Russian cyber actors are targeting national parliaments and ministries of foreign affairs, US agencies warn
The US Cyber Command on Thursday published a detailed report sharing information on two malware implants being used by Russian state-sponsored hacking groups to target national parliaments, ministries of foreign affairs, and embassies in various counties.
According to the , the US Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Command's Cyber National Mission Force (CNMF) unit identified these malware samples and uploaded them to malware aggregation tool, VirusTotal.
The analysis of malware samples revealed that Russian cyber espionage group Turla had been using ComRAT malware in attacks against national parliaments and ministries with intent to steal sensitive data from victim networks.
Russian state-sponsored cyber actors have targeted ministries of foreign affairs & national parliaments to spy, steal data, & install malware. With our partners & , persistently enables cyber defense for the nation.— U.S. Cyber Command (@US_CYBERCOM) October 29, 2020
Turla is an elite cyber-espionage threat group with suspected links to Russia's FSB intelligence agency. The group, also known as Venomous Bear, KRYPTON, Snake, and Waterbug and Group 88, has been active since 2007 and is known for its custom-made tools that it uses to launch targeted attacks against foreign government entities, embassies and militaries.
The ComRAT backdoor is one of Turla's oldest weapons. It came to light in 2008 after hackers used it to breach Pentagon's network and steal data from it. The first version of ComRAT showed worm capabilities by spreading through removable drives. Since then, the malware has seen a number of updates, with new versions discovered by researchers in 2014 and 2017.
The US cyber security experts say they have also identified the Zebrocy backdoor being used to compromise systems installed at ministries of foreign affairs and embassies from Central Asia and Eastern Europe.
"Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis," .
"The file is designed to allow a remote operator to perform various functions on the compromised system."
Zebrocy has long been associated with the APT 28 group, which is also referred as Fancy Bear, Sofacy, STRONTIUM and Sednit by independent security researchers. The group is thought to be working under the control of the Russian Main Intelligence Directorate (GRU).
CISA is now advising users and admins to take all appropriate steps to strengthen the security posture of their organisation's systems.
"Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts," the advisory said.
The latest warning from US Cyber Command about Russia-backed cyberespionage campaign comes a day after the agency warned of and two weeks after Norway accused Russia of being responsible for the cyber attack that targeted Norwegian parliament's email systems in August.
"Based on the information available to the government it is our assessment that Russia stood behind this activity" Foreign Minister Ine Eriksen Soreide said.
Earlier this year, a report by Norway's military intelligence agency also claimed that Russia was conducting so-called influence operations to weaken public trust in the government and election processes.
Just last week, the European Union also slapped over their involvement in cyber attacks that targeted Germany's parliament in 2015.
The attack affected the German parliament's operations for many days, and enabled the theft of a significant amount of data, according to the EU.
The block also imposed sanctions on Russia's 85th Main Centre for Special Services for conducting cyber campaigns "with a significant effect constituting an external threat to the Union or its member states."
Also last week, the US Justice Department charged six intelligence officers at Russia's Main Centre for Special Technologies over a series of cyber attack, including NotPetya, targeting Spring 2017 French election, the 2018 Winter Olympic Games in South Korea, and other events in different countries.
The US Treasury has also imposing sanctions against a Russian research centre that enable Russian cyber actors to target and manipulate safety systems at industrial plants.