Some cyber-espionage outfits are so advanced that it takes months of sleuthing and digging through malware code to discover the ways they've carried out some of their hacks.
One such outfit is Turla, the codename given to a cyber-espionage group believed to operate out of Russia, which has been seen hitting targets of political interest to the Russian state.
The group, active since 2007 but believed to have ties to cyber-espionage groups active in the 1990s, was recently spotted targeting employees at embassies and consulates in post-Soviet states.
According to a 29-page report ESET published yesterday, Turla hackers have been using benign-looking Flash Player installers to deliver their code.
At first analysis the installers looked legitimate: even where victims had obtained the file from dubious sources, it connected to genuine Adobe domains and IP addresses to download and install the necessary components.
In spite of the legitimate-looking web traffic, employees at these embassies and consulates received a new backdoor trojan named Mosquito.
The attacks with the Mosquito backdoor have taken place since July 2016 and allowed the Turla group to siphon off important documents and infect the victim with additional malware.
ESET says it ruled out the possibility that Turla had somehow compromised Adobe's servers.
Something like that would have been noticed right away. Instead, ESET believes Turla has once again shown its creativity and moved its point of compromise further down the software supply chain.
ESET experts believe Turla carried out a man-in-the-middle (MitM) attack on the Adobe Flash Player installation process as it ran on the victim's PC, replacing the legitimate installer with its own booby-trapped copy.
This allowed the file transfer to appear to come from Adobe's servers while the actual files were swapped somewhere in transit by the Turla hackers.
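The lesson for defenders is that a download reaching the right hostname and IP address proves nothing about the bytes that arrive: an attacker sitting on the path can return a modified file while the connection metadata still looks like Adobe. The check a practitioner wants is a digest (or publisher signature) obtained out of band and compared before anything is executed. The following is an added illustration, not code from ESET's report or from Adobe: the installer bytes, the in-transit swap and the pinned digest are all constructed here, and in real use the digest would be copied from the vendor over an independent channel.

```python
import hashlib
import hmac

# Constructed stand-ins for the genuine installer and the copy an in-transit
# attacker substitutes. Real installers are tens of megabytes; the check is
# identical.
GENUINE_INSTALLER = b"MZ" + b"\x00" * 62 + b"flash-player-installer-stub"
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x90" * 16  # attacker's appended payload

# Assumption: the digest the publisher would publish out of band. Here it is
# computed from the constructed sample so the example runs offline; in
# practice it comes from the vendor, not from the download itself.
PINNED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


def deliver(data: bytes, mitm_active: bool) -> bytes:
    """Simulate the transfer: the client still 'talks to Adobe', but with an
    on-path attacker the body that arrives is the tampered copy."""
    return TAMPERED_INSTALLER if mitm_active else data


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file from disk so large installers are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(data: bytes, expected_sha256: str) -> bool:
    """True only if the received bytes hash to the pinned digest.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def install_if_verified(data: bytes, expected_sha256: str) -> str:
    """Gate execution on the integrity check instead of on where the
    download appeared to come from."""
    if not verify_installer(data, expected_sha256):
        return "rejected: digest mismatch, installer modified in transit"
    return "installed"


if __name__ == "__main__":
    for mitm in (False, True):
        received = deliver(GENUINE_INSTALLER, mitm_active=mitm)
        print(f"mitm={mitm}: {install_if_verified(received, PINNED_SHA256)}")
```

A pinned digest only helps if it was obtained over a channel the attacker does not control; a hash shown on the same page the installer was fetched from can be swapped in the same way. For Windows installers the stronger check is the publisher's Authenticode signature (for example `Get-AuthenticodeSignature` in PowerShell), which binds the file to the vendor's certificate rather than to a value you had to copy by hand.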
The point where the switcheroo took place is currently unknown, even to ESET researchers. They suspect four scenarios:
ESET considers the third scenario the most plausible, because ISP-level MitM attacks have precedent.
Back in September 2017, ESET reported that an unknown cyber-espionage group compromised an ISP and switched the files downloaded by certain targets. Attackers replaced legitimate files for WhatsApp, Skype, Avast, WinRAR, VLC Player, and others with files infected with the FinFisher spyware suite.
ESET did not attribute those attacks to any particular group, but they offer the best explanation for the recent Turla operations. It is well known by now that cyber-espionage groups take inspiration from one another.
If Turla proves to be behind both campaigns, it will surprise no one in the security community. If any group is skilled and determined enough to carry out attacks of this complexity, it is Turla.
The group is famous for past hacks where it used satellites for delivering malware to remote areas of the globe, developed malware so advanced it had its own API, and used malware that hid its control mechanism inside Britney Spears' Instagram photostream.
This cyber-spying outfit is no slouch, has always been very active, and the recent attacks on embassies are consistent with two earlier ESET and Kaspersky reports from August 2017.