Russian Hackers Actively Targeting European NGO’s Systems

Turla, a threat actor with ties to Russia, compromised multiple systems of an unidentified European non-governmental organization with the intention of installing a backdoor known as TinyTurla-NG (TTNG).

In a new study released today, Cisco Talos stated that "as part of their preliminary post-compromise actions, the attackers compromised the first system, established persistence, and added exclusions to antivirus products running on these endpoints."

"Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network."

TinyTurla-NG was first documented by the cybersecurity company last month after it was found to be used in connection with a cyber attack targeting a Polish NGO working on improving Polish democracy and supporting Ukraine during the Russian invasion.

Utilizing TinyTurla-NG as a backdoor allows for the execution of custom-built Chisel tunneling software, follow-up reconnaissance, and the exfiltration of files of interest to a command-and-control (C2) server.

"Once the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence," researchers from Talos warned.

Source: The Hacker News