A project called Buckshot Yankee. It also led to the creation of US Cyber Command, a sister organization of the NSA in charge of protecting DOD networks that today also serves as home to the country's most specialized cyberwar hackers. Years later, in 2014, researchers from the Russian cybersecurity company Kaspersky would point out technical connections between Agent.btz and the Turla malware that would become known as Snake. The spy malware, which Kaspersky then called Uroburos, or simply Turla, used the same file names for its log files and some of the same private keys for encryption as Agent.btz, the first evidence that the famous USB worm had actually been Turla's creation.

2015: Satellite Command and Control

By the mid-2010s, Turla was already known to have hacked computer networks in dozens of countries around the world, often leaving a version of its Snake malware on victims' machines. In 2014 it was discovered that it used 'watering-hole' attacks, which plant malicious software on third-party websites with the aim of infecting their visitors. But in 2015, Kaspersky researchers discovered a Turla technique that would cement the group's reputation for sophistication and stealth: hijacking satellite communications to steal victims' data through outer space.

In September of that year, Kaspersky researcher Stefan Tanase revealed that the Turla malware communicated with its command and control servers, the machines that send orders to infected computers and receive their stolen data, over hijacked satellite internet connections. According to Tanase, the Turla hackers spoofed the IP address of a genuine satellite internet subscriber on a command and control server set up somewhere in the same region as that user. Then they sent the stolen information from the hacked computers to that IP address, so that it was relayed via satellite to the subscriber, but in such a way that it was blocked by the recipient's firewall.
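The relay described above has a side effect at the spoofed subscriber's end: a stream of unsolicited inbound packets that its firewall drops. As an added example, not code from the article or from Kaspersky, here is a Python check that parses constructed iptables-style drop records and flags a source that keeps pushing large packets at a closed port, the pattern of payload being bounced off a firewall rather than a port scan; the log format and the thresholds are assumptions.

```python
"""Flag sources whose inbound traffic a firewall keeps dropping in bulk.
All log lines below are constructed iptables-style records, not real captures."""
import re
from collections import defaultdict
from datetime import datetime

FIREWALL_LOG = """\
Sep 01 10:00:01 gw kernel: DROP IN=sat0 SRC=203.0.113.7 DST=198.51.100.25 LEN=1460 PROTO=TCP SPT=41000 DPT=80
Sep 01 10:00:01 gw kernel: DROP IN=sat0 SRC=203.0.113.7 DST=198.51.100.25 LEN=1460 PROTO=TCP SPT=41000 DPT=80
Sep 01 10:00:02 gw kernel: DROP IN=sat0 SRC=203.0.113.7 DST=198.51.100.25 LEN=1460 PROTO=TCP SPT=41000 DPT=80
Sep 01 10:00:02 gw kernel: DROP IN=sat0 SRC=203.0.113.7 DST=198.51.100.25 LEN=1460 PROTO=TCP SPT=41000 DPT=80
Sep 01 10:00:03 gw kernel: DROP IN=sat0 SRC=203.0.113.7 DST=198.51.100.25 LEN=1460 PROTO=TCP SPT=41000 DPT=80
Sep 01 10:00:05 gw kernel: DROP IN=sat0 SRC=192.0.2.9 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=55555 DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) .*?DROP .*?SRC=(?P<src>\S+) "
    r".*?LEN=(?P<len>\d+) .*?DPT=(?P<dpt>\d+)"
)

def parse_drops(log_text):
    """Yield (timestamp, source IP, destination port, packet length) per DROP line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["src"], int(m["dpt"]), int(m["len"])

def find_relay_candidates(log_text, min_bytes=4096, min_packets=4):
    """Return {src: stats} for sources that keep pushing large packets at a few
    closed ports: payload being bounced off the firewall, not a port scan."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set(), "first": None, "last": None})
    for ts, src, dport, length in parse_drops(log_text):
        s = stats[src]
        s["packets"] += 1
        s["bytes"] += length
        s["ports"].add(dport)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    hits = {}
    for src, s in stats.items():
        if s["bytes"] >= min_bytes and s["packets"] >= min_packets:
            secs = max((s["last"] - s["first"]).total_seconds(), 1.0)  # avoid division by zero
            hits[src] = {"packets": s["packets"], "bytes": s["bytes"],
                         "ports": sorted(s["ports"]), "bytes_per_sec": s["bytes"] / secs}
    return hits

if __name__ == "__main__":
    for src, h in find_relay_candidates(FIREWALL_LOG).items():
        print(f"{src}: {h['packets']} dropped packets, {h['bytes']} bytes to ports {h['ports']}")
```

On a real gateway the same aggregation would run over syslog output, with the thresholds tuned to the link's normal background noise.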
However, because the satellite transmitted that data from the sky to the entire region, an antenna connected to Turla's command and control server could also capture it, and no one monitoring the hacking group would have any way of knowing where in the region that computer might be located. According to Tanase, the entire system, brilliantly difficult to trace, cost less than a thousand dollars a year to operate. He described it in a blog post as "exquisite."

2019: Taking advantage of Iranian hackers

Many hackers use 'false flags', deploying the tools or techniques of another hacking group to mislead investigators. In 2019, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre warned that Turla had gone much further: it had quietly taken over the infrastructure of another hacking group to control its entire spy operation.
In a joint advisory, the US and British agencies revealed that they had seen Turla not only deploy malware used by an Iranian group known as APT34 (or OilRig) to sow confusion, but that the group had also managed, in some cases, to hijack the Iranians' command and control system, gaining the ability to intercept data that the Iranian hackers had been stealing and even to send its own orders to victim computers the Iranians had hacked. Those tactics significantly raised the bar for analysts trying to attribute any intrusion to a particular hacking group, when in reality Turla or an equally devious group could have been pulling the strings from the shadows. "Avoid potential misattributions by remaining vigilant when examining activities that appear to originate from the Iranian APT," the CISA note warned at the time. "It could be the Turla group in disguise."

2022: Botnet Hijacking

Cybersecurity firm Mandiant reported earlier this year that it had detected Turla carrying out a variant of that hacking trick, this time taking over a cybercriminal botnet to exfiltrate data from its victims. In September 2022, Mandiant discovered that a user on a network in Ukraine had connected a USB drive to his computer and infected it with malware known as Andromeda, a decade-old banking Trojan. But when Mandiant looked closer, it discovered that the program had subsequently downloaded and installed two tools that Mandiant had previously linked to Turla. The Russian spies, the company found, had registered expired domains that Andromeda's original administrators had used to manage their malware, thereby gaining the ability to control those infections. They then searched among hundreds of them for those that could be of interest for espionage. That cunning attack had all the hallmarks of Turla: the use of USB drives to infect victims, as it had done with Agent.btz in 2008, now combined with hijacking another hacking group's USB malware to take over control of it, as it had done with the Iranian hackers a few years before. However, Kaspersky researchers warned that the two tools found in the Ukrainian network that Mandiant had used to link the operation to Turla could actually be signs of a different group it calls Tomiris, perhaps a sign that Turla shares tools with another Russian state group, or that it is now evolving into multiple hacking teams.

2023: Beheaded by Perseus

Last week, the FBI announced that it had struck back at Turla. Exploiting a weakness in the encryption used in Turla's Snake malware, and remnants of code the agency had studied from infected computers, the bureau reported that it had learned not only to identify computers affected by Snake, but also to send those machines an order that the software would interpret as an instruction to delete itself. Using a tool it developed called Perseus, the FBI had purged Snake from victims' computers around the world. Along with CISA, the FBI also published an advisory detailing how Turla's Snake sends data over its own versions of the HTTP and TCP protocols to conceal its communications with other infected machines and with the group's command and control servers. That intervention will undoubtedly undo years of work for the Turla hackers, who have been using Snake to steal data from victims around the world since 2003, even before the Pentagon discovered Agent.btz. The malware's ability to pass information covertly between victims in a peer-to-peer network made it a key tool for Turla's espionage operations.