APT # 2 – Turla

Turla is a group of computer hackers that has been active since 2007. The group is known for using sophisticated, customized computer programs, also known as “malware,” to break into other organizations’ computers and steal sensitive information.

Turla has targeted a wide range of organizations, including governments, military organizations, academic institutions, technology companies, and even diplomatic institutions. Some of their most notable targets include the German Foreign Office, the European Union’s External Action Service, and the US State Department.

How does Turla operate?

To gain access to these targets, Turla uses a variety of advanced techniques. For example, they often use “spear phishing” emails to trick people into clicking on a link or opening an attachment that contains their malware. Once the malware is installed on a victim’s computer, it can be used to steal sensitive information, such as passwords and other login credentials, and personal documents.

Turla is known for using highly sophisticated and customized malware, which can be difficult to detect and remove. One of their most well-known malware tools is called “Snake” or “Uroburos.” This malware is a highly advanced rootkit that is capable of hiding its presence on an infected system by hooking into the operating system at a low level. Another tool used by Turla is called “Carbon,” which is a backdoor that allows the attacker to remotely control an infected system.

What malware does Turla use?

Snake/Uroburos

This is a highly advanced rootkit that was first discovered in 2014. It is designed to be extremely stealthy and can hide its presence on an infected system by hooking into the operating system at a low level. It is also highly modular, meaning that it can be customized and expanded with additional functionality as needed.

Carbon

This is a backdoor that allows the attacker to remotely control an infected system. It was first discovered in 2016 and has been linked to attacks against a variety of targets, including government agencies and diplomatic institutions. Carbon is typically delivered via spear-phishing emails or through the exploitation of vulnerabilities in software.

Kazuar

This is a remote access trojan (RAT) that was first discovered in 2017. It is used by Turla to gain remote access to infected systems and is controlled via a command-and-control (C2) server. Kazuar is capable of a wide range of malicious activities, including keylogging, screen capturing, and file exfiltration.

HyperStack

This is a modular malware framework that was first discovered in 2018. It is designed to be highly flexible and can be customized with a variety of different modules to perform specific malicious activities. HyperStack is typically delivered via spear-phishing emails or through the exploitation of vulnerabilities in software.

Crutch

This is a modular malware framework that was first discovered in 2019. It is similar to HyperStack in that it is highly modular and can be customized with a variety of different modules. Crutch has been used by Turla to target a variety of organizations, including government agencies and military organizations.

Who has Turla targeted?

Turla has targeted a wide range of organizations and entities, but some of its most notable targets have included:

  1. Government agencies: Turla has targeted a number of government agencies in Europe, the Middle East, and South America. These include the German Foreign Office, the Swiss defense ministry, and the Ministry of Foreign Affairs of a Middle Eastern country.
  2. Diplomatic institutions: Turla has also targeted a number of diplomatic institutions, including the European Union’s External Action Service and the US State Department. In 2016, Turla was linked to cyber espionage against the campaign of French presidential candidate Emmanuel Macron.
  3. Military organizations: Turla has targeted military organizations in Europe and the Middle East. In 2019, the group was linked to an attack on the Ministry of Defense of a European country.
  4. Academic and research institutions: Turla has also targeted academic and research institutions, including universities in the United States, Europe, and South America. In 2018, Turla was linked to an attack on a research institution in Germany.
  5. Technology companies: Turla has targeted technology companies in Europe, Asia, and North America. In 2017, the group was linked to an attack on a satellite communications company based in Europe.

It’s worth noting that Turla’s targets have been diverse, and the group’s activities have not been limited to a particular region or sector. The group has demonstrated a high degree of adaptability and flexibility in its targeting, and it continues to pose a significant threat to organizations around the world.