mid-2018 Turla phishing campaign targeting Syria and Afghanistan used PowerShell code that was nearly identical to code used in Zebrocy operations. Reportedly, the code was used to decode and execute a KopiLuwak malware payload when victims opened malicious LNK file attachments.

"Turla is one of the oldest, most enduring and capable known threat actors, renowned for constantly shedding its skin and trying out new innovations and approaches," said Kurt Baumgartner, principal security researcher on Kaspersky Lab's GReAT team, in a company press release.

Baumgartner said that while other Russian threat actors like Cozy Bear and Fancy Bear tend to focus the brunt of their attacks on the West, Turla of late has been "quietly deploying its operations towards the East, where their activity and, more recently, even their delivery techniques began to overlap with Sofacy’s Zebrocy subset. Our research suggests Turla’s code development and implementation is ongoing, and organizations that believe they could be a target should prepare for this."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
