Turla Hacking Group: A Persistent International Threat
As we continue our series of articles on state-sponsored cyberattack groups, we turn our focus to the Russia-affiliated Turla hacking group. In previous articles, we examined some of the biggest threats on the cyberattack scene, including APT10 and APT28 (also known as Fancy Bear). These notorious groups are a lurking presence, and Turla is no exception. Active for over a decade, the Turla hacking group is believed to be operating out of Russia and closely affiliated with the FSB, the Russian intelligence agency and successor to the KGB. It is also known by the names “Waterbug” and “Venomous Bear,” and has been linked to numerous high-profile cyberattacks on government agencies, embassies, and organizations around the world.

Destructive Path

Turla has been linked to 45 high-profile attacks, including the German Bundestag in 2014, the Ukrainian Parliament in 2014, and the French TV5 Monde in 2015. The group also targets organizations in the Middle East, particularly in the energy sector. Turla’s use of sophisticated methods and its focus on government and diplomatic targets has led experts to believe the group is working on behalf of the Russian government, although this has yet to be definitively proven.

Methods of Mayhem

Turla is known for using a variety of tactics to compromise networks, including “living off the land” techniques, watering hole attacks, spear-phishing emails, and hijacked satellite connections. The group also uses publicly available tools such as Metasploit and PowerShell, and abuses legitimate cloud services such as Google Drive and Dropbox as Command and Control (C2) infrastructure. One of Turla’s primary tactics is the use of “second-stage” malware, which is activated after a victim’s initial infection and used to establish a backdoor into the network. From there, the group can steal sensitive information and move laterally within the network to gain access to other systems.

Turla is especially dangerous due to its use of advanced, next-level tactics. In recent years,…

Source…