TURLA (also known as Uroburos, Sanake, and Venomous Bear) is a sophisticated computer malware that is believed to have been developed by a state-sponsored hacking group operating out of Russia. He is suspected of being exploited by the Federal Security Service of the Russian Federation (FSB).
The malware is designed to infiltrate and compromise the computer systems of governments, military organizations, and other high-value targets.
Active since at least 1996, this intrusion set is suspected to have breached many US sensitive networks during a campaign dubbed “Moonlight Maze” from 1996 to 1999.
In 2008 Turla is suspected to have used a USB worm dubbed “Agent.BTZ” to breach the US Department of Defense most sensitive networks.
More recently in May 2022, Google’s Threat Analysis Group (TAG) published a report in which it exposes: the espionage campaigns carried out by Turla against institutions based in Eastern Europe and other institutions having played a role in the elaboration of economic sanctions against the Russian Federation.
Based on the data shared in this report, SEKOIA.IO researchers conducted an in-depth investigation of Turla’s infrastructure. You can view the survey by clicking here.
Depending on the goals of the attackers and the capabilities of the infected system, Turla can be used to :
- Steal sensitive data from infected systems, such as documents, emails, and other files.
- Establish a connection with a remote server, allowing the attackers to remotely control the infected system and issue commands.
- Execute a variety of actions on an infected system, such as installing additional malware, modifying system settings, and taking over system functions.
- Compromise other systems on the same network as the infected system, in order to spread the malware further and gain access to additional resources.
You can consult other topics available in our glossary below: