Turla APT group is sending out invites to a real G20 event in Hamburg, targeting politicians, policy makers and other experts for the purposes of espionage.
A Russian hacking group is conducting a cyber espionage campaign against politicians, policy makers and journalists ahead of a G20 task force meeting.
The attackers are attempting to distribute a variant of the KopiLuwak backdoor Trojan to these G20 attendees, for the purposes of reconnaissance and as a staging post for more advanced attacks, say researchers at Proofpoint.
Turla, a well-known advanced persistent threat (APT) group, is believed to be behind the attacks.
Security professionals believe the group is state-sponsored and works to further the aims of the Russian government - although President Vladimir Putin claims the country doesn't hack others, despite accusations of interference in the United States Presidential election.
The group previously abused satellites to cover its tracks and has attempted to distribute malware in the comments section of Britney Spears' Instagram page.
Now the group is attempting to spread the backdoor dropper to its G20 targets using spear-phishing emails containing a 'Save the Date' invitation for a G20 Task Force on the Digital Economy, which is set to take place in October.
The event is real, and the intended targets are individuals and organizations with an interest in the G20's Digital Economy Task Force, including diplomats, economics experts, and even the press.
The potentially stolen lure document used as part of the attack. Image: Proofpoint
Researchers say they're "moderately confident" the invite is legitimate, which may indicate "that an entity with access to the invitation was already compromised" -- meaning the document has been obtained via a separate, but related, hack.
Named Scr.js, the JS dropper puts the backdoor in place and also creates scheduled tasks in order to maintain persistence. The backdoor communicates with what appear to be legitimate, but compromised, servers, which act as command and control for the malware.
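The persistence mechanism described above, a script-based dropper registering scheduled tasks, is something a defender can check for directly. The following PowerShell is an added example written for this article, not code from Proofpoint or from the campaign: it enumerates scheduled tasks whose action launches a Windows script host (wscript.exe, cscript.exe or mshta.exe) or references a .js/.jse file. The list of script hosts and the regular expression are assumptions chosen for illustration, not indicators published for this campaign, and the function needs an elevated session on Windows 8 / Server 2012 or later, where the ScheduledTasks module exists.

```powershell
# Added defensive example (not from the article or Proofpoint): flag scheduled
# tasks whose action runs a script host or points at a JavaScript file, the
# persistence pattern the article attributes to the Scr.js dropper.
# Assumptions: the set of script hosts below and the .js/.jse pattern are
# illustrative heuristics, not published indicators for this campaign.

$scriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe')

function Get-ScriptHostTasks {
    # Get-ScheduledTask returns one object per task; each may carry several actions.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec-style actions carry Execute/Arguments; COM-handler actions do not.
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }

            $exeName        = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()
            $usesScriptHost = $scriptHosts -contains $exeName
            $refsJsFile     = ($exe + ' ' + $arguments) -match '\.jse?\b'

            if ($usesScriptHost -or $refsJsFile) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    RunAs     = $task.Principal.UserId
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $arguments
                }
            }
        }
    }
}

# Review the hits by hand: legitimate software also schedules script hosts,
# so each row is a lead for triage, not a verdict.
Get-ScriptHostTasks | Format-Table -AutoSize
```

Every row this returns should be checked against the task's Author, the file it executes and the user it runs as; a task authored by a standard user that runs a script from a user-writable directory deserves a closer look than a vendor-signed maintenance job. For ongoing monitoring rather than a one-off sweep, the same condition can be applied to Security event 4698 (a scheduled task was created), which is recorded when the "Audit Other Object Access Events" subcategory is enabled.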
The decoy document and its associated malware droppers were discovered by Proofpoint researcher Darien Huss, who discovered them on a public malware repository.
While no attacks using this dropper have so far been spotted in the wild, the campaign is ultimately designed to give attackers access to the PCs of very high-profile targets associated with the G20 task force, with the ability to monitor and steal what could be extremely sensitive information associated with governments and policy bodies.
In addition to exfiltrating data, KopiLuwak is capable of downloading additional payloads and has the ability to execute arbitrary commands. Researchers say that for most Windows operating systems, the potential impact would be high, especially given the nature of those being targeted.
Proofpoint has notified CERT-Bund, the federal computer emergency response team of Germany, about the Turla campaign ahead of next month's Hamburg meeting.