Researchers have identified several shared commonalities between reputed Russian APT outlets Turla and Zebrocy, both known for their global, malware-based cyber espionage operations.
Such discoveries help bolster the efforts of cyber investigators who seek to map out malicious ecosystems or attribute attacks to foreign actors. In this case, researchers from Kaspersky Lab are reporting that Turla, aka Venomous Bear/Uroburos, and Zebrocy, a subset of Sofacy/Fancy Bear/APT 28, have both recently been attacking sensitive political targets such as government research and security bodies, diplomatic missions and military affairs, with a heavy emphasis on Central Asia.
Moreover, the researchers noted in an Oct. 4 blog post that a mid-2018 Turla phishing campaign targeting Syria and Afghanistan relied used PowerShell code that was nearly identical to code used in Zebrocy operations. Reportedly, the code was used to decode and execute a KopiLuwak malware payload when victims opened malicious LNK file attachments.
“Turla is one of the oldest, most enduring and capable known threat actors, renowned for constantly shedding its skin and trying out new innovations and approaches,” said Kurt Baumgartner, principal security researcher on Kaspersky Lab’s GReAT team, in a company press release.
Baumgartner said that while other Russian threat actors like Cozy Bear and Fancy tend to focus the brunt of their attacks on the West, Turla of late has been “quietly deploying its operations towards the East, where their activity and, more recently, even their delivery techniques began to overlap with Sofacy’s Zebrocy subset. Our research suggests Turla’s code development and implementation is ongoing, and organizations that believe they could be a target should prepare for this.”