Russia’s ‘Turla’ Group – A Formidable Cyberespionage Adversary

Despite the increasing instability in Russia, the country’s cyberwarfare and cyberespionage operations continue to grow in size and complexity. One of the most significant cyberespionage actors in Russia’s vast arsenal is a group known as “Turla,” which is now recognized as one of the world’s most dangerous cybersecurity threats due to its sophistication, persistence and adaptability.

Turla–also known as Venomous Bear, WhiteBear, Snake, Uroburos, Group 88, Waterbug, Krypton, Makersmark, Iron Hunter, UNC4210, ATK13 and Pacifier APT–is a Russian state-sponsored advanced persistent threat (APT) group. It has operated since at least 2004, with heightened activity in mid-2015.

This threat actor has targeted a wide range of sectors across more than 50 countries worldwide, including governments, militaries, embassies and commercial organizations in the energy, pharmaceutical and education industries. Turla has demonstrated a high level of adaptability by evolving its tactics and extending its reach to various operating systems, including Windows, macOS, Linux and Android.

Commercial organizations need to understand Turla’s tactics and advanced capabilities, as this group will continue to pose a significant threat to the West.

The Link Between Turla and FSB

The U.S. government attributes Turla to a unit within Center 16 of the Russian Federal Security Service (FSB), which has subunits spread throughout Russia, mirroring the historical signals intelligence operations of the KGB during the Soviet era. FSB Center 16 is responsible for cyber operations, including intercepting, decoding and processing electronic messages, as well as the technical penetration of foreign entities. Officially, it is titled Radio-Electronic Intelligence by Means of Communication or “Military Unit 71330.”

According to U.S. authorities, Turla primarily conducts daily operations from an FSB facility in Ryazan, Russia, with activity peaks aligning with the working hours of the FSB in Ryazan. The unit operates various elements of the Turla toolset, including Snake malware. In addition to developing the malware, these officers also conduct worldwide operations with it, exhibiting different operational characteristics from those launched from Moscow or other FSB sites.

High-Profile Attacks

Turla has been implicated in a number of prominent attacks over the last 15 years. The group first gained notoriety in 2008 when it successfully compromised the U.S. Department of Defense in a wide-ranging breach that lasted 14 months.

In more recent years, Turla has compromised many other high-level targets, including a 2014 breach of RUAG, a Swiss-based government-owned technology company specializing in aviation, space, and defense, and targeted attacks on attendees of the 2017 G20 summit, which included influential politicians, policymakers and journalists.

Turla’s activities escalated further in 2018 when it attacked Germany’s Federal Foreign Office and the Federal College of Public Administration. Turla targeted victims’ email inboxes by exploiting Microsoft Office’s Messaging Application Programming Interface (MAPI).

UK and U.S. intelligence agencies also discovered that Turla was involved in another complex cyberespionage case, in which it hijacked the C2 infrastructure of the Iran-based group known as OilRig, or APT34.

Following the Russian invasion of Ukraine, the group has increased its malicious cyberattack activity against Ukrainian infrastructure. In its recent attacks against Ukraine, Turla employed its malware variant known as ANDROMEDA.

Tactics, Techniques and Procedures (TTPs)

The Turla group deploys various tactics, techniques and procedures (TTPs). Their malware is often complex and designed to avoid detection, indicating high sophistication and resources.

Turla is recognized for its various strategies to compromise networks, including spear phishing and watering hole attacks, zero-day exploits, backdoors and rootkits, and even compromised satellite connections.

The group is known to have made frequent use of Metasploit. The group deploys second-stage malware, e.g., Carbon/Gazer/LightNeuron, to maintain persistence. They also frequently create user accounts for later use if they lose access to a compromised machine. The group is recognized for using distinct command and control (C2) infrastructure. They exfiltrate collected data through channels like HTTP, HTTPS and DNS.
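Of the exfiltration channels named above, DNS is the one most likely to slip past egress controls, because the victim's own recursive resolver forwards the queries on the malware's behalf. The script below is an added example, not code from this article or from Binary Defense, showing one defender-side heuristic for that channel: it parses a DNS query log and reports registered domains that receive repeated queries whose subdomain labels are long and high-entropy, which is the signature of data being encoded into query names. The log format, the workstation names, the thresholds and the domain exfil-test.invalid are all constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (format is invented for this example):
# <timestamp> <client host> query <qtype> <query name>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z ws-07 query A www.example.com
2024-03-01T09:00:02Z ws-07 query TXT q7w3e9r1t5y8u2i4o6p0a3s5d7f9g1h3.k2l4m6n8b1v3c5x7z9j0f2d4s6a8g0h2.exfil-test.invalid
2024-03-01T09:00:03Z ws-07 query TXT m4n8b2v6c0x4z8j2k6l0p4o8i2u6y0t4.r3e7w1q5a9s3d7f1g5h9j3k7l1z5x9c3.exfil-test.invalid
2024-03-01T09:00:04Z ws-03 query A update-v2.telemetry.example.com
2024-03-01T09:00:05Z ws-07 query TXT z1x5c9v3b7n1m5q9w3e7r1t5y9u3i7o1.p2a6s0d4f8g2h6j0k4l8z2x6c0v4b8n2.exfil-test.invalid
this line is malformed and must be skipped
2024-03-01T09:00:06Z ws-12 query TXT h8g4f0d6s2a8p4o0i6u2y8t4r0e6w2q8.n7b3v9c5x1z7m3k9l5j1h7g3f9d5s1a7.exfil-test.invalid
2024-03-01T09:00:07Z ws-03 query A a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4.cdn.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores far higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def split_name(qname):
    """Naively split a query name into (subdomain labels, registered domain).

    Assumes the registered domain is the last two labels; a production tool
    would use the Public Suffix List instead.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def is_suspicious_query(qname, min_subdomain_len=40, min_entropy=3.5):
    """A single query looks like tunnelled data if its subdomain is long and random-looking."""
    subdomain, _ = split_name(qname)
    compact = subdomain.replace(".", "")
    return len(compact) >= min_subdomain_len and shannon_entropy(compact) >= min_entropy


def detect_dns_tunneling(log_text, min_queries=3, min_subdomain_len=40, min_entropy=3.5):
    """Aggregate suspicious queries per registered domain and report repeat offenders.

    The per-domain count keeps a single odd-looking CDN name from raising an alert;
    tunnelling needs many queries to move any meaningful amount of data.
    """
    per_domain = defaultdict(lambda: {"queries": 0, "hosts": set(), "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_suspicious_query(rec["qname"], min_subdomain_len, min_entropy):
            continue
        subdomain, apex = split_name(rec["qname"])
        entry = per_domain[apex]
        entry["queries"] += 1
        entry["hosts"].add(rec["host"])
        entry["bytes"] += len(subdomain.replace(".", ""))  # rough upper bound on encoded payload
    return {
        apex: {"queries": e["queries"], "hosts": sorted(e["hosts"]), "bytes": e["bytes"]}
        for apex, e in per_domain.items()
        if e["queries"] >= min_queries
    }


if __name__ == "__main__":
    for apex, info in detect_dns_tunneling(SAMPLE_LOG).items():
        print(f"{apex}: {info['queries']} suspicious queries from {info['hosts']}, "
              f"~{info['bytes']} encoded characters")
```

On the constructed log, only exfil-test.invalid is reported: the long hex label under cdn.example.net is flagged as an individual query but never reaches the repeat threshold, while the four encoded queries from two workstations do. In practice the thresholds need tuning per environment, and the naive two-label apex split should be replaced with a Public Suffix List lookup so that names under co.uk-style suffixes are grouped correctly.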

The group primarily targets Windows but is also known to target macOS, Linux and Android. According to Google’s Threat Analysis Group (TAG), the group attacked Android for the first time in 2022 when it targeted a Ukrainian military unit. In this attack, Turla created a malicious application spread via hyperlinks shared on third-party messaging platforms.

Over the years, Turla has shown that it prioritizes OpSec above all else. The group will willingly remove itself from victim networks–losing control of machines and cleaning all traces of its activity–to prevent its advanced malware from being publicly exposed.

Turla’s tools are notable for their complexity; they include ComRAT, ANDROMEDA, LightNeuron, Epic Turla, Kazuar, Carbon, Gazer, KopiLuwak, Mosquito, PlayFlash, TinyTurla, Crutch, SilentMoon, Uroburos, Mimikatz, Empire and others.

The group is perpetually innovating, conforming to emerging conditions to maintain its stealth and crafting new malware for further operations.

Snake Operation

One of the most sophisticated tools used by Turla is Snake. On May 9, 2023, the Department of Justice announced the court-authorized disruption of the Snake malware network. Turla has leveraged the Snake malware to steal sensitive documents from hundreds of networks across a minimum of 50 countries for the past 20 years.

The global ensemble of computers compromised by the Snake malware operated as an underground peer-to-peer network, which uses compromised communication protocols engineered to hamper intelligence agencies’ detection, monitoring, and data-gathering efforts.

The FBI successfully neutralized all devices infected by the Snake malware within the U.S.

Outside U.S. borders, the agency is actively collaborating with local authorities, notifying them of Snake infections in their respective jurisdictions and giving guidance on remediation. As the U.S. Justice Department revealed in its legal filings, the FBI, through meticulous analysis of the Snake malware and its network, developed the ability to decrypt and decode Snake communications.

Continued Cybersecurity Threat

Turla has proven to be a potent cybersecurity threat, exhibiting sophistication, persistence and adaptability. Turla’s ability to continuously evolve its tactics and techniques is a crucial element that underscores its potency as a cyberthreat.

While the Snake malware shutdown was a significant victory against Turla’s activities, it’s important to remember that Turla is a well-resourced APT group with many other tools and tactics at its disposal, and the group’s threat hasn’t diminished. Turla has always been able to adapt and use various tools and techniques for its operations.


Nataliia Zdrok

Nataliia Zdrok is a Senior Threat Intelligence Analyst at Binary Defense and is responsible for researching, collecting and analyzing the latest cyberthreats, attack methods and malware used by cyber threat actors worldwide - including criminal organizations, hacktivist groups and state-sponsored hackers. Nataliia was born and raised in Ukraine and speaks fluent Ukrainian and Russian.
