Risk Management

Who is Turla, What Just Happened, and Why Does it Matter for Your Company?

Background 

Last month, the FBI infiltrated and neutralized the notorious Snake malware used heavily by the Turla group. Turla is a hacking group that is part of the Russian domestic intelligence service, which commonly expands its purview into the broader region and adversarial countries as well. Turla is most famous for the 1996-1999 Moonlight Maze operation, attacks on G20 Summit attendees, NATO computer hacks, and many other strategically targeted attacks. Turla is in no way the “new kid on the block”: according to an affidavit by the FBI, its “Snake malware had been in use for nearly 20 years.”

Turla is commonly understood as two separate entities: the group working for the FSB and a separate group focused on cyber espionage. The FSB is a Russian domestic intelligence agency, but it is often credited with operations outside of Russian borders. Snake is arguably the most notorious of Turla's tools, making this FBI takedown all the more important.

What Happened

The malware itself is complex, yet it lacks the bugs that are common in code this complicated. This makes Snake extremely stable and difficult to detect within a system. The malware uses a P2P network that connects infected computers around the world. Within this architecture, each computer serves as a relay node, which helps to hide any operational traffic. Snake has implants that run on Windows, macOS, and Linux operating systems. It is one of the longest-running malware tools in history. The FBI’s court-authorized neutralization of Snake was called Operation Medusa. Operation Medusa used a tool called “Perseus” to turn the malware against itself, which caused it to self-destruct in all infected computers. This malware has been a plague on the world for almost 20 years.

Why Is This Important to Your Company?

Data protection is extremely important to organizations in any sector. Failure to adequately protect yourself against malicious cyber actors can lead to data breaches, increased financial risk, disruptions to business continuity, non-compliance with legal requirements, and reputational damage.

Turla is one of the most prolific malicious actors in the world, and it has held this role for over 20 years. Just because this specific software has been taken out does not mean that Turla is gone for good; the group will likely reappear with a vengeance in the not-too-distant future. Its most common points of attack have been spear phishing campaigns, minting authentication cookies, watering hole attacks, and exploiting software vulnerabilities. Its primary focus has been intelligence gathering and stealing sensitive information. Consortium Networks recommends that companies in Turla’s typical crosshairs use this opportunity to shore up their security postures as Turla regroups.