Turla, a Russian state-sponsored hacking gang, was seen targeting the Austrian Economic Chamber, the Baltic Defense College, and a NATO platform in a new reconnaissance effort. Sekoia, a cybersecurity firm, made the revelation after building on prior findings by Google’s TAG, which has been carefully watching Russian hackers this year.
In late March 2022, Google issued a warning regarding coordinated Russian-based threat group activities, and in May, they discovered two Turla domains being employed in continuing efforts. Sekoia followed up on this information and found that Turla had targeted an Austrian federal agency as well as a military institution in the Baltic area.
Turla is a Russian-language cyber-espionage threat organization with extensive links to the Russian Federation’s FSB agency. It has been active since at least 2014, affecting a wide range of organizations in several nations. They’ve already deployed backdoors on Microsoft Exchange servers throughout the world, hijacked the infrastructure of other APTs to conduct espionage in the Middle East, and carried out watering hole operations against Armenian targets. Turla was recently detected deploying many backdoors and remote access trojans against EU governments, embassies, and primary research institutions.
The IPs shared by Google’s TAG, as per Sekoia, connect to the domains “baltdefcol.webredirect[.]org” and “wkoinfo.webredirect[.]org,” which are typosquatting “baltdefcol.org” and “wko.at,” respectively. The primary target, BALTDEFCOL, is a military college in Estonia that is jointly administered by Estonia, Latvia, and Lithuania and serves as a hub for Baltic strategic and operational research.
The institution also hosts seminars attended by high-ranking NATO and European commanders. Therefore, it is of particular importance to Russia given the continuing crisis in Ukraine and tensions along the Russian border. WKO (Wirtschaftskammer Österreich) is the Austrian Federal Economic Chamber, which advises governments on legislation and economic sanctions across the world.
Regarding the sanctions on Russia, Austria has taken a neutral approach. On the other hand, Turla would like to be among the first to know if anything changes in that regard. Sekoia also discovered a third typo-squat domain, “jadlactnato.webredirect[.]org,” which pretends to be the NATO Joint Advanced Distributed Learning platform’s e-learning portal.
The typosquatting domains are hosting a malicious Word document called “War Bulletin 19.00 CET 27.04.docx,” which may be accessed in various directories of these websites. The document references a PNG image (logo.png) hosted on the attacker-controlled domain, and Word fetches that image over HTTP when the document is opened. Sekoia believes the PNG is used for reconnaissance because the Word file has no harmful macros or behavior.
“Thanks to the HTTP request done by the document to its own controlled server, the attacker can get the version and the type of Word application used by the victim – which can be an interesting info to send a tailored exploit for the specific Microsoft Word version,” explains Sekoia’s report. Turla also obtains the victim’s IP address, which will be useful in subsequent rounds of the attack.