European MFA Targeted by Russian Hackers Using New Backdoors for Espionage

Published:

New Backdoors Discovered in European Ministry of Foreign Affairs Linked to Russian Cyberespionage Group

In a recent cybersecurity revelation, researchers have uncovered two new backdoors embedded within the infrastructure of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions. Slovakian cybersecurity firm ESET identified these backdoors, named “LunarWeb” and “LunarMail,” and attributed them to the Turla cyberespionage group, believed to have ties to Russian interests.

Turla, operating since at least 2004 and possibly earlier, is known for targeting high-profile entities such as governments and diplomatic organizations in Europe, Central Asia, and the Middle East. The group has previously breached significant organizations like the US Department of Defense and the Swiss defense company RUAG.

The LunarWeb backdoor infiltrates servers covertly, using HTTP(S) communication while mirroring legitimate traffic patterns to avoid detection. It employs steganography to embed commands within innocuous images, evading detection mechanisms effectively.

On the other hand, LunarMail embeds itself within Outlook workstations, blending in with email communications to spy on victims. It collects information and communicates with a command and control server through the Outlook Messaging API to receive instructions. LunarMail can write files, create processes, take screenshots, and more, all while concealing commands within email attachments using steganography.

The initial access vectors of the Turla hackers are suspected to involve vulnerabilities or spearphishing campaigns. The compromised entities were primarily associated with a European MFA, indicating a strategic intrusion. The researchers noted varying degrees of sophistication in the compromises, suggesting multiple individuals were involved in developing and operating these tools.

Overall, the discovery of these backdoors highlights the ongoing threat posed by state-sponsored cyber actors, with Russian-aligned groups like Turla being a significant concern for cybersecurity experts.

Related articles

Recent articles