Researchers at cybersecurity company Kaspersky Lab published a report this week detailing a Russian hacker group's effort to fingerprint TLS-encrypted web traffic by modifying the Chrome and Firefox web browsers on infected machines.
According to Kaspersky, the group, called "Turla," used malware the researchers call Reductor to patch browsers like Chrome and Firefox and modify their internal components. The goal is to change the way the browsers set up HTTPS connections and "add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers," reads a report from ZDNet. Because the marker is embedded in the handshake the browser itself generates, it survives encryption and can be matched by anyone watching the traffic upstream, without decrypting it.
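What a defender can do with this is look for the marker rather than the malware: a patched browser emits handshakes whose supposedly fresh random bytes carry a repeated per-host pattern. The following is an added example, not code from the original article or from Kaspersky, and it only illustrates the general detection idea. Kaspersky's report places the identifier in the ClientHello's 32-byte client random (the article above only says a per-victim fingerprint is added); the marker bytes, the offset 8-15 where it is planted, the host addresses and the capture are all constructed here for the demonstration. The detector parses each ClientHello, groups the client randoms by source host, and flags a host whose randoms agree at eight or more byte positions, ignoring offsets 0-3 because pre-TLS-1.3 stacks may still put a Unix timestamp there.

```python
import random
import struct
from typing import Dict, Iterable, List, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
RANDOM_LEN = 32


def build_client_hello(client_random: bytes, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test fixture, not a real client)."""
    assert len(client_random) == RANDOM_LEN
    cipher_suites = struct.pack("!HH", 2, 0x1301)        # one suite, length-prefixed
    compression = b"\x01\x00"                           # one method: null
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + cipher_suites + compression)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_client_random(record: bytes) -> bytes:
    """Return the 32-byte client random from a TLS ClientHello record; ValueError otherwise."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + RANDOM_LEN:                      # 2-byte client_version, then random
        raise ValueError("truncated ClientHello")
    return body[2:2 + RANDOM_LEN]


def invariant_positions(randoms: List[bytes]) -> List[int]:
    """Byte offsets whose value is identical in every client random of the list."""
    if len(randoms) < 2:
        return []
    return [i for i in range(RANDOM_LEN) if len({r[i] for r in randoms}) == 1]


def flag_patched_hosts(observations: Iterable[Tuple[str, bytes]],
                       min_samples: int = 5, threshold: int = 8) -> Dict[str, List[int]]:
    """Group ClientHello records by source host and return {host: fixed offsets} for hosts
    whose client randoms agree at >= threshold positions. Offsets 0-3 are skipped because
    older stacks put gmt_unix_time there, which is constant over a short capture window."""
    by_host: Dict[str, List[bytes]] = {}
    for host, record in observations:
        try:
            by_host.setdefault(host, []).append(extract_client_random(record))
        except ValueError:
            continue                                    # not a ClientHello; ignore
    flagged: Dict[str, List[int]] = {}
    for host, randoms in by_host.items():
        if len(randoms) < min_samples:
            continue
        fixed = [i for i in invariant_positions(randoms) if i >= 4]
        if len(fixed) >= threshold:
            flagged[host] = fixed
    return flagged


def make_sample_capture() -> List[Tuple[str, bytes]]:
    """Constructed capture: one healthy host, one host whose browser PRNG was patched so that
    a hypothetical 8-byte marker always lands at offsets 8-15 of the client random."""
    rng = random.Random(1)                              # seeded so the example is reproducible
    marker = bytes.fromhex("4a3f9c1e7b20d5e8")          # hypothetical per-victim identifier
    capture: List[Tuple[str, bytes]] = []
    for _ in range(6):
        capture.append(("10.0.0.5", build_client_hello(rng.randbytes(RANDOM_LEN))))
        r = bytearray(rng.randbytes(RANDOM_LEN))
        r[8:16] = marker
        capture.append(("10.0.0.9", build_client_hello(bytes(r))))
    return capture


if __name__ == "__main__":
    print(flag_patched_hosts(make_sample_capture()))   # {'10.0.0.9': [8, 9, ..., 15]}
```

In a real deployment the records would come from a packet capture or a TLS-aware sensor rather than from the fixture, and the threshold would be tuned against a baseline of the organisation's own browsers. The check is deliberately agnostic about how the identifier is encoded: any scheme that replaces fresh randomness with stable per-host values shows up as byte positions that refuse to vary.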
Kaspersky researchers said they identified targets in Russia and Belarus.
“We registered two initial infection schemes: Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts,” the researchers explained.
ZDNet noted that this isn’t the first time Turla has modified a browser’s internal components.
“A January 2018 report from fellow cyber-security firm ESET revealed that Turla had compromised at least four ISPs before, in Eastern Europe and the former Soviet space, also with the purpose of tainting downloads and adding malware to legitimate files,” ZDNet reported.
“The group has previously installed a backdoored Firefox add-on in victims’ browsers back in 2015, which it used to keep an eye on the user’s web traffic,” the website added. “Patching Chrome and Firefox just to be able to track a victim’s HTTPS traffic while they’ve been kicked off a workstation fits with their previous pattern of highly clever hacks and techniques.”
Turla is believed to operate under the protection of the Russian government.