27 May 2022

Russia-linked Turla APT caught spying on entities in Austria, Estonia


The Russia-linked state-backed hacking group Turla has been observed targeting the Austrian Economic Chamber, the Baltic Defense College (BALTDEFCOL), and a NATO platform for cyber-espionage purposes, a new report from the cybersecurity company Sekoia reveals.

Established in 1999 by Estonia, Latvia and Lithuania, BALTDEFCOL is a center for strategic research which provides military education and conferences to high-ranking officers from the founding states as well as allies such as NATO, the EU and other European countries, including Ukraine.

“The strategic role BALTDEFCOL may have in Baltic military strategy against Russia could be reasons for Turla targeting this institution for espionage purposes,” the researchers say.

The Austrian Economic Chamber (Wirtschaftskammer Österreich, WKO) functions as the federal parent organization for the nine State Chambers and 110 trade associations for different industries within Austria's economic system. The organization’s involvement in decision-making, including economic sanctions, and in administrative procedures may be the reason for Russian espionage operations through Turla’s phishing campaign.

Austria has maintained a neutral stance concerning the sanctions against Russia, and voted to reject sanctions against Russian oil and gas, as well as refused to send weapons to Ukraine.

The cyber-espionage campaign was discovered during the investigation into two malicious domains previously linked to the ongoing Turla campaigns by Google’s Threat Analysis Group (TAG). The IP addresses shared by TAG point to the domains “baltdefcol.webredirect[.]org” and “wkoinfo.webredirect[.]org,” which respectively typo-squat “baltdefcol.org” and “wko.at.”

The researchers also discovered a third domain, jadlactnato.webredirect[.]org, typosquatting the NATO Joint Advanced Distributed Learning (JADL) e-learning platform, which provides education and training to NATO military, governmental and NATO official personnel.

These domains were used to host a malicious Microsoft Word document named “War Bulletin 19.00 CET 27.04.docx.”

“These documents request the PNG file thanks to a remote file inclusion defined in the file /word/_rels/document.rels.xml. It is quite interesting that the request to the file is performed via the HTTP protocol and not an SMB inclusion. Therefore, this campaign does not leverage any malicious code but has been used for reconnaissance purposes only,” Sekoia noted.

“Thanks to the HTTP request done by the document to its own controlled server, the attacker can get the version and the type of Word application used by the victim – which can be an interesting info to send a tailored exploit for the specific Microsoft Word version.”
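The reconnaissance technique Sekoia describes, a Word document whose relationships part points at an image on an attacker-controlled HTTP server, can be checked for statically: a .docx is a ZIP archive, and every part's relationships live in `_rels/*.rels` files where a remote reference carries `TargetMode="External"`. The following added example (not Sekoia's code and not the lure document itself) is a defender's scanner that unzips a document in memory and lists every external relationship whose target uses a remote scheme. It assumes the standard OOXML relationship file name `word/_rels/document.xml.rels` (the path as spelled in the quote above differs), but scans every `.rels` member, so it is not tied to that name. The sample document it builds, and the host `tracker.example.invalid`, are constructed test input, not indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationships namespace used by every *.rels part in a .docx
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Target prefixes that cause Word to reach out to a remote host when the
# document is opened (HTTP(S) URLs, file:// URLs and UNC paths)
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def find_external_relationships(docx_bytes):
    """Return a list of (rels_member, rel_type, target) for each relationship
    in any *.rels part that is marked External and points at a remote location.
    A clean document returns an empty list."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for member in archive.namelist():
            if not member.endswith(".rels"):
                continue
            root = ET.fromstring(archive.read(member))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # Internal targets are other parts inside the archive; only
                # External targets can trigger an outbound request
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(REMOTE_PREFIXES):
                    # Keep only the short relationship kind, e.g. "image"
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((member, rel_type, target))
    return findings


def build_sample_docx(image_target):
    """Construct a minimal .docx (constructed test input, not a real lure)
    whose main document relationships include one externally linked image."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>sample</w:t></w:r></w:p></w:body></w:document>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="{image_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", content_types)
        archive.writestr("word/document.xml", document)
        archive.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed beacon host; .invalid is reserved and never resolves
    sample = build_sample_docx("http://tracker.example.invalid/beacon.png")
    for member, rel_type, target in find_external_relationships(sample):
        print(f"{member}: external {rel_type} -> {target}")
```

Running the scanner over an inbound document before it reaches a user surfaces exactly the kind of reference Sekoia saw: an `image` relationship with an HTTP target, which on open would send a request whose User-Agent reveals the Word version. The same check applies to other external relationship kinds (for example `attachedTemplate` or `oleObject`), which is why the scanner reports the type rather than filtering on images alone.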
