Nation-State Actor

Turla

Russia • Active since 1996

Turla is one of the oldest and most sophisticated Russian hacking teams, operating since the 1990s. They're so advanced they once hijacked satellite internet connections to hide their attacks. They've been known to hack other hacking groups and use their infrastructure. Their main targets are government agencies and embassies.

Overview

Turla is one of the most sophisticated and longest-operating threat groups, attributed to Russia's FSB intelligence service. Known for innovative techniques like hijacking satellite internet and hacking other threat groups' infrastructure, Turla primarily targets government and diplomatic entities for espionage.

Also Known As

Snake, Venomous Bear, KRYPTON, Secret Blizzard, Uroburos

Target Industries

Government, Diplomatic missions, Military, Research institutions, Media, Energy

Target Regions

Europe, Middle East, Central Asia, United States

Tactics, Techniques & Procedures

  • Watering hole attacks
  • Satellite internet hijacking
  • Co-opting other APT infrastructure
  • Living-off-the-land techniques
  • Custom implant development

Known Tools & Malware

Snake/Uroburos, Kazuar, Capibar, Carbon, Mosquito, LightNeuron (Exchange backdoor)

Notable Campaigns

Agent.BTZ (2008)

Penetrated classified US military networks, leading to the creation of US Cyber Command.

Satellite Turla (2015)

Hijacked satellite internet connections to receive data from infected computers.

Snake Infrastructure Takedown (2023)

FBI and partners disrupted Snake malware infrastructure used for 20 years.

MITRE ATT&CK Techniques

T1189, T1505.003, T1027, T1071, T1105

Defense Recommendations

  1. Government entities: assume targeting and hunt for Turla indicators
  2. Monitor for unusual satellite or long-distance network activity
  3. Deploy advanced threat detection for sophisticated implants
  4. Implement network segmentation for sensitive operations
  5. Audit Exchange servers for LightNeuron indicators
