Turla Spy Group: Turla, one of Russia’s most sophisticated and tenacious cyber spy groups, is again in the spotlight for its attacks on foreign diplomats and embassies, this time carried out through local internet service providers in Moscow.
As per Microsoft Threat Intelligence, Turla under the codename “Secret Blizzard” is conducting ISP-level surveillance activities. The operation is suspected to be under the direct control of Russia’s Federal Security Service (FSB), the post-Soviet successor to the KGB.
FBI Surveillance and Long-Standing Operations
The FBI has been following Turla for years and broke up one of its long-standing malware networks in 2023. American authorities claim the group has been operating for almost twenty years, attacking governments, journalists, and international institutions.
Also known as Waterbug or Venomous Bear, Turla is a state-linked hacking collective believed to be headquartered in Russia. The group has been connected to at least 45 high-profile cyberattacks, including the 2014 German Bundestag attack, 2014 Ukrainian Parliament hacking, and France’s TV5 Monde hacking in 2015. Turla has also reportedly targeted organizations in the Middle East, especially in the energy sector.
Turla’s Tactics: A Cyber Espionage Toolbox
According to Forbes, Turla employs a variety of intrusion tactics, such as:
- Spear-phishing and watering hole assaults
- Living-off-the-land strategies with native system tools
- Satellite-based command-and-control (C2) infrastructure
- Public platforms like Google Drive and Dropbox for data exfiltration
- Easily accessible tools like Metasploit and PowerShell
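Two of the tactics listed above, living off the land with native tools and exfiltration through public cloud storage, leave few malware artifacts but do leave network traces. The following added example (not code from the article, Forbes or Microsoft) shows a simple detection check a defender can run over outbound proxy logs: it parses a constructed log format (timestamp, source host, HTTP method, destination host, bytes sent), totals upload volume per internal host to cloud-storage domains, and flags hosts that exceed a threshold. The log lines, host names, domain list and the 100 MB threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the article). Fields are:
# timestamp, source host, HTTP method, destination host, bytes sent by client.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:12:01Z ws-finance-07 POST www.googleapis.com 52428800
2024-03-01T09:13:44Z ws-finance-07 POST www.googleapis.com 48234496
2024-03-01T09:15:09Z ws-hr-02 GET www.dropbox.com 1024
2024-03-01T09:20:30Z ws-hr-02 POST content.dropboxapi.com 73400320
2024-03-01T09:21:02Z ws-legal-11 POST intranet.example.internal 92160000
2024-03-01T10:05:55Z ws-finance-07 POST www.googleapis.com 61440000
"""

# Assumed domain list for the two services named in the article; a real
# deployment would use a maintained category feed instead.
CLOUD_STORAGE_DOMAINS = (
    "googleapis.com",
    "drive.google.com",
    "dropbox.com",
    "dropboxapi.com",
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_proxy_log(text):
    """Parse the constructed log format into a list of event dicts.

    Lines that do not match the expected shape are skipped rather than
    raising, so a malformed line cannot abort the whole scan.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, dst, sent = m.groups()
        events.append(
            {"ts": ts, "src": src, "method": method, "dst": dst, "bytes": int(sent)}
        )
    return events


def is_cloud_storage(host):
    """True if host is one of the storage domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def upload_totals(events):
    """Sum bytes uploaded (POST/PUT only) per source host to storage domains."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT") and is_cloud_storage(e["dst"]):
            totals[e["src"]] += e["bytes"]
    return dict(totals)


def flag_exfil_candidates(events, threshold_bytes=100 * 1024 * 1024):
    """Return source hosts whose storage uploads meet or exceed the threshold."""
    return sorted(
        src for src, total in upload_totals(events).items() if total >= threshold_bytes
    )


if __name__ == "__main__":
    evts = parse_proxy_log(SAMPLE_PROXY_LOG)
    for host, total in sorted(upload_totals(evts).items()):
        print(f"{host}: {total / (1024 * 1024):.1f} MiB uploaded to cloud storage")
    print("review:", flag_exfil_candidates(evts))
```

Only upload methods are counted, so ordinary browsing of the same services (the GET to dropbox.com) does not contribute, and the internal destination is ignored because it is not a storage domain. A volume threshold alone produces false positives on hosts that legitimately sync large files, so in practice the count would be compared against each host's own baseline rather than a fixed figure.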
The group is particularly known for launching “second-stage” malware payloads that are triggered after the initial infiltration and install a hidden backdoor for sustained access and information theft, Forbes alleged in a previous report.
Next-Generation Threats: KRYPTON Malware and Audio Exfiltration
Turla is particularly hazardous because it employs sophisticated, next-generation tactics. Over the past few years, the gang has been seen using a distinctive malware known as “Turla” or “KRYPTON” to steal information from air-gapped computers that have no internet connection.
The malware also employs “audio exfiltration” to leak information through the computer’s speakers and microphones. The group is highly advanced and can remain stealthy for extended periods of time. “In 2014, for instance, Turla had a presence within a European government agency’s network for more than two years before it was discovered,” the Forbes report noted.