New backdoors on a European government's network appear to be Russian

Date: unknown


Two previously unknown backdoors likely deployed by a Russian state hacking group have been discovered compromising the foreign affairs ministry of a European country. 

Researchers with the Slovak cybersecurity firm ESET published a technical analysis on Wednesday of the backdoors, which they named LunarWeb and LunarMail.  

Because of technical similarities and past activity, they attributed the campaign with medium confidence to Turla, a hacking group believed to be connected to the Russian Federal Security Service (FSB) that has been around for decades. ESET did not specify the affected country. 

Turla mainly targets “high-profile entities such as governments and diplomatic organizations in Europe, Central Asia, and the Middle East.” Last year, the U.S. Justice Department wiped out the code behind a piece of the group’s espionage malware, called “Snake.” 

The ESET researchers initially detected the LunarWeb backdoor deployed at a “diplomatic institution” of the unnamed European ministry. 

“Notably, the attacker also included a second backdoor – which we named LunarMail – that uses a different method for command and control (C&C) communications,” they wrote. “During another attack, we observed simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other.” 

The researchers believe the backdoors have been deployed since at least early 2020. 

Russian hacking activity in Europe has been the source of recent controversy, with Germany recalling its ambassador to Russia last week due to alleged cyberattacks on critical infrastructure and a prominent political party. Also last week, the governments of the United Kingdom and Czechia summoned respective Russian ambassadors over alleged cyber activity and other purported espionage.
