Turla, a hacker group linked to Russia's FSB, has been re-registering expired domains to take control of banking trojans other hackers infected computers with via USB drives—according to Mandiant—then sifting the infections to find targets for espionage.

https://www.wired.com/story/russia-turla-fsb-usb-infection/

Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections

The infamous, FSB-connected Turla group took over other hackers' servers, exploiting their USB drive malware for targeted espionage.

WIRED
Turla is infamously clever when it comes to this kind of thing, going as far back as the agent.btz USB worm it infected DoD computers with in 2008. Fifteen years later, as @Johnhultquist says, it's piggybacking on other hackers' USB malware instead, a much stealthier trick.
@agreenberg @[email protected] wonder if that's how they've been blackmailing various elected officials in the United States and elsewhere. As China eyes restoring lost historical lands, all of it becomes more and more desperate for Putin and the FSB.
@agreenberg didn't the NSA do the expired C&C domain registration too?
@martijn_grooten oh yeah? I don’t know that story. This is also a trick sometimes used by defenders to sinkhole botnets though right?

@agreenberg @martijn_grooten Martijn is right:

https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

"Perhaps most costly to the attackers was their failure to renew some of the domains used by these servers. Out of the 300 or so domains used, about 20 were allowed to expire. Kaspersky quickly registered the domains and, over the past ten months, has used them to "sinkhole" the command channels, a process in which researchers monitor incoming connections from Equation Group-infected machines."

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last

"Equation Group" ran the most advanced hacking operation ever uncovered.

Ars Technica
@dangoodin @agreenberg I do recall that the Snowden leaks showed the NSA piggybacked on botnet infrastructure, for easy access and plausible deniability. I'm not 100% sure if it was through registering expired C&C domains though.
NSA secretly hijacked existing malware to spy on N. Korea, others

Snowden docs show NSA tapped into S. Korean exploits of N. Korean networks.

Ars Technica
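The thread's defender-side point, that a lapsed C2 domain can be registered and turned into a sinkhole (the Kaspersky/Equation Group story quoted above), comes down to knowing which domains on an indicator list have actually expired. The script below is an added example and is not code from WIRED, Ars Technica, Kaspersky or Mandiant: it triages a list of domains by registration state using RDAP domain objects (the JSON format registries serve under RFC 9083). The RDAP records and the .example domain names are constructed for the demo, and the clock is pinned so the run is reproducible.

```python
# Added example (not code from the page's sources): triage command-and-control
# domains by registration state from RDAP (RFC 9083) domain objects, so a defender
# can spot the ones that have lapsed and can be registered to sinkhole their beacons.
# The RDAP records below are constructed; the .example domains are hypothetical.
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the run is reproducible; the date is arbitrary.
DEMO_NOW = datetime(2015, 2, 16, tzinfo=timezone.utc)

# Constructed RDAP responses keyed by domain. None stands for an RDAP 404, i.e. the
# name is not registered at all and could be taken by anyone, attacker or defender.
RDAP_RECORDS = {
    "update-check.example": {          # healthy: renewed a year out
        "ldhName": "update-check.example",
        "status": ["client transfer prohibited"],
        "events": [
            {"eventAction": "registration", "eventDate": "2009-03-01T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2016-03-01T00:00:00Z"},
        ],
    },
    "cdn-sync.example": {              # inside the registrar's post-expiry grace period
        "ldhName": "cdn-sync.example",
        "status": ["auto renew period"],
        "events": [{"eventAction": "expiration", "eventDate": "2015-02-01T00:00:00Z"}],
    },
    "stats-relay.example": {           # registry is about to release it
        "ldhName": "stats-relay.example",
        "status": ["pending delete"],
        "events": [{"eventAction": "expiration", "eventDate": "2014-12-20T00:00:00Z"}],
    },
    "metrics-api.example": {           # still live but lapses within the watch window
        "ldhName": "metrics-api.example",
        "status": ["ok"],
        "events": [{"eventAction": "expiration", "eventDate": "2015-03-05T00:00:00Z"}],
    },
    "fw-update.example": None,         # RDAP 404: already dropped, registrable today
}

def rdap_expiry(record: dict) -> Optional[datetime]:
    """Pull the 'expiration' event out of an RDAP domain object as an aware datetime."""
    for ev in record.get("events", []):
        if ev.get("eventAction") == "expiration" and "eventDate" in ev:
            stamp = ev["eventDate"].replace("Z", "+00:00")
            when = datetime.fromisoformat(stamp)
            return when if when.tzinfo else when.replace(tzinfo=timezone.utc)
    return None

def classify(record: Optional[dict], now: datetime, window_days: int = 30) -> str:
    """Map one RDAP record to a registration state relevant to sinkholing."""
    if record is None:
        return "unregistered"          # register it now, before the adversary does
    status = {s.lower() for s in record.get("status", [])}
    if status & {"pending delete", "redemption period"}:
        return "dropping"              # will become registrable; watch the drop
    expiry = rdap_expiry(record)
    if expiry is None:
        return "unknown"
    if expiry <= now:
        return "expired"               # lapsed, but the registrant may still renew
    if expiry - now <= timedelta(days=window_days):
        return "expiring_soon"
    return "active"

def triage(records: dict, now: datetime, window_days: int = 30) -> dict:
    """Classify every domain; returns {domain: state}."""
    return {d: classify(r, now, window_days) for d, r in records.items()}

def registrable(records: dict, now: datetime, window_days: int = 30) -> list:
    """Domains a defender (or a piggybacking attacker) could plausibly acquire soon."""
    wanted = {"unregistered", "dropping", "expired"}
    return sorted(d for d, s in triage(records, now, window_days).items() if s in wanted)

if __name__ == "__main__":
    for domain, state in triage(RDAP_RECORDS, DEMO_NOW).items():
        print(f"{domain:24} {state}")
    print("candidates to register:", registrable(RDAP_RECORDS, DEMO_NOW))
```

In practice `RDAP_RECORDS` would be filled by querying each domain's RDAP server (an HTTP 404 maps to `None`); the classification logic is the same. The "expired" state is deliberately separate from "unregistered": a domain in its registrar grace period still belongs to the original registrant, so it goes on a watch list rather than a buy list.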