
Turla

aka: Snake, VENOMOUS Bear, Group 88, Waterbug, WRAITH, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, IRON HUNTER, MAKERSMARK, ATK13, G0010, ITG12, Blue Python

A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much-documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took. Kaspersky Lab, however, picked up a number of the attackers' searches through their victims' emails, which included terms such as Nato and EU energy dialogue. Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantec's Gavin O’Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'


Associated Families

There are currently no families associated with this actor.


References
2022-07-19 | Google | Billy Leonard
@online{leonard:20220719:continued:2a97da1, author = {Billy Leonard}, title = {{Continued cyber activity in Eastern Europe observed by TAG}}, date = {2022-07-19}, organization = {Google}, url = {https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag}, language = {English}, urldate = {2022-08-05} } Continued cyber activity in Eastern Europe observed by TAG
CyberAzov APT28 Callisto Ghostwriter Sandworm Turla
2020-12-02 | ESET Research | Matthieu Faou
@online{faou:20201202:turla:7f8c935, author = {Matthieu Faou}, title = {{Turla Crutch: Keeping the “back door” open}}, date = {2020-12-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/}, language = {English}, urldate = {2020-12-08} } Turla Crutch: Keeping the “back door” open
Crutch Gazer Turla
2020-07-14 | Telsy | Telsy
@online{telsy:20200714:turla:ef6592e, author = {Telsy}, title = {{Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene}}, date = {2020-07-14}, organization = {Telsy}, url = {https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/}, language = {English}, urldate = {2020-07-16} } Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene
NewPass Turla
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:turla:84132fe, author = {Cyber Operations Tracker}, title = {{Turla}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/turla}, language = {English}, urldate = {2019-12-20} } Turla
Turla
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:turla:6c3dec8, author = {MITRE ATT&CK}, title = {{Group description: Turla}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0010/}, language = {English}, urldate = {2019-12-20} } Group description: Turla
Turla
2018-11-22 | nccgroup | Ben Humphrey
@online{humphrey:20181122:turla:de7f30a, author = {Ben Humphrey}, title = {{Turla PNG Dropper is back}}, date = {2018-11-22}, organization = {nccgroup}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/}, language = {English}, urldate = {2019-11-21} } Turla PNG Dropper is back
Uroburos Turla
2018-08-22 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20180822:turla:b3753aa, author = {Ionut Ilascu}, title = {{Turla Outlook Backdoor Uses Clever Tactics for Stealth and Persistence}}, date = {2018-08-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/}, language = {English}, urldate = {2019-12-20} } Turla Outlook Backdoor Uses Clever Tactics for Stealth and Persistence
Turla
2018-05-22 | ESET Research | ESET Research
@online{research:20180522:turla:358ccf7, author = {ESET Research}, title = {{Turla Mosquito: A shift towards more generic tools}}, date = {2018-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/}, language = {English}, urldate = {2019-11-14} } Turla Mosquito: A shift towards more generic tools
Mosquito Turla
2018-01-22 | ZDNet | Danny Palmer
@online{palmer:20180122:this:cce88e0, author = {Danny Palmer}, title = {{This hacking gang just updated the malware it uses against UK targets}}, date = {2018-01-22}, organization = {ZDNet}, url = {https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/}, language = {English}, urldate = {2020-01-13} } This hacking gang just updated the malware it uses against UK targets
Turla
2017-08-30 | Kaspersky Labs | GReAT
@online{great:20170830:introducing:80a9653, author = {GReAT}, title = {{Introducing WhiteBear}}, date = {2017-08-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/introducing-whitebear/81638/}, language = {English}, urldate = {2019-12-20} } Introducing WhiteBear
Gazer Turla White Bear
2017-08-21 | Trend Micro | Trend Micro
@online{micro:20170821:cyberespionage:db82222, author = {Trend Micro}, title = {{Cyberespionage Group Turla Deploys Backdoor Ahead of G20 Task Force Summit}}, date = {2017-08-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit}, language = {English}, urldate = {2019-11-29} } Cyberespionage Group Turla Deploys Backdoor Ahead of G20 Task Force Summit
Turla
2017-08 | ESET Research | Gazing at Gazer, Turla’s new second stage backdoor
@techreport{gazer:201708:gazing:b454362, author = {Gazing at Gazer and Turla’s new second stage backdoor}, title = {{Gazing at Gazer Turla’s new second stage backdoor}}, date = {2017-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf}, language = {English}, urldate = {2020-01-08} } Gazing at Gazer Turla’s new second stage backdoor
Turla
2017-06-07 | engadget | Mallory Locklear
@online{locklear:20170607:russian:65a8aed, author = {Mallory Locklear}, title = {{Russian malware link hid in a comment on Britney Spears' Instagram}}, date = {2017-06-07}, organization = {engadget}, url = {https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/}, language = {English}, urldate = {2020-01-08} } Russian malware link hid in a comment on Britney Spears' Instagram
Turla
2017-05-03 | Palo Alto Networks Unit 42 | Brandon Levene, Robert Falcone, Tyler Halfpop
