Description

Turla, tracked by Microsoft as Secret Blizzard, is a Russian state-sponsored advanced persistent threat group attributed to the Federal Security Service (FSB). Active since at least 2004, the group conducts cyber espionage against governments, diplomatic missions, and military organizations worldwide. Turla is known for developing advanced custom tooling and for unusual tradecraft, including hijacking the infrastructure and tools of other threat actors both to reach targets and to complicate attribution.

One of its most widely reported operations came to light in 2015, when Turla was found to be hijacking satellite Internet downlinks for command and control, so that its servers received traffic through someone else's satellite connection and their true location stayed hidden. In 2018, the group targeted European Ministries of Foreign Affairs and diplomatic missions with its custom Lunar malware.

From December 2022 to mid-2024, Turla compromised the command-and-control (C2) servers of the SideCopy and Transparent Tribe threat actors and used that access to reach networks of Afghan government entities, deploying its own custom malware for espionage while also collecting intelligence on the hijacked groups themselves. In a separate campaign, it used the Amadey botnet, normally associated with cybercrime, to deliver its Tavdig backdoor to devices linked to the Ukrainian military.

Aliases

  • BELUGASTURGEON
  • IRON HUNTER
  • Secret Blizzard
  • Venomous Bear

Targeted Industries

  • Government
  • Military
  • Diplomatic
  • Defense

Objectives

  • Intelligence Gathering
  • Espionage
  • Surveillance
  • Disruption and Sabotage

Known Tools Used

  • Lunar
  • Uroburos
  • TwoDash
  • Statuezy
  • TinyTurla
  • KazuarV2
  • Tavdig

Known Infection Vectors

  • Spear Phishing Emails
  • Watering Hole Attacks
  • Exploitation of Vulnerabilities
  • USB Devices
  • Supply Chain Attacks

References

Turla (MITRE)
https://attack.mitre.org/groups/G0010/

Use the 2023 MITRE ATT&CK® Evaluations Results for Turla to Inform EDR Buying Decision
https://www.fortinet.com/content/dam/fortinet/assets/white-papers/pov-mitre-attack-turla-edr-buying-decisions.pdf

Active CVEs