Threat Actor: Turla; aka "IRON HUNTER", "Group 88", "Belugasturgeon", "Waterbug", "WhiteBear", "Snake", "Krypton", "Venomous Bear"
Date of Activity: ~2007-Present
Area of Operations: Global, with a primary focus on European targets.
Turla is a sophisticated espionage group that has been active since at least 2007. It is assessed to be sponsored by the Russian government and connected to the Federal Security Service (FSB). Its primary targets are government agencies and diplomatic organizations in former Soviet states and in NATO member countries in Europe.
Turla combines custom malware with off-the-shelf and open-source tools to infiltrate targets and steal sensitive data: phishing campaigns, custom implants, occasional zero-day exploits, and unconventional command-and-control channels. One of its most notable campaigns, publicly documented in 2015, hijacked satellite internet links for command-and-control: implants were pointed at IP addresses belonging to satellite subscribers, and because the downlink was broadcast unencrypted, the operators could receive the victims' traffic with their own satellite receiver without owning or renting any of the infrastructure involved. This made the C2 endpoints hard to attribute and nearly impossible to take down.
In recent years, Turla has relied on encrypted communication channels, code obfuscation, and layers of proxies (including compromised third-party servers) to avoid detection and to conceal who is behind the activity. As of January 2023, Turla actors have been targeting Ukrainian government and critical infrastructure organizations, and have been "re-gifting" old malware and C2 servers: by re-registering expired command-and-control domains of a decade-old commodity malware family (ANDROMEDA, also known as Gamarue), they reached machines that were still infected by it, profiled the victims, and used that foothold to deploy their own tools. The practical consequence for defenders is that an old, supposedly dead infection by unrelated commodity malware can become a live espionage foothold, so hosts still beaconing to legacy C2 domains should be remediated rather than written off.
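The check that follows from the C2 re-registration pattern above is to treat any host still resolving a legacy commodity-malware C2 domain as an active risk. The script below is an added example, not code from any Turla report or vendor tool; the domain list and the DNS query log lines are constructed for illustration, and in practice the list would come from your own incident history and threat-intelligence feeds. It parses the log, matches query names against the legacy domain list (including subdomains), and summarises per-host beaconing with first/last seen and the median query interval, which is what distinguishes a periodic implant check-in from a one-off lookup.

```python
"""Flag hosts that still resolve legacy (commodity-malware) C2 domains.

Added example. LEGACY_C2_DOMAINS and SAMPLE_DNS_LOG are constructed
placeholders, not real indicators.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical C2 domains from long-closed commodity-malware incidents.
# A domain in this set that has expired can be re-registered by anyone,
# including a second actor who then inherits every host still beaconing.
LEGACY_C2_DOMAINS = {
    "update-checker.example",
    "cdn-static-files.example",
}

# Constructed DNS query log: "<ISO-8601 timestamp> <client ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2023-01-10T08:00:01Z 10.0.4.17 www.example.org A
2023-01-10T08:00:09Z 10.0.4.17 update-checker.example A
2023-01-10T08:15:09Z 10.0.4.17 update-checker.example A
2023-01-10T08:30:10Z 10.0.4.17 update-checker.example A
2023-01-10T09:02:44Z 10.0.7.3 cdn-static-files.example A
2023-01-10T09:05:00Z 10.0.7.3 mail.example.org MX
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, client, qname, qtype) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, client, qname.lower().rstrip("."), qtype


def matches_legacy_c2(qname):
    """True if qname is a legacy C2 domain or any subdomain of one."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in LEGACY_C2_DOMAINS for i in range(len(parts)))


def find_beaconing_hosts(log_text, min_queries=1):
    """Group legacy-C2 lookups by (client, domain) and summarise the cadence."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, client, qname, _qtype = rec
        if matches_legacy_c2(qname):
            hits[(client, qname)].append(when)

    report = []
    for (client, qname), times in sorted(hits.items()):
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({
            "client": client,
            "domain": qname,
            "queries": len(times),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            # upper median of the inter-query gaps; None for a single lookup
            "median_interval_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
        })
    return report


if __name__ == "__main__":
    for entry in find_beaconing_hosts(SAMPLE_DNS_LOG):
        print(entry)
```

Run against real resolver logs, raise `min_queries` to suppress single lookups from curious analysts or scanners, and feed the resulting hosts into incident response as live compromises rather than historical findings.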
Despite efforts by law enforcement agencies and security researchers to disrupt its operations, Turla remains a major threat to government and diplomatic organizations around the world.
Notable Capabilities and Tradecraft:
• Nation-state tool set, including exploits, custom implants, and remote access trojans (RATs)
• Sophisticated social engineering
• Creation of fake organizations and brands to lend operations legitimacy
• Supply-chain interdiction and attacks
• Human-enabled access
• Credential stuffing and re-use of harvested credentials
• Satellite-based and encrypted command-and-control channels, integrated with the group's wider intelligence collection
• Co-opting of third-party internet-facing infrastructure (compromised servers and expired domains) as relays and C2