The Underground Historical past of Turla, Russia’s Most Ingenious Hacker Group
Ask Western cybersecurity intelligence analysts who their “favourite” group of overseas state-sponsored hackers is—the adversary they cannot assist however grudgingly admire and obsessively research—and most will not title any of the multitudes of hacking teams engaged on behalf of China or North Korea. Not China’s APT41, with its brazen sprees of provide chain assaults, nor the North Korean Lazarus hackers who pull off huge cryptocurrency heists. Most will not even level to Russia’s infamous Sandworm hacker group, regardless of the army unit’s unprecedented blackout cyberattacks in opposition to energy grids or harmful self-replicating code.
As a substitute, connoisseurs of laptop intrusion have a tendency to call a much more refined workforce of cyberspies that, in numerous kinds, has silently penetrated networks throughout the West for much longer than some other: a bunch generally known as Turla.
Final week, the US Justice Division and the FBI introduced that that they had dismantled an operation by Turla—additionally recognized by names like Venomous Bear and Waterbug—that had contaminated computer systems in additional than 50 nations with a chunk of malware generally known as Snake, which the US businesses described because the “premiere espionage instrument” of Russia’s FSB intelligence company. By infiltrating Turla’s community of hacked machines and sending the malware a command to delete itself, the US authorities dealt a critical setback to Turla’s international spying campaigns.
However in its announcement—and in court docket paperwork filed to hold out the operation—the FBI and DOJ went additional, and formally confirmed for the primary time the reporting from a bunch of German journalists final 12 months which revealed that Turla works for the FSB’s Heart 16 group in Ryazan, exterior Moscow. It additionally hinted at Turla’s unimaginable longevity as a prime cyberspying outfit: An affidavit filed by the FBI states that Turla’s Snake malware had been in use for almost 20 years.
In reality, Turla has arguably been working for at the very least 25 years, says Thomas Rid, a professor of strategic research and cybersecurity historian at Johns Hopkins College. He factors to proof that it was Turla—or at the very least a sort of proto-Turla that might turn into the group we all know at the moment—that carried out the first-ever cyberspying operation by an intelligence company focusing on the US, a multiyear hacking marketing campaign generally known as Moonlight Maze.
Provided that historical past, the group will completely be again, says Rid, even after the FBI’s newest disruption of its toolkit. “Turla is basically the quintessential APT,” says Rid, utilizing the abbreviation for “superior persistent menace,” a time period the cybersecurity trade makes use of for elite state-sponsored hacking teams. “Its tooling could be very subtle, it’s stealthy, and it’s persistent. 1 / 4-century speaks for itself. Actually, it’s adversary primary.”
All through its historical past, Turla has repeatedly disappeared into the shadows for years, solely to reappear inside well-protected networks together with these of the US Pentagon, protection contractors, and European authorities businesses. However much more than its longevity, it is Turla’s continuously evolving technical ingenuity—from USB worms, to satellite-based hacking, to hijacking different hackers’ infrastructure—that is distinguished it over these 25 years, says Juan Andres Guerrero-Saade, a principal menace researcher on the safety agency SentinelOne. “You take a look at Turla, and there are a number of phases the place, oh my god, they did this wonderful factor, they pioneered this different factor, they tried some intelligent approach that nobody had achieved earlier than and scaled it and applied it,” says Guerrero-Saade. “They’re each revolutionary and pragmatic, and it makes them a really particular APT group to trace.”