Who is Turla?

Snake, Venomous Bear, Uroburos, and WhiteBear are among the most common names given to Turla in the information security field. In the early to mid-2000s, this Russian-based organization specializing in espionage APT was active for several years.

Over the years, they developed and improved a massive arsenal of offensive weapons for use against targets in Europe, the United States, Ukraine, and other Arab countries.

Their C2 architecture often uses stolen web servers and hijacked satellite connections. In rare cases, the C2 server is not directly targeted. They hack the system within the targeted network using that network as a proxy. It forwards traffic to the C2 server responsible for the activity.

Many well-known malware programs, such as Crutch or Kazuar, are often associated with Turla. Researchers have recently linked Turla, which is a very advanced threat, to the Turla backdoor, which also appears to be an advanced threat. Some campaigns attributed to Turla cannot be clearly determined to be their own. However, the security industry has kept tabs on various Russian actors and technical evidence, including their operational strategies, tactics, and procedures (TTPs), over the years. It is generally easy to attribute the campaigns and toolkits used by this actor to these additional political interests.