Russian-Linked Turla Group Unveils TinyTurla-NG Backdoor in Targeted Campaign Against Polish NGOs
In December 2023, a new backdoor named TinyTurla-NG, associated with the Russia-linked threat actor Turla, was discovered in a campaign targeting Polish non-governmental organizations.
Cisco Talos reported that TinyTurla-NG functions as a “last chance” backdoor, similar to its predecessor, TinyTurla. This backdoor, used when other unauthorized access methods fail, was observed in intrusions since at least 2020, primarily targeting the U.S., Germany, and Afghanistan.
Turla, also known by various aliases including Iron Hunter and Venomous Bear, is linked to the Russian Federal Security Service (FSB). Recent activities include targeting the defense sector in Ukraine and Eastern Europe with a new .NET-based backdoor named DeliveryCheck, alongside upgrades to its long-standing second-stage implant, Kazuar.
The campaign utilizing TinyTurla-NG, which ran from December 18, 2023, to January 27, 2024, appeared highly targeted toward specific organizations in Poland. Compromised WordPress sites were used as command-and-control (C2) endpoints, facilitating instructions execution via PowerShell or Command Prompt. The backdoor also deployed PowerShell scripts called TurlaPower-NG to exfiltrate key material from password databases of popular password management software.
The campaign’s compartmentalized nature, with few compromised websites and samples contacting each other, made it difficult to establish relationships between samples and C2 infrastructure, hindering efforts to trace the origins effectively. Despite the focused targeting on Polish organizations, the full extent of the campaign’s reach remains uncertain.
This revelation coincided with reports from Microsoft and OpenAI indicating that Russian nation-state actors are exploring generative AI tools, including large language models like ChatGPT, to understand satellite communication protocols, radar imaging technologies, and seek assistance with scripting tasks. This suggests a broader trend of adversaries leveraging advanced technologies for intelligence gathering and operational purposes.
In summary, the emergence of TinyTurla-NG underscores ongoing threats from state-affiliated actors like Turla, with evolving tactics and tools aimed at specific targets. The sophistication of these actors, combined with their interest in leveraging AI, highlights the need for continued vigilance and cybersecurity measures to counter emerging threats effectively.
