Russia’s Turla group goes trolling with code labeled “TrumpTower”

Kaspersky found that the group also referred to 'Rocket Man,' apparently a reference to Kim Jong Un.

It’s a common practice: Researchers digging through malware find legitimate clues that point to its authors or data that are false flags meant to throw researchers off the right path.

In the case of the Turla hacking group, which is reportedly tied to Russia’s FSB intelligence service, it is unclear why the group decided to name one of its code strings “TrumpTower” or another “RocketMan!” – presumably a reference to U.S. President Donald Trump’s nickname for North Korean dictator Kim Jong Un.

Regardless of whether or not Turla was trolling, it’s clear to researchers from cybersecurity company Kaspersky that the new code was built for an ongoing hacking campaign aimed at a narrow set of unnamed government organizations. To deliver the malicious code to its targets, Turla used legitimate software downloaders, such as tools to evade internet censorship, that were infected with a “dropper” to install the malware.

While not saying where the targeting occurred, Kaspersky researchers on Monday published a set of Turla attack data meant to warn the cybersecurity community about the activity. That included a malware module that was used to deliver a JavaScript trojan long associated with Turla. The hackers are also using several compromised WordPress websites to communicate with their malware, Kaspersky researchers said.


Despite the recognizable names of their code strings, Turla has taken steps to keep its latest activity from being detected, the researchers said. For example, the attackers used the Windows system registry to store encrypted data that the malware could use at a later time.

Turla has been active in the last year and a half, targeting at least 13 organizations across 10 countries, Symantec, another cybersecurity company, said last month.

“[Turla] still follows a high-profile political agenda and now developers have broadened their arsenal of tools and spreading techniques,” a Kaspersky researcher told CyberScoop.

“The campaign was targeted, so there are only a few targets,” the researcher added, declining to disclose details of where the targeting occurred.

Written by Sean Lyngaas