@online{levene:20170503:kazuar:b869345, author = {Brandon Levene and Robert Falcone and Tyler Halfpop}, title = {{Kazuar: Multiplatform Espionage Backdoor with API Access}}, date = {2017-05-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/}, language = {English}, urldate = {2020-01-09} } Kazuar: Multiplatform Espionage Backdoor with API Access
Turla
2017-04-03 | Kaspersky Labs | Nikolay Pankov
@online{pankov:20170403:moonlight:6ce6041, author = {Nikolay Pankov}, title = {{Moonlight Maze: Lessons from history}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/}, language = {English}, urldate = {2020-01-09} } Moonlight Maze: Lessons from history
Turla
2017-03-30 | ESET Research | ESET Research
@online{research:20170330:carbon:928505a, author = {ESET Research}, title = {{Carbon Paper: Peering into Turla’s second stage backdoor}}, date = {2017-03-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/}, language = {English}, urldate = {2019-11-14} } Carbon Paper: Peering into Turla’s second stage backdoor
Cobra Carbon System Turla
2016-06-30 | Bitdefender | Bitdefender
@techreport{bitdefender:20160630:pacifier:642af11, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-08} } Pacifier APT
Gazer Turla
2016-05-23 | Reporting and Analysis Centre for Information Assurance MELANI | Specialist Staff
@online{staff:20160523:technical:07ea0f3, author = {Specialist Staff}, title = {{Technical Report about the Malware used in the Cyberespionage against RUAG}}, date = {2016-05-23}, organization = {Reporting and Analysis Centre for Information Assurance MELANI}, url = {https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html}, language = {English}, urldate = {2020-01-05} } Technical Report about the Malware used in the Cyberespionage against RUAG
Turla
2016-01-13 | Yie
@online{yie:20160113:russian:1a011c6, author = {Yie}, title = {{Russian group behind 2013 Foreign Ministry hack}}, date = {2016-01-13}, url = {https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548}, language = {English}, urldate = {2019-11-22} } Russian group behind 2013 Foreign Ministry hack
Turla
2015-11 | FireEye | FireEye
@techreport{fireeye:201511:pinpointing:03765ec, author = {FireEye}, title = {{PINPOINTING TARGETS: Exploiting Web Analytics to Ensnare Victims}}, date = {2015-11}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf}, language = {English}, urldate = {2020-01-08} } PINPOINTING TARGETS: Exploiting Web Analytics to Ensnare Victims
witchcoven Turla
2015-09-09 | Kaspersky Labs | Stefan Tanase
@online{tanase:20150909:satellite:b8728d5, author = {Stefan Tanase}, title = {{Satellite Turla: APT Command and Control in the Sky}}, date = {2015-09-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/}, language = {English}, urldate = {2019-12-20} } Satellite Turla: APT Command and Control in the Sky
Satellite Turla Turla
2015-09-09 | Kaspersky Labs | Stefan Tanase
@online{tanase:20150909:satellite:7f8b3ed, author = {Stefan Tanase}, title = {{Satellite Turla: APT Command and Control in the Sky}}, date = {2015-09-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/}, language = {English}, urldate = {2019-12-20} } Satellite Turla: APT Command and Control in the Sky
Turla
2015-02-11 | FIRST Tbilisi | Andrzej Dereszowski
@techreport{dereszowski:20150211:turladevelopment:98e2483, author = {Andrzej Dereszowski}, title = {{Turla-development & operations}}, date = {2015-02-11}, institution = {FIRST Tbilisi}, url = {https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf}, language = {English}, urldate = {2020-01-06} } Turla-development & operations
Turla
2014-12-09 | Threatpost | Michael Mimoso
@online{mimoso:20141209:linux:67f8948, author = {Michael Mimoso}, title = {{Linux Modules Connected to Turla APT Discovered}}, date = {2014-12-09}, organization = {Threatpost}, url = {https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/}, language = {English}, urldate = {2019-11-26} } Linux Modules Connected to Turla APT Discovered
Turla
2014-12-08 | Kaspersky Labs | Kurt Baumgartner, Costin Raiu
@online{baumgartner:20141208:penquin:afd9ae5, author = {Kurt Baumgartner and Costin Raiu}, title = {{The ‘Penquin’ Turla}}, date = {2014-12-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/67962/the-penquin-turla-2/}, language = {English}, urldate = {2019-12-20} } The ‘Penquin’ Turla
Turla
2014-08-07 | Kaspersky Labs | GReAT
@online{great:20140807:epic:ba080b6, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-epic-turla-operation/65545/}, language = {English}, urldate = {2019-12-20} } The Epic Turla Operation
Turla
2014-08-07 | The Guardian | Tom Brewster
@online{brewster:20140807:sophisticated:5f484c8, author = {Tom Brewster}, title = {{Sophisticated 'Turla' hackers spying on European governments, say researchers}}, date = {2014-08-07}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec}, language = {English}, urldate = {2020-01-05} } Sophisticated 'Turla' hackers spying on European governments, say researchers
Turla
2014-08-07 | Kaspersky Labs | GReAT
@online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2021-07-02} } The Epic Turla Operation
Cobra Carbon System Uroburos Wipbot Turla
2014 | circl.lu | CIRCL
@online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos
Cobra Carbon System Uroburos Turla
2010-08-25 | The New York Times | Brian Knowlton
@online{knowlton:20100825:military:dc8aa06, author = {Brian Knowlton}, title = {{Military Computer Attack Confirmed}}, date = {2010-08-25}, organization = {The New York Times}, url = {https://www.nytimes.com/2010/08/26/technology/26cyber.html}, language = {English}, urldate = {2019-11-29} } Military Computer Attack Confirmed
Turla

Credits: MISP Project