ESET: Turla, Russian FSB-linked group, behind new European government network backdoors
Researchers at the Slovakia-based cybersecurity company ESET have uncovered two new backdoors, dubbed LunarWeb and LunarMail, which they believe were likely used by a Russian state-affiliated hacking group to infiltrate the foreign affairs ministry of an unnamed European country.
ESET’s technical analysis, released on Wednesday, attributed these cyber intrusions to Turla — a group “believed to be part of” the Russian Federal Security Service (FSB) and active “since at least 2004.”
“LunarWeb, deployed on servers, uses HTTP(S) for its C&C [command and control] communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications,” the researchers wrote.
In cybersecurity, a backdoor is a technique that allows both authorized and unauthorized users to bypass standard security protocols and obtain high-level (root) access to a computer system, network, or software application. Once this access is gained, cybercriminals can use a backdoor to steal personal and financial information, deploy further malicious software, and hijack devices.
ESET malware analyst Filip Jurčacko added:
“We believe that the Lunar toolset has been used since at least 2020 and, given the similarities between the tools’ tactics, techniques, and procedures (TTPs) and past activities, we attribute these compromises to the infamous Russia-aligned cyberespionage group Turla, with medium confidence.”
As per the analysis, Turla mainly targets “high-profile entities such as governments and diplomatic organizations in Europe, Central Asia, and the Middle East.” The group is also “notorious for breaching major organizations, including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.” According to a report by cybersecurity publication The Record, the U.S. Justice Department last year wiped out the code behind a piece of the group’s espionage malware, called “Snake.”
The ESET researchers said they initially detected the LunarWeb backdoor deployed at a “diplomatic institution” of the unnamed European Ministry of Foreign Affairs. The researchers wrote:
“Notably, the attacker also included a second backdoor – which we named LunarMail – that uses a different method for command and control (C&C) communications. During another attack, we observed simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other.”
Recent Russian cyber operations in Europe have stirred diplomatic tensions. Last week, Germany temporarily recalled its ambassador from Russia following accusations of cyberattacks targeting critical infrastructure and a major political party. Also last week, the United Kingdom and Czechia summoned their respective Russian ambassadors to address concerns over alleged cyber activities and other suspected espionage operations.