You’ll never guess where Russian spies are hiding their control servers
A Russian-speaking hacking group that, for years, has targeted governments around the world is experimenting with a clever new method that uses social media sites to conceal espionage malware once it infects a network of interest.
According to a report published Tuesday by researchers from antivirus provider Eset, a recently discovered backdoor Trojan used comments posted to Britney Spears’s official Instagram account to locate the control server that sends instructions and offloads stolen data to and from infected computers. The innovation—by a so-called advanced persistent threat group known as Turla—makes the malware harder to detect because attacker-controlled servers are never directly referenced in either the malware or in the comment it accesses.
Turla is a Russian-speaking hacking group known for its cutting-edge espionage malware. In mid-2014, researchers from Symantec documented malware dubbed Wipbot that infiltrated the Windows-based systems of embassies and governments of multiple European countries, many of them former Eastern Bloc nations. A few months later, researchers at Kaspersky Lab discovered an extremely stealthy Linux backdoor that was used in the same campaign, a finding that showed it was much broader than previously believed. Turla has also been known to use satellite-based Internet connections to cover its tracks. In March, researchers observed Turla using what was then a zero-day vulnerability in Window to infiltrate European government and military computers.