It’s a common practice: Researchers digging through malware find legitimate clues that point to its authors or data that are false flags meant to throw researchers off the right path.
In the case of the Turla hacking group, which is reportedly tied to Russia’s FSB intelligence service, it is unclear why the group decided to name one of its code strings “TrumpTower” or another “RocketMan!” – presumably a reference to U.S. President Donald Trump’s nickname for North Korean dictator Kim Jong Un.
Regardless of whether or not Turla was trolling, it’s clear to researchers from cybersecurity company Kaspersky that the new code was built for an ongoing hacking campaign aimed at a narrow set of unnamed government organizations. To deliver the malicious code to its targets, Turla used legitimate software downloaders, such as tools to evade internet censorship, that were infected with a “dropper” to install the malware.
Despite the recognizable names of their code strings, Turla has taken steps to keep its latest activity from being detected, the researchers said. For example, the attackers used the Windows system registry to store encrypted data that the malware could retrieve and use at a later time.
Turla has been active in the last year and a half, targeting at least 13 organizations across 10 countries, Symantec, another cybersecurity company, said last month.
“[Turla] still follows a high-profile political agenda and now developers have broadened their arsenal of tools and spreading techniques,” a Kaspersky researcher told CyberScoop.
“The campaign was targeted, so there are only a few targets,” the researcher added, declining to disclose details of where the targeting occurred.