Waterbug
Image: Tanguy Sauvin via Unsplash/The Record

Russia’s Turla hackers target Ukraine’s defense with spyware

This article was updated at 3:58 p.m. on July 19.

The Russian hacking group Turla is attacking Ukrainian defense forces with spying malware, according to new research from the country’s computer emergency response team (CERT-UA).

Turla, a cyberespionage group also known by the names Waterbug and Venomous Bear, is closely affiliated with the FSB Russian intelligence agency. The group has been linked to numerous high-profile cyberattacks, including on the German Bundestag and the Ukrainian Parliament in 2014.

In a report published on Wednesday, CERT-UA said it had observed the group targeting Ukrainian defense forces with Capibar and Kazuar spyware.

What makes Capibar special is that it compromises Microsoft Exchange servers using a PowerShell tool to turn a legitimate server into a malware control center. To inject the malware into the victim's system, hackers send emails with malicious attachments. When these attachments are opened, they trigger a PowerShell command.

Under certain circumstances, a “highly advanced and multi-functional backdoor” known as Kazuar is downloaded onto compromised computers. This backdoor is capable of extracting sensitive authentication information, including passwords, bookmarks, cookies, and databases from services like KeePass, Azure, Google Cloud, and Amazon Web Services.

Among the emails that CERT-UA has received for analysis, there are fake utility bills that appear to be sent from Ukrainian energy companies.

The threat actor aims to exfiltrate files containing messages from the popular Signal desktop messaging app, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems, according to Microsoft Threat Intelligence.

CERT-UA did not disclose how effective the use of Turla’s spyware was and how many victims it infected. The agency has been tracking the group since 2022.

Last year, the Google-owned cybersecurity firm Mandiant spotted Turla taking over a cybercriminal botnet to get into its victims' systems. Researchers discovered that a user in Ukraine had inserted a USB drive into their computer, inadvertently infecting it with an outdated banking trojan called Andromeda.

The malware subsequently downloaded and installed two tools Mandiant had previously tied to Turla.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.