Turla threat actor group: An insight into the threat group’s cyber-espionage activities

• Turla is also known as Snake, Venomous Bear, Group 88, Waterbug, WRAITH, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, and Iron Hunter.
• This threat group primarily targets government entities, militaries, and embassies.

Turla threat group is a Russian-based cyber-espionage group that has been active for a decade. Turla is also known as Snake, Venomous Bear, Group 88, Waterbug, WRAITH, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, and Iron Hunter.

This threat group primarily targets the government, militaries, and embassies. Embassies in Europe, Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all victims of Turla cyber attacks.

Turla’s attacks

• In 2008, the threat group launched an attack on the US Central Command.
• In 2012, the office of the prime minister of a former Soviet Union member country was infected by the Turla threat group.
• In 2014, a Swiss technology company, RUAG was breached by the threat group.
• In early 2017, the Russian-linked cyber-espionage group infected diplomatic, scientific, journalistic and recreational websites with malicious code.
• The cyber-espionage group also targeted G20 attendees including politicians, policy makers, and journalists in April 2017.
• Turla threat group is responsible for the cyber attack on Germany’s government computer network in March 2018.
• Germany’s Federal Foreign Office and the Federal College of Public Administration have also been victims of Turla attacks.
• The threat has also targeted several U.S. government agencies, think tanks, and businesses.

Malware and hacking tools

The malware used by the threat group includes Gazer, KopiLuwak JavaScript payload, ICEDCOFFEE, Carbon backdoor, Moonlight Maze, Mosquito backdoor, Mimikatz, Outlook backdoor, and LightNeuron backdoor.

Sharing code with Zebrocy group

Turla threat group was spotted sharing malware code and targets with the Zebrocy threat group. Both groups are known for targeting government research and military organizations, focusing heavily on Central Asia.

Turla attacks rival group infrastructure

In June 2019, researchers reported that the Turla threat group used OilRig aka APT34’s infrastructure in one of its recent attack campaigns.

• In the first campaign, the threat group used a backdoor known as Neptun along with using OilRig’s infrastructure.
• In the second campaign, Turla used Meterpreter, a publicly available backdoor along with two other backdoors.
• In the third campaign, it deployed a custom Remote Procedure Call (RPC) backdoor which used bits of code from a tool known as PowerShellRunner.