The cyberespionage group is believed to have been active for the past decade and has launched various campaigns against global targets iStock

A Russian-speaking cyberespionage group known as Turla used a stealthy backdoor malware dubbed Gazer to spy on embassies across the globe. The backdoor has been designed specifically to evade detection.

According to researchers at ESET, the Gazer backdoor malware has already infected numerous computers around the world and has been deployed in attacks against "governments and diplomats since at least 2016." The researchers say that the main targets of the Turla hackers were targets in Southeastern Europe as well as countries in the former Soviet Union.

"In the most recent example of the Gazer backdoor malware found by ESET's research team, clear evidence was seen that someone had modified most of its strings, and inserted phrases related to video games throughout its code. Don't be fooled by the sense of humor that the Turla hacking group are showing here, falling foul of computer criminals is no laughing matter," ESET researchers said in a blog.

Gazer's ability to remain persistently active in infected computers, allows Turla hackers to steal information from victims over a prolonged period of time. ESET researchers also said that they observed first stage backdoors like Skipper, which have previously been used in Turla campaigns, also being used alongside Gazer.

Meanwhile, researchers at Kaspersky Lab spotted a Turla campaign, dubbed WhiteBear, which focused on embassies and consulate operations between February to September 2016. Kaspersky Lab researchers said in a blog that "WhiteBear activity later shifted to include defense-related organizations into June 2017."

According to Kaspersky Lab researchers, the WhiteBear campaign targeted victims in Europe, South Asia, East Asia, Central Asia and South America.

"This intrusion set seems to be a more selective part of any of their diplomatic campaigns. We reported on "Epic Turla" and their large web site compromise/watering hole efforts several years ago, and this is a bit more focused on spearphishing," Kurt Baumgartner, principal security researcher at Kaspersky Lab told IBTimes UK.

"While the WhiteBear package is less technically advanced than some of the rootkit packages we have seen in the past, it is an advanced platform complete with modular design. It is less innovative for the group than their ICEDCOFFEE and Kopiluwak javascript tools, as it is closer to their Carbon, WhiteAtlas, and ComRAT variants. We suspect that they have been using stolen identities to acquire digital certificates for more than just WhiteBear," Baumgartner added.

Earlier in the month, Turla hackers targeted members of the G20 task force. The cyberespionage group is believed to have been active for the past decade and has launched various campaigns against global targets.

Kaspersky Lab researchers say that Turla remains one of the most "most prolific, longstanding, and advanced APT" they have come across. The recent campaigns indicate that the Turla hackers have continued to update their attack tools to go widen the scale of the attacks.


This article has been updated to include the insights and comments of Kaspersky Lab researcher Kurt Baumgartner on the Turla hackers' WhiteBear campaign.