Cyber Threat Actor: Turla
| Actor Type | Location | Known Incidents |
Nation State
|
Russia
|
11 incidents |
|---|
Profile
Turla, also known as Snake, Venomous Bear and Waterbug, is a threat actor that has been publicly linked to Russian state‑sponsored intelligence services, with multiple sources attributing its activity to the FSB, GRU and SVR. The actor’s known aliases reflect its long‑running espionage focus and its observed use of both custom and publicly available tools against governmental, military, diplomatic and related targets across Europe and the Caucasus. Observed targeting includes defense ministries, foreign affairs ministries, embassies, defense contractors, NATO‑related organizations, NGOs, think tanks and journalists, with operations observed in the Baltics, Eastern Europe, Armenia, Artsakh, Switzerland, the Czech Republic, Austria and Ukraine. Public attributions consistently describe the actor’s strategic objective as espionage, emphasizing the collection of sensitive governmental, military and diplomatic information rather than financial gain or disruptive sabotage.
The group’s tactics, techniques and procedures repeatedly feature spear‑phishing and credential‑phishing campaigns, watering‑hole compromises that inject malicious JavaScript to deliver fake Adobe Flash updates, and brute‑force attacks on email infrastructure. Initial access is often achieved through social engineering lures that prompt victims to download malicious installers bundled with legitimate software, as seen in the Armenian watering‑hole operations that used evercookie‑based tracking and iframes to profile visitors before serving the fake update. Once inside a network, Turla employs fileless malware that leverages legitimate Windows components, modular spy tool suites that can dynamically adapt to defenses, and persistent mechanisms such as scheduled tasks. The actor’s toolkit includes the Snake malware family, the Skipper backdoor, the .NET‑based NetFlash downloader and its Python‑based PyFlash payload, as well as the X‑Agent framework used in Czech and Swiss intrusions. Command‑and‑control communication is frequently conducted over HTTP with custom encryption, and the group has demonstrated the ability to replace older tools with newer variants to evade detection.
Notable operations attributed to Turla include a 2022 credential‑phishing campaign that targeted defense and cybersecurity organizations in the Baltics and Eastern Europe alongside APT28 and Coldriver; a 2020 fileless malware intrusion against the Austrian Foreign Ministry that used legitimate Windows processes to deploy a modular spy suite; a 2019 watering‑hole campaign that compromised several Armenian government and diplomatic sites, delivering fake Adobe Flash updates and deploying Skipper, NetFlash and PyFlash for espionage; a 2016 breach of the Swiss defense contractor RUAG that exposed personal data of special forces personnel and federal employees; and a series of 2016 intrusions into the Czech Ministry of Foreign Affairs and Ministry of Defense involving spearphishing, brute‑force attempts and the X‑Agent malware. Earlier, in 2012, the Snake malware was used in a cyber‑espionage effort against the Ukrainian prime minister’s office and multiple European embassies. These incidents collectively illustrate Turla’s persistent focus on gathering intelligence from high‑value governmental and military targets through a blend of social engineering, custom malware and stealthy persistence mechanisms.
