The Turla hacker group is up to its old tricks, but with an interesting new twist. Now, the group is using Britney Spears' Instagram account to cover its tracks.

The new tactic could make it more difficult for organizations to defend themselves against such attacks and for investigators to collect evidence after the fact.

Watering Hole Attack

The Turla group has been around for years, using a collection of hacking tools that are thought to have been developed by Russian intelligence agencies. The group mostly focuses on attacking governments, government officials, and diplomats, often using a technique known as a "watering hole" attack.

In a watering hole attack, the hacker doesn't attack the primary target directly. Instead, the technique relies on compromising a Web site that the target is likely to visit, similar to the way a lion might stalk a watering hole waiting for its prey to arrive. Turla is primarily interested in staking out embassy Web sites to trap its targets.

Once the intended victim accesses the compromised Web site, the hacker then attempts to redirect the individual to the hacker’s own command and control (C&C) infrastructure.

Turla has been doing this by inserting a snippet of JavaScript code into the watering hole Web site. Now, however, the group is using a technique that masks what the code is doing by making it appear as though the code is part of a legitimate service, such as Clicky, which provides real-time Web analytics.

But instead of accessing the tool mentioned in the code, it redirects the user to a C&C server, which then installs a fingerprinting script on the victim’s machine. A fingerprinting script is used to gather system information and send it back to the attacker’s C&C. It may also install a "super cookie" on the victim's machine to continue gathering information on the user's activities.

Turla Hits Firefox One More Time

The technique is being monitored by ESET, a software security company. ESET said in one of the examples of the watering hole attack that it was monitoring, researchers discovered that Turla appeared to have updated an old Firefox extension it had used previously to attack its victims.

The extension connects to its C&C using a URL. However, the URL for the C&C is not included anywhere in the extension itself. Instead, the extension is designed to look at an Instagram post. In the example reviewed by ESET, the extension visited a post on Britney Spears’ official Instagram account.

Once it accesses the account, it scans through the comments on the post, looking for a specific comment that contains a URL hidden within it. Once the URL is decoded, it takes the extension to a compromised server that Turla is known to use as a C&C.

ESET said the link it investigated has so far only been accessed a few times, leading the company to believe that the current attack is only a test run for something Turla has planned for later.