State-sponsored hacker groups have always been at the forefront of global cyber warfare, be it North Korea's Lazarus, China's APT31 or Russia's Sandworm.
However, one of the most notorious state-sponsored threat actors is Turla. In May 2023, the United States Justice Department announced that it had dismantled one of the longest-running cyber operations of a covert unit within the Russian Federal Security Service (FSB). That unit is Center 16, and Turla is the group that operates on its behalf.
Turla is tracked under several other names, including Venomous Bear, WhiteBear and Group 88. Its flagship implant is the Snake rootkit, also known as Uroburos.
As per Wired, Turla has operated for at least 25 years and is still going strong. Moonlight Maze, the first major state-sponsored hacking campaign against United States government networks, has since been linked to Turla.
Turla, considered an Advanced Persistent Threat (APT) in the cyber world, has a history of attacking, disappearing for a few years, and returning with a bang. The group has been known to target high-profile organisations such as the US Pentagon, as well as government and defence contractor agencies across Europe.
The group's constant refinement of its techniques makes it more dangerous, ranging from worms transferred via USB to satellite-based command and control. The group is also known to piggyback on other hacking groups' infrastructure in its campaigns. Let us look at the various campaigns by the Turla group over the years.
Operation Moonlight Maze
In 1998, federal agents stumbled upon a mysterious group of hackers who had infiltrated the networks of the US defence establishment, including the Navy, the Air Force, NASA, the Department of Energy, the Environmental Protection Agency and several universities, among others.
It is estimated that the stolen data, if printed out, would make a stack of paper three times the height of the Washington Monument.
Researchers who later analysed the Moonlight Maze artefacts found that the hackers relied on a Linux backdoor derived from the Loki2 tool, which the group fine-tuned and was still using in 2016, nearly two decades after Moonlight Maze.
Agent.btz
This operation was conducted in 2008, and the target was the United States Defence Department. The National Security Agency (NSA) discovered the malware on the network of US Central Command, which falls under the DOD. What is interesting is that this network was not connected to the internet.
This means that someone physically inserted a malware-laden USB drive into a DOD computer. The worm then rapidly copied itself from machine to machine and across removable media, spreading through the whole network.
This breach woke the Pentagon from its deep slumber, and the United States revamped the military's cybersecurity infrastructure in an effort called Operation Buckshot Yankee. It also led to the creation of US Cyber Command, an organisation that works hand-in-glove with the NSA.
In 2014, Kaspersky researchers found connections between Agent.btz and Turla's Snake malware, such as identical log file names and encryption keys, further confirming that the USB worm was indeed the work of Turla.
Satellite communication hacking

It is not that Turla was focused solely on the United States; by the mid-2010s, the group had already targeted many countries around the globe. In 2014, researchers discovered a campaign in which Turla used the watering-hole technique, compromising websites its intended victims were likely to visit.
But the real deal came in 2015, when Turla shocked the world by hijacking satellite communications and pilfering victims' data via outer space. Kaspersky researcher Stefan Tanase revealed that Turla would choose the IP address of a genuine satellite internet subscriber and configure a command-and-control server in the same geographic region to listen for traffic addressed to it.
Subsequently, the compromised computers would send their stolen data to this IP address, causing the data to be routed via satellite to the subscriber. The genius of this system lay in the fact that the satellite downlink is a one-way, unencrypted broadcast across the entire region, so an antenna connected to Turla's command-and-control server could intercept the traffic, while the real subscriber simply dropped the unexpected packets. Consequently, those tracking Turla had no way of pinpointing the precise location of the computer receiving the data within the region. And all this was done with an annual budget of less than $1,000.
After this shocking campaign, Turla added new tools to its arsenal in 2018, namely Neuron and Nautilus, which, along with the Snake rootkit, target Windows. In August 2018, Turla was involved in a backdoor campaign aimed at exfiltrating sensitive information from the offices of European governments.
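To make the asymmetry in the satellite hijack concrete, here is an added simulation (not code from the original article or from any Turla tooling) that models the one-way downlink broadcast, a legitimate subscriber with no listening service, and an attacker sniffing for the spoofed address. It then runs a simple flow-level check a defender could apply: flag outbound flows from internal hosts to satellite-ISP address space. The IP block 203.0.113.0/24, the port 10080, and the flow records are constructed for the example and are not real allocations or observed traffic.

```python
"""Simulation of satellite-downlink C2 hijacking plus a flow-level detection.

Constructed example: the ISP block, port numbers and flow records below are
made up for illustration and do not describe real infrastructure.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed block standing in for a satellite ISP's customer range.
SAT_ISP_BLOCK = ipaddress.ip_network("203.0.113.0/24")
SAT_ISP_PREFIXES = [SAT_ISP_BLOCK]  # a defender would curate this list


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Subscriber:
    """Genuine satellite user: only ports it actually listens on accept data."""
    ip: str
    listening_ports: frozenset = frozenset()
    received: list = field(default_factory=list)

    def on_downlink(self, pkt: Packet) -> None:
        # Nothing listens on the hijacked port, so the packet is silently dropped.
        if pkt.dst == self.ip and pkt.dport in self.listening_ports:
            self.received.append(pkt)


@dataclass
class HijackListener:
    """Attacker's dish and C2: sees the whole beam, keeps traffic to the spoofed IP/port."""
    hijacked_ip: str
    port: int
    received: list = field(default_factory=list)

    def on_downlink(self, pkt: Packet) -> None:
        if pkt.dst == self.hijacked_ip and pkt.dport == self.port:
            self.received.append(pkt)


class DownlinkBeam:
    """One-way broadcast: every packet routed into the ISP block reaches every dish in the footprint."""

    def __init__(self, receivers):
        self.receivers = list(receivers)

    def route(self, pkt: Packet) -> None:
        if ipaddress.ip_address(pkt.dst) not in SAT_ISP_BLOCK:
            raise ValueError("destination is not satellite-routed")
        for receiver in self.receivers:
            receiver.on_downlink(pkt)


def run_hijack_simulation() -> dict:
    """Implant sends exfil to a real subscriber's IP; only the sniffer keeps it."""
    subscriber = Subscriber(ip="203.0.113.45")            # constructed address
    attacker = HijackListener(hijacked_ip=subscriber.ip, port=10080)  # assumed port
    beam = DownlinkBeam([subscriber, attacker])
    exfil = Packet(src="10.20.30.40", dst=subscriber.ip, dport=10080,
                   payload=b"constructed document chunk")
    beam.route(exfil)
    return {"subscriber_got": len(subscriber.received),
            "attacker_got": len(attacker.received)}


def flag_satellite_beacons(flow_lines) -> list:
    """Parse 'src dst dport bytes' records and flag flows into satellite-ISP space.

    Legitimate enterprise hosts rarely talk to satellite subscriber ranges, so
    such flows are worth triage regardless of destination port.
    """
    flagged = []
    for line in flow_lines:
        src, dst, dport, nbytes = line.split()
        if any(ipaddress.ip_address(dst) in prefix for prefix in SAT_ISP_PREFIXES):
            flagged.append((src, dst, int(dport), int(nbytes)))
    return flagged


# Constructed flow records: two beacons to the hijacked address, one normal HTTPS flow.
SAMPLE_FLOWS = [
    "10.20.30.40 203.0.113.45 10080 48213",
    "10.20.30.41 198.51.100.7 443 1204",
    "10.20.30.40 203.0.113.45 80 917",
]

if __name__ == "__main__":
    print(run_hijack_simulation())
    for hit in flag_satellite_beacons(SAMPLE_FLOWS):
        print("flagged", hit)
```

The simulation shows why geolocating the receiver is hopeless: the subscriber's IP is the only address in the victim's logs, and anyone with a dish inside the beam's footprint could have been the listener. The detection is deliberately coarse; in practice the prefix list would come from routing data for known satellite providers and the hits would be enriched with process and user context before alerting.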
Hijacking OilRig’s infrastructure
In the world of hacking, it is not uncommon for attackers to employ false flags, using the tools and methods of another hacker group to obfuscate their tracks. In 2019, Turla went a step further and hijacked the infrastructure of OilRig, an Iranian state-backed group.
This allowed Turla to intercept data that the Iranian hackers were pilfering and even to issue its own commands to the victim computers that the Iranians had compromised.
For the campaign, Turla also used a heavily modified version of the Mimikatz credential-theft tool and planted several backdoors of its own.
In 2020, Turla targeted Armenian websites using the watering-hole technique. In May 2020, Turla was found deploying ComRAT v4, a modernised descendant of Agent.btz, to exfiltrate sensitive documents.
Turla ended 2020 by deploying a document stealer named Crutch, which can read and write files and automatically upload them to Dropbox storage using the Wget utility for Windows.

Taking over another threat actor
Moving to 2022, Turla showcased a different variant of its hacker-hijacking manoeuvre, taking control of a cybercriminal botnet to sift through its victims. A Ukrainian user unwittingly infected his computer with the Andromeda malware by plugging in a USB drive. On closer examination, researchers found that this malware had downloaded two tools previously linked to Turla.
Turla had registered expired domains previously used by Andromeda's original cybercriminal operators to control their malware. Because the old infections still called home to those domains, this allowed Turla to take control of them and comb through hundreds of victims to identify targets of interest for espionage.
Turla’s operations disrupted
In May 2023, the FBI disclosed that it had disrupted Turla's network. The FBI said it had leveraged a weakness in the encryption employed by Turla's Snake malware to identify infected computers. Using a specially crafted tool named Perseus, the FBI then instructed the Snake implants to disable themselves.
This was a big setback for Turla, which had been using Snake as early as 2003. Snake's ability to clandestinely relay data between victims across a peer-to-peer network has been a cornerstone of Turla's espionage operations.
That did not deter the group. In July 2023, the Computer Emergency Response Team of Ukraine disclosed that Turla was using the Capibar malware together with the Kazuar backdoor in espionage attacks on Ukraine. Capibar was used for intelligence gathering, while Kazuar was used to steal credentials from military and diplomatic organisations.
In conclusion, the Turla group is one of the deadliest hacker groups operating out of Russia. What sets it apart is the sophistication and persistence of its operations. The group has honed its techniques over 25 years and will likely continue to do so.
| Year | Event |
|---|---|
| 1998 | Operation Moonlight Maze: the US Navy, Air Force, NASA and other agencies were infiltrated and a vast amount of data stolen. The intrusion was later linked to Turla through its use of the Loki2 tool. |
| 2008 | Agent.btz: Turla's USB worm infected the US Defence Department's air-gapped network. The incident prompted Operation Buckshot Yankee and the creation of US Cyber Command. |
| 2015 | Satellite communication hijacking: Turla routed stolen data through satellite downlinks, spoofing legitimate subscribers' IP addresses so the receiving station could not be located. |
| 2018 | Turla added Neuron and Nautilus to its arsenal, alongside Snake, to target Windows systems. It also ran a backdoor campaign against European government offices. |
| 2019 | Hijacking OilRig's infrastructure: Turla took over the Iranian group's infrastructure, intercepting its stolen data and issuing commands to its victims. |
| 2020 | Turla targeted Armenian websites with watering-hole attacks, deployed ComRAT v4 (a descendant of Agent.btz), and used the Crutch document stealer. |
| 2022 | Taking over Andromeda: Turla registered expired Andromeda C2 domains, took control of the leftover infections and sifted through them for espionage targets, including a Ukrainian victim. |
| 2023 | FBI disrupted Turla's operations: the FBI used a tool called Perseus to neutralise the Snake malware network. Turla continued its activities, targeting Ukraine with the Capibar malware and Kazuar backdoor. |