Russian hackers caught using hijacked PDF files to infiltrate G20 task force

Russian-speaking hackers with ties to a notorious cyber-espionage unit known as "Turla" have been sending booby-trapped PDF documents to individuals linked to an upcoming G20 task force meeting in Germany, security researchers revealed this week (17 August).

Hackers are using a sophisticated hacking tool in order to conduct reconnaissance – but experts have warned that the advanced software can also exfiltrate data and download files to an infected machine. The payload in use is known as "KopiLuwak", research suggested.

The malware component is being delivered via a "benign and possibly stolen decoy document" labelled "Save the Date", according to Proofpoint analysis.

It is targeting people linked to a "Digital Economy" task force, currently scheduled to take place on 23-24 October later this year in Hamburg, Germany.

The file appeared in mid-July, suggesting the advanced persistent threat (APT) activity is potentially ongoing.

Turla is "actively targeting participants and/or those with interest in the G20, including member nations, journalists and policymakers", Proofpoint said.

The culprits behind the Turla team remain a mystery – but its use of malware (and preferred targets) have been well-documented for nearly a decade. Kaspersky Lab, a Russian cybersecurity and anti-virus giant, previously branded it one of the most complex cyber threats in the world.

"The attackers use both direct spearphishing and watering hole attacks to infect their victims," Kaspersky Lab wrote in landmark research into the group back in 2014. It is known to target governments, embassies, military departments and pharmaceutical companies.

Proofpoint said the document in circulation was not publicly available, indicating that an entity with access to the invitations may have already been hacked. The Javascript backdoor reportedly communicates with what appears to be two compromised, but legitimate, domains.

"Despite the added capabilities [...] this backdoor is likely used as an initial reconnaissance tool and would probably be used as a staging point to deploy one of Turla's more fully featured implants," wrote Proofpoint researcher Darien Huss in a blog post.

"The high profile of potentially targeted individuals associated with the G20 and early reconnaissance nature of the tools involved bear further watching," he added.

"We also believe this backdoor will continue to be used in the future as suggested by the continued development of the backdoor itself as well as the new delivery mechanisms."

The company said that the relevant authorities in Germany had now been informed.