Russian cyber groups spy on European diplomats

Researchers at ESET have discovered two previously unknown malicious tools that were used for cyber espionage against the Ministry of Foreign Affairs of a European country and its diplomatic missions abroad.

Given the similarities between tactics, techniques, and procedures, ESET researchers attribute this activity to the Russian cyber spy group Turla, which primarily targets government and diplomatic organizations in Europe, Central Asia, and the Middle East.

Launching backdoors

The attackers deployed backdoors named LunarWeb and LunarMail in a diplomatic mission. In another attack, LunarWeb was deployed in three diplomatic missions of a European country in the Middle East within minutes of each other. The attackers most likely already had access to the domain controller of the Ministry of Foreign Affairs and used it to spread further to devices of related institutions on the same network.

LunarWeb collects information from the compromised system, such as computer and operating system details, a list of running processes, services, and installed security products. The tool can also perform operations on files and processes and run commands. On its first launch, the LunarMail backdoor harvests the email addresses of recipients from the user's sent email messages. LunarMail can also create new processes and take screenshots.

Stolen credentials helped the Russian attackers spread the threat further across the network.

“We observed varying degrees of sophistication during the infection, such as installing on a compromised server to avoid detection by security programs, contrasted with coding errors and different backdoor coding styles. This suggests that multiple people were likely involved in the development and use of these tools,” said Filip Jurčák, ESET researcher.

LunarWeb, deployed on servers, uses HTTP(S) to communicate with the command server and imitates legitimate requests

What backdoors do

LunarWeb, deployed on servers, uses HTTP(S) to communicate with its command server and imitates legitimate requests to blend in with normal traffic. LunarMail, deployed on workstations, instead uses email messages to communicate with its operators. Both backdoors hide their commands inside image files to evade detection.

The recovered components associated with the installation and the attackers' activity indicate that the initial infection occurred through phishing and the abuse of a misconfigured Zabbix network and application monitoring installation. The attackers also already had access to the network, used stolen credentials to propagate further through it, and took steps to compromise the server without raising suspicion. In another attack, ESET researchers discovered an older malicious Word document, likely delivered by a phishing email.

It is worth noting that the Turla group, also known as Snake, has been active since at least 2004. Turla, believed to be part of Russia’s FSB, is known for its attacks on the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

To prevent such attacks and detect malicious activity in a timely manner, organizations should maintain strong cyber defenses, for example with ESET PROTECT Elite, a comprehensive threat prevention, detection, and response (XDR) solution.
