Talos Intelligence, the threat intelligence and research group of networking vendor Cisco, said on Tuesday (21 September) it had identified a previously undocumented backdoor used against the Afghan government ahead of the pullout of Western forces from the country in late August.
Through forensic analysis, Talos identified a ‘second-chance’ backdoor that it attributes “with moderate confidence” to the Russian hacking group Turla. Besides Afghanistan, Talos found the same malware in the United States and Germany.
The backdoor was installed on infected machines as a fallback, to be used if the main malware was identified and removed. It ran under the name of an existing Windows service, which helped it pass undetected by anti-malware systems. The backdoor allowed the intruder to upload, download or execute files.
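The service-masquerading trick described above suggests a simple hunt: compare svchost-hosted service registrations against a baseline of legitimate service names and flag near-miss names, service DLLs outside System32, and DLLs without a valid Authenticode signature. The Python script below is an added illustration and is not code from Talos or from its report; the baseline list, the service records and the lookalike name in it are all constructed for the example, and it assumes the records have already been exported from the Services registry hive with each DLL's signature status precomputed.

```python
"""Flag svchost-hosted Windows service registrations that look like lookalikes
of legitimate services or load an unexpected DLL.

Added illustrative example. The baseline and the service records are
constructed for this example and are not taken from the Talos report.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumption: in practice this baseline would be exported from a known-good
# reference machine; this short list is constructed for the example.
KNOWN_SERVICES: Set[str] = {
    "W32Time", "Dnscache", "Schedule", "EventLog", "LanmanServer", "BITS",
}


@dataclass(frozen=True)
class ServiceRecord:
    name: str         # key name under HKLM\SYSTEM\CurrentControlSet\Services
    service_dll: str  # value of Parameters\ServiceDll
    signed: bool      # Authenticode signature verified (assumed precomputed)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss service names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, known: Set[str], max_dist: int = 2) -> Optional[str]:
    """Return the legitimate service name that `name` imitates, or None.

    An exact (case-insensitive) match is not a lookalike; a name within
    `max_dist` edits of a baseline name is.
    """
    lower = name.lower()
    best: Optional[Tuple[str, int]] = None
    for k in known:
        if k.lower() == lower:
            return None
        d = edit_distance(lower, k.lower())
        if d <= max_dist and (best is None or d < best[1]):
            best = (k, d)
    return best[0] if best else None


def findings(records: List[ServiceRecord],
             known: Set[str] = KNOWN_SERVICES) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every record worth a closer look."""
    out = []
    for r in records:
        reasons = []
        target = lookalike_of(r.name, known)
        if target:
            reasons.append(f"name resembles legitimate service {target}")
        # svchost-hosted Windows services load their DLLs from System32.
        if not r.service_dll.lower().startswith("c:\\windows\\system32\\"):
            reasons.append("ServiceDll outside System32")
        # A legitimate name with an unsigned DLL is just as suspicious.
        if not r.signed:
            reasons.append("ServiceDll not Authenticode-signed")
        if reasons:
            out.append((r.name, reasons))
    return out


# Constructed sample: two benign entries, one lookalike with an unsigned DLL,
# and one legitimate name whose DLL lives outside System32.
SAMPLE_RECORDS = [
    ServiceRecord("W32Time", r"C:\Windows\System32\w32time.dll", True),
    ServiceRecord("Dnscache", r"C:\Windows\System32\dnsrslvr.dll", True),
    ServiceRecord("W32Tlme", r"C:\Windows\System32\w32tlme.dll", False),
    ServiceRecord("BITS", r"C:\Users\Public\bits.dll", True),
]

if __name__ == "__main__":
    for name, reasons in findings(SAMPLE_RECORDS):
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host the records would come from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll`, with the signature check done separately (for example with `Get-AuthenticodeSignature` in PowerShell) before the export is fed to the script; the edit-distance threshold is deliberately small so that unrelated short names do not collide.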
Turla is a well-known Russia-based group focused on espionage. It is believed to be behind many high-profile operations over the last two decades.
Despite being notorious and closely monitored by the security industry, the group was able to use this backdoor unnoticed for almost two years.
“In this case it was Turla, but it speaks to a larger trend. Regardless of the sophistication level of the attacker, lightweight access is the key to maximizing value. We are seeing these types of lightweight backdoors or remote access trojans being dropped in the hopes of maximizing the value from the compromise,” a Talos spokesperson explained.
“This is an ongoing investigation, and we will share additional details as they come to light,” the spokesperson added.
[Edited by Zoran Radosavljevic and Frédéric Simon]