ESET warning over ISP-level compromises in new Russian Turla campaign
Attackers appear to download legitimate Adobe Flash Player from Adobe and Akamai IP addresses
Russian state cyber spies have perfected a technique of tricking targets into downloading what appears to be completely legitimate copies of insecure Adobe software from the Adobe websites at the same time as planting malware on their PCs.
That's according to a new report by security firm ESET, examining Russia's Turla cyber-espionage group.
"For years, Turla has relied, among other impersonations, on fake Flash installers to compromise victims. This kind of attack vector does not require highly sophisticated exploits but rather depends on tricking the user into installing the fake program.
"In recent months, we have observed a strange, new behaviour, leading to compromise by one of Turla's backdoors. Not only is it packaged with the real Flash installer, but it also appears to be downloaded from adobe.com.
"From the endpoint's perspective, the remote IP address belongs to Akamai, the official content delivery network used by Adobe to distribute their legitimate Flash installer.
"After digging a bit more, we realized that the fake Flash installers, including the MacOS installer for Turla's backdoor 'Snake' — whether or not they were downloaded from adobe.com URLs — were performing a GET request to get.adobe.com URLs to exfiltrate some sensitive information about the newly compromised machine. Again, according to our telemetry, the IP address was a legitimate IP address used by Adobe."
The report examines the techniques used by Turla, which is believed to have operated since at least 2007.
Fake Adobe Flash Player installers - and Adobe-related exploits - are among the organisation's most popular tools for hacking, claim the authors.
When victims, predominantly located in the states of the former Soviet Union (but not Russia), download the files, the installers still connect to legitimate Adobe domains. As a result, the attackers can deliver what looks like official Adobe material with ease, even though it is actually malware.
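The two network artefacts described above, an installer download that appears to come from an adobe.com host and a follow-up GET request to get.adobe.com carrying data about the victim machine, are both visible in an ordinary web-proxy log. The script below is an added example (not ESET's code and not derived from their report) that runs two defender-side heuristics over constructed proxy log lines: it flags an installer fetched over plaintext HTTP from an adobe.com host, which is the only kind of download a gateway or ISP-level interceptor could silently rewrite, and it flags a GET to get.adobe.com whose query string carries a long base64-looking value. The log format, the 48-character threshold and the sample beacon contents are assumptions made for the example.

```python
import base64
import re
from urllib.parse import urlsplit

# Assumed proxy log layout: timestamp client method url status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg")
# Assumption: a query value of 48+ base64 characters is worth an analyst's look
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=]{48,}$")

# Constructed beacon payload, base64-encoded the way a fake installer might
# smuggle host details into a URL. This is sample data, not an observed IoC.
FAKE_BEACON = base64.b64encode(b"host=WKS-0042|user=jdoe|os=Win10|domain=CORP").decode()

# Constructed proxy log lines (sample data, not real telemetry)
SAMPLE_LOG = f"""\
2018-01-09T10:14:02Z 10.0.5.21 GET http://get.adobe.com/flashplayer/ 200 1843
2018-01-09T10:14:05Z 10.0.5.21 GET http://fpdownload.adobe.com/get/flashplayer/pdc/28.0.0.137/install_flash_player.exe 200 20944816
2018-01-09T10:14:09Z 10.0.5.21 GET http://get.adobe.com/flashplayer/download/?installer={FAKE_BEACON} 200 0
2018-01-09T10:20:11Z 10.0.5.33 GET http://get.adobe.com/flashplayer/?loc=en 200 1843
"""


def is_adobe_host(host: str) -> bool:
    """True for adobe.com itself and any subdomain of it."""
    return host == "adobe.com" or host.endswith(".adobe.com")


def decode_hint(value: str):
    """Return the decoded text if the value is base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, base64.binascii.Error):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def raw_query_pairs(query: str):
    """Split a query string without URL-decoding, so '+' inside base64 survives."""
    for pair in query.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            yield key, val


def analyse(log_text: str):
    """Run both heuristics over the log and return a list of findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        rec = m.groupdict()
        url = urlsplit(rec["url"])
        host = (url.hostname or "").lower()

        # Heuristic 1: installer binary fetched over plaintext HTTP from an adobe.com host.
        # An on-path interceptor (gateway, ISP, BGP hijack) can only swap the file if it
        # can read and rewrite the response, which HTTPS would prevent.
        if is_adobe_host(host) and url.scheme == "http" and url.path.lower().endswith(INSTALLER_EXT):
            findings.append({
                "type": "plaintext_installer_download",
                "client": rec["client"],
                "url": rec["url"],
                "note": "verify the file's signature and hash; origin host/IP is not proof of integrity",
            })

        # Heuristic 2: GET to get.adobe.com carrying a long encoded query value,
        # matching the exfiltration pattern described in the report.
        if host == "get.adobe.com" or host.endswith(".get.adobe.com"):
            for key, val in raw_query_pairs(url.query):
                if ENCODED_RE.match(val):
                    findings.append({
                        "type": "possible_exfil_beacon",
                        "client": rec["client"],
                        "param": key,
                        "decoded": decode_hint(val),
                    })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

Neither rule is proof on its own: a plaintext installer download is normal for many update mechanisms, and a long query parameter may be a harmless session token. The point of pairing them is that the report's second artefact (the beacon to get.adobe.com) lets an analyst find the first (the tampered download) for the same client, and then pull the file for hash and signature verification.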
The clues, suggests ESET, point not to a compromise of Adobe or Akamai but to one of four possible scenarios:
- A PC or server on the network of targeted organisations that has been hijacked and used as part of a 'man in the middle' attack;
- A compromised network gateway at the targeted organisation so that incoming and outgoing traffic can be intercepted;
- A compromised internet service provider - a tactic used in FinFisher surveillance campaigns, according to ESET; and,
- A Border Gateway Protocol (BGP) hijack re-routing traffic to a Turla-controlled server.
This last attack vector would almost certainly alert Adobe to the attack, suggests ESET.
Intriguingly (or perhaps worryingly), ESET suggests that an ISP-level compromise is most likely.
"The BGP hijacking and the MitM attack at the ISP level are far more complex than the others. Thus, we believe it is more probable the Turla group has a custom tool installed on local gateways of the impacted organizations, allowing them to intercept and modify the traffic even before it exits the intranet," it concludes.