A series of covert backdoor implants were secretly installed over the last year on dozens of computers used by embassies and foreign ministries across Southeast Europe and former Soviet states, according to new research published by cybersecurity firm ESET.
The malicious software was sent to victims through targeted phishing emails and allowed for a skilled group of hackers to remotely spy on foreign government officials and collect intelligence.
Some cybersecurity firms believe the hacking group exposed by ESET, known as Turla, is connected to Russian intelligence services. The backdoor used by Turla has been codenamed Gazer.
ESET describes Gazer as a stealthy and complex hacking tool that is difficult to detect. The implant receives encrypted code from an external server, which can execute commands either directly through the infected machine or via another computer on a shared network. In addition, ESET found evidence that Turla leverages a virtual file system in the Windows registry to evade antivirus defenses after they’ve deployed Gazer.
Jean Ian Boutin, a senior malware researcher with ESET, said that while the number of infected computers isn’t believed to be very large, the operation appears to be focused on “targeted attacks” against “high value targets.”
“What we see is only a subset of attacks going on,” said Boutin. “We are still seeing new samples, we received new versions just a couple of weeks ago.”
A backdoor implant is typically one part of a hacker’s toolkit, used to upload other malicious files and maintain access on a system. The program is only installed after a computer has already been compromised, leading to additional capabilities and in some cases, wider access to other systems.
“Once [a backdoor] is on a system, it will reach out to its command and control server and can execute all kinds of attacks,” said Boutin. “It can execute new binaries so it can be used to install additional malware or additional tools to do lateral movement, it can also be used to fetch information from [other] systems … It really gives you total access to the system.”
Turla is known for spying on political and civil society organizations. The group is commonly referred to as an APT, or advanced persistent threat.
A variety of different governmental organizations based in the Balkan Peninsula have already been affected.
“Usually what [Turla] will do is send spear phishing emails and then install a first stage backdoor which is usually something a bit simpler so the functionalities aren’t that advanced. They’re using this to do some recon on the victim. If it’s interesting, they’ll push out a second stage backdoor and so Gazer is the second stage backdoor,” explained Boutin. “It’s meant to be more stealthy and is meant to be more persistent on the system.”
Turla, Boutin told CyberScoop, went to great lengths to keep Gazer from being discovered. A tool of this quality is typically expensive and difficult to engineer, experts say.
“We saw them really trying to change any type of data or strings — the binaries — so we lose track of them, we see they fight back to modify the backdoors so it’s harder to stop and harder to find. In terms of complexity of tools used by Turla, it’s quite high,” said Boutin.
He added, “I would rank the Turla tools very high in terms of complexity compared to other APTs but of course some other groups use these techniques as well.”