
Cyber Espionage, Turla targets NATO-Europe with typosquatting

Sekoia cybersecurity experts: The pro-Russia APT impersonates the Baltic Defense College, the Austrian Economic Chamber and NATO’s JDAL platform for reconnaissance purposes

Turla has launched a reconnaissance and cyber espionage campaign against the Baltic Defense College, the Austrian Economic Chamber and NATO’s eLearning platform JDAL (Joint Advanced Distributed Learning). The campaign was uncovered by Sekoia cybersecurity experts, who further analyzed Google’s TAG discoveries about Russian APT campaigns in March 2022. According to the researchers, the IPs shared by the TAG lead to the domains “baltdefcol.webredirect[.]org” and “wkoinfo.webredirect[.]org,” which respectively typo-squat “baltdefcol.org” and “wko.at.” Sekoia also noticed a third typo-squat domain, “jadlactnato.webredirect[.]org,” which attempts to pass as the e-learning portal of the NATO JDAL. The typosquatting domains are used to host the malicious Word document “War Bulletin 19.00 CET 27.04.docx”, which contains an embedded PNG (logo.png). The Word file does not contain any malicious macro or behavior, but it reports which Word application and which version the victim is using. It also gives the APT access to the user’s IP address.
