Turla

TURLA (also known as Uroburos, Sanake, and Venomous Bear) is a sophisticated computer malware that is believed to have been developed by a state-sponsored hacking group operating out of Russia. He is suspected of being exploited by the Federal Security Service of the Russian Federation (FSB).
The malware is designed to infiltrate and compromise the computer systems of governments, military organizations, and other high-value targets.
Active since at least 1996, this intrusion set is suspected to have breached many US sensitive networks during a campaign dubbed “Moonlight Maze” from 1996 to 1999.
In 2008 Turla is suspected to have used a USB worm dubbed “Agent.BTZ” to breach the US Department of Defense most sensitive networks.

The power of CTI during malware incident analysis replay with Glimps

Watch the replay

More recently in May 2022, Google’s Threat Analysis Group (TAG) published a report in which it exposes: the espionage campaigns carried out by Turla against institutions based in Eastern Europe and other institutions having played a role in the elaboration of economic sanctions against the Russian Federation.

Based on the data shared in this report, SEKOIA.IO researchers conducted an in-depth investigation of Turla’s infrastructure. You can view the survey by clicking here.
Depending on the goals of the attackers and the capabilities of the infected system, Turla can be used to :

Steal sensitive data from infected systems, such as documents, emails, and other files.
Establish a connection with a remote server, allowing the attackers to remotely control the infected system and issue commands.
Execute a variety of actions on an infected system, such as installing additional malware, modifying system settings, and taking over system functions.
Compromise other systems on the same network as the infected system, in order to spread the malware further and gain access to additional resources.

You can consult other topics available in our glossary below: Nobelium (APT29), APT31, SaaS SIEM, LuckyMouse, Roaming Mantis, Vice Society, Advanced Persistent threat, Cyber Threat Intelligence, XDR, SOAR, SIEM, SOC, EDR, CERT, STIX, IoC.

Others Terms

APT

APT27 (LuckyMouse, EmissaryPanda)

APT29 aka Nobelium, Cozy Bear

Others Terms

Calisto(COLDRIVER)

Calisto is a reputed threat actor close to Russia and also known as COLDRIVER.

Roaming Mantis(Roaming Mantis)

Roaming Mantis (Chinese intrusion set) is assessed to be a financially motivated group, with a history of targeting developed countries.

Échangez avec l’équipe

Vous souhaitez en savoir plus sur nos solutions de protection ?
Vous voulez découvrir nos produits de XDR et de CTI ?
Vous avez un projet de cybersécurité dans votre organisation ?
Prenez rendez-vous et rencontrons-nous !

Contactez-nous

Chat with our team !

Would you like to know more about our solutions ?
Do you want to discover our XDR and CTI products ?
Do you have a cyber security project in your organization ?
Make an appointment and meet us !

Contact us

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_152945562_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
Inbound Converter	2 ans	This script communicates back to TechTarget which accounts, based on reverse IP lookup, have visited this website. The information that is transmitted includes: URL of page landed on, Timestamp of visit, IP Address
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-others	1 year	No description
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.