Cybercrime , Cyberwarfare / Nation-State Attacks , Endpoint Security

Researchers: Spies Exploit Microsoft Exchange Backdoor

Turla Cyber Espionage Group's 5-Year Campaign Hit Three Targets, ESET Warns
Researchers: Spies Exploit Microsoft Exchange Backdoor

(This story has been updated.)

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

A sophisticated nation-state spy network has quietly exploited a backdoor in Microsoft Exchange servers that gave attackers unprecedented access to the emails of at least three targets over five years, security firm ESET warns.

Since at least 2014, Turla, an advanced persistent threat group with suspected ties to the Russian government, has exploited malware called LightNeuron to gain access to Exchange servers, according to the ESET report released Tuesday. This backdoor allowed the spies to read, modify or block any emails passing through the targeted mail servers, ESET says.

The attackers also had the ability to compose new emails and send them under the names of legitimate users, the research shows. The targets of the attack included a ministry of foreign affairs in an Eastern European country, a regional diplomatic organization in the Middle East and an unknown Brazilian organization, ESET says.

The LightNeuron malware takes advantage of the Transport Agent functionality of Microsoft Exchange, which acts as a plug-in system for the Exchange server, Matthieu Faou, a malware researchers at ESET, tells Information Security Media Group. Unlike other APTs that use backdoors to monitor mail servers' activity, the LightNeuron malware is directly integrated into the work flow of Microsoft Exchange, Faou says.

"LightNeuron is very stealthy and uses a previously unseen persistence mechanism - a Transport Agent - making it hard to detect," Faou says. "Turla also deploys LightNeuron only against its most important targets. This malware is not highly prevalent in the wild, so it was able to stay under the radar for a long period of time. To our knowledge, this is the first malware specifically targeting Microsoft Exchange."

A Microsoft spokesperson told ISMG that since this was not a specific vulnerability in Exchange, the company did not have a comment.

A Sophisticated Operation

Turla, which is also known as Snake, has been operating for over a decade. Security researchers have published previous research tying the group and its tools to Russian intelligence.

List of LightNeuron targets (Source: ESET)

Turla, which is known for sophisticated operations and stealth, has previously launched cyberattacks in the United States using malware known as Agent.BTZ. More recently, Turla malware has been used against a Swiss defense firm (see: Swiss Defense Firm Hack Tied to 'Turla' Malware).

Other Turla activities include operators hijacking satellite internet links, according to Kasperky Lab. The group deploys sophisticated tools, including rootkits, other complex backdoors, and malware that helps it to pivot on a network, ESET reports.

The LightNeuron malware requires administrative privileges to be installed within the Exchange server. Once inside, the attackers have full control on the mail server, ESET's Faou says.

The ESET research into three specific attacks shows that the Turla group compromised one or several machines in the same network to gather the credentials to inject the malware. Faou says, however, that researchers could not determine how the initial attacks began.

"We were not able to retrieve the first infection method they used, but we noticed that the compromised organizations had other Turla backdoors, such as ComRAT, in their networks," Faou says. "LightNeuron is used when Turla operators want to stay persistent in a network for a long period of time without being easily noticed."

To stay hidden, Turla used steganographic PDF and JPG attachments to control the LightNeuron malware, the ESET research found. Steganography hides messages or information in plain sight, including within other data or images. It's a method that attackers have refined over the last several years (see: The Rise of Self-Concealing Steganography).

The use of steganography makes the incoming command-and-control emails from the group appear non-threatening, the ESET research shows. All this is designed to steal and monitor email traffic.

"The main goal is to monitor and steal emails for a long period of times - several months," Faou says. "It was also used to execute commands because using emails for command and control is stealthier than using HTTPs that is generally highly monitored by security teams."

By studying other malware used the Turla group used, the ESET researcher discovered the use of LightNeuron. It's possible that other victims have been targeted, but the ESET research only focused on the three unnamed targets mentioned in the new report.

Difficult to Remove

LightNeuron is not only difficult for IT and security teams to detect, but it's also extremely difficult to remove once it has been planted inside the network and the Exchange server, Faou says.

Simply cleaning LightNeuron from a network is not an easy task because removing the malicious files could break the email server. ESET has published a whitepaper on GitHub describing how to check for the malicious software and remove it from the network.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.