The Russian cyberespionage group referred to as Turla turned notorious in 2008 because the hackers behind agent.btz, a virulent piece of malware that unfold by US Department of Defense methods, gaining widespread entry by way of contaminated USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the identical group seems to be making an attempt a brand new twist on that trick: hijacking the USB infections of different hackers to piggyback on their infections and stealthily select their spying targets.

Today, cybersecurity agency Mandiant revealed that it has discovered an incident wherein, it says, Turla’s hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained entry to sufferer networks by registering the expired domains of practically decade-old cybercriminal malware that unfold by way of contaminated USB drives. As a end result, Turla was capable of take over the command-and-control servers for that malware, hermit-crab type, and sift by its victims to seek out ones worthy of espionage concentrating on.

That hijacking method seems designed to let Turla keep undetected, hiding inside different hackers’ footprints whereas combing by an unlimited assortment of networks. And it reveals how the Russian group’s strategies have advanced and grow to be way more refined over the previous decade and a half, says John Hultquist, who leads intelligence evaluation at Mandiant. “Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” Hultquist says. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

Mandiant’s discovery of Turla’s new method first got here to gentle in September of final yr, when the corporate’s incident responders discovered a curious breach of a community in Ukraine, a rustic that’s grow to be a major focus of all Kremlin intel companies after Russia’s catastrophic invasion final February. Several computer systems on that community had been contaminated after somebody inserted a USB drive into one in every of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, putting in a chunk of malware referred to as Andromeda.

Andromeda is a comparatively frequent banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of many contaminated machines, Mandiant’s analysts noticed that the Andromeda pattern had quietly downloaded two different, extra fascinating items of malware. The first, a reconnaissance software referred to as Kopiluwak, has been beforehand utilized by Turla; the second piece of malware, a backdoor referred to as Quietcanary that compressed and siphoned rigorously chosen information off the goal pc, has been used solely by Turla prior to now. “That was a red flag for us,” says Mandiant menace intelligence analyst Gabby Roncone.

When Mandiant regarded on the command-and-control servers for the Andromeda malware that had began that an infection chain, its analysts noticed that the area used to manage the Andromeda pattern—whose title was a vulgar taunt of the antivirus trade—had really expired and been reregistered in early 2022. Looking at different Andromeda samples and their command-and-control domains, Mandiant noticed that at the least two extra expired domains had been reregistered. In whole, these domains related to a whole lot of Andromeda infections, all of which Turla may type by to seek out topics worthy of their spying.