Like an infectious late-90s teen pop hit, Russian outfit Turla has been making its presence felt across the globe.
Except, Turla isn’t the name of a pop group. And, unlike a windows-down summertime pop hit, Turla’s presence is supposed to be inconspicuous and undetected.
That’s because Turla is actually the name of a clandestine group of hackers suspected to have ties to the Russian government (don’t they all?), with a history of targeting sovereign governments, diplomatic officials, and high-ranking statesmen. But the latest target of the hackers’ so-called “watering hole” campaign has not been a nation state’s security apparatus or an official envoy’s email server, but the fans of complicated pop icon, Britney Spears.
“Watering Hole” Attacks
A “watering hole” attack is a type of APT (Advanced Persistent Threat) attack, in which an unauthorized user gains illegal access to a network. Rather than aggressively crashing or damaging the network, an APT is used to quietly navigate the network undetected and pilfer data for an extended period of time.
The purpose of Turla’s watering hole techniques in particular, according to ESET’s WeLiveSecurity website, is to “compromise websites that are likely to be visited by targets of interest.” This is achieved by “[redirecting] potentially interesting victims to their [Command & Control] infrastructure.” This is done by tricking users into downloading a “backdoor”—which might come in the form of a phoney Word document or web browser extension—and thus allowing the hackers a conduit through which to transfer data from the victim’s computer or network to the looters’ C&C.
However, as BoingBoing points out, the Command & Control systems that intercept such stolen data tend to be vulnerable: “Anti-malware researchers like to reverse engineer malicious code, discover the C&C server’s address, and then shut it down or blacklist it from corporate routers.” When this happens the operation is successfully wiped out, meaning the hackers will have to rebuild their operation from square one.
The Britney Spears Operation
In order to minimize the vulnerability of their C&C infrastructure, hackers try increasingly sophisticated and complex ways of deploying their “backdoors.” And Turla, however oddly, decided the comment section of a photo posted on Britney Spears’ Instagram page would be a perfect location to test the latest version of their malware.
The “backdoor,” in the case of Turla’s most recent project, is a fraudulent Firefox extension that, according to ESET, uses a Bitly (aka bit.ly) URL as the path to its C&C domain. But you’ll notice in the image above that the URL itself isn’t found anywhere on the infected Instagram page. Instead, the hackers used a fake Instagram account to post encoded comments under the image that hide the URL. The malware (that deceptive Firefox extension), in this case, was programmed to scan the comments section, identify the encoded comment, and convert the hidden message to the Bitly URL whose destination would be the Turla “watering hole.”
This method, Gizmodo notes, is significant in that it’s “a stealthy way of making sure that the C&C can be changed without having to change the malware. If the attackers want to create a new meetup, they just have to delete the comment and put in a new one with the same hash value.”
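A dead-drop channel of the kind described above works because the comment looks harmless to a human reader while carrying extra data the malware can pick out. The following Python is an added example written for this article; it is not code from ESET, Gizmodo or the Turla extension. It assumes that the hidden data rides on zero-width Unicode format characters (the mechanism ESET reported for this extension, but not a detail given in this article), and it is a defender’s check: it scans a batch of constructed comments, counts invisible code points that are not part of a normal emoji joiner sequence, and flags comments that exceed an arbitrary threshold, so a moderation pipeline or a threat hunter can review them. The comment text, IDs and threshold are all constructed for the example.

```python
import unicodedata
from dataclasses import dataclass, field


@dataclass
class Finding:
    comment_id: str
    invisible_count: int                 # every format (Cf) code point in the comment
    suspicious_count: int                # Cf code points not glued to an emoji/symbol
    positions: list = field(default_factory=list)  # offsets of the suspicious code points
    visible: str = ""                    # the text as a human reader sees it


def is_invisible(ch: str) -> bool:
    # Unicode general category Cf covers ZWJ (U+200D), ZWNJ, ZWSP, word joiner,
    # BOM and the bidi override controls: all render as nothing.
    return unicodedata.category(ch) == "Cf"


def analyse(comment_id: str, text: str) -> Finding:
    """Count invisible code points and note which ones have no legitimate reason to be there."""
    positions = []
    invisible = 0
    for i, ch in enumerate(text):
        if not is_invisible(ch):
            continue
        invisible += 1
        prev = text[i - 1] if i > 0 else ""
        # A joiner directly after an emoji (category So) is an ordinary ZWJ sequence,
        # e.g. the family emoji; a joiner after a letter or punctuation has no visible purpose.
        if not (prev and unicodedata.category(prev) == "So"):
            positions.append(i)
    visible = "".join(ch for ch in text if not is_invisible(ch))
    return Finding(comment_id, invisible, len(positions), positions, visible)


def flag_comments(comments, threshold: int = 3):
    """Return findings for comments whose unattached invisible characters reach the threshold.

    The threshold is an assumption for this example; tune it against real traffic.
    """
    findings = (analyse(cid, text) for cid, text in comments)
    return [f for f in findings if f.suspicious_count >= threshold]


# Constructed sample comments: one plain, one with a legitimate emoji ZWJ sequence,
# one carrying scattered zero-width joiners that a reader would never notice.
SAMPLE_COMMENTS = [
    ("c1", "love this pic!!!"),
    ("c2", "family goals \U0001F468\u200d\U0001F469\u200d\U0001F467"),
    ("c3", "so\u200d cute\u200d, lov\u200de it\u200d!! \U0001F495\u200d"),
]


if __name__ == "__main__":
    for f in flag_comments(SAMPLE_COMMENTS):
        print(f"{f.comment_id}: {f.suspicious_count} unattached invisible code points "
              f"at {f.positions}; visible text: {f.visible!r}")
```

Only `c3` is flagged: its joiners sit after ordinary letters, whereas the two joiners in `c2` follow emoji and are exactly what a family-emoji sequence needs. The check does not try to decode anything; it only surfaces comments that carry a hidden channel so they can be reviewed or removed.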
So does Turla believe that the “…Baby One More Time” diva is harbouring some compromising US intelligence of nefarious geopolitical interest to hostile foreign powers? Probably not. But the clever exploitation of social media by hackers that this case demonstrates speaks to the increasing difficulty of protecting ourselves against malware.