Talos Intelligence, the commercial threat intelligence team at software vendor Cisco, said Tuesday (Sept. 21) it had identified a previously undocumented back door targeting the Afghan government before Western troops were withdrawn from the country in late August.
Through forensic analysis, Talos identified a “second chance” back door, which it “viewed with moderate confidence” as the work of the Russian hacker group Turla. In addition to Afghanistan, Talos has also identified the same malware in the US and Germany.
The back door was installed on infected computers so that access could be retained if the main malware was identified and removed. The spyware masqueraded as an existing Windows service, which allowed it to pass unnoticed by anti-malware systems. The back door allowed the intruder to upload, download, or run files.
Turla is a well-known Russian collective focused on espionage. It is believed to have been associated with many high-profile operations over the past two decades.
Although notorious and closely monitored by the security industry, the group was able to use this back door unnoticed for almost two years.
“In this case it was Turla, but it suggests a bigger trend. Regardless of the attacker’s complexity, easy access is key to maximizing value. We see these types of light backdoors or remote access Trojans being dropped in hopes of maximizing the value of the compromise,” said a Talos spokesman.
“This is an ongoing investigation and we will provide more details as they come to light,” added the spokesman.
[Edited by Zoran Radosavljevic and Frédéric Simon]