Ask Western cybersecurity intelligence analysts who their “favorite” group of foreign state-sponsored hackers – the enemy they can’t help but admire and thoughtfully study – and most won’t name any of the hacking groups who work for China or North Korea. Not China’s APT41, with its brazen supply chain attacks, nor the North Korean Lazarus hackers pulling off massive cryptocurrency attacks. Most wouldn’t even point to Russia’s notorious Sandworm hacker group, despite the military unit’s unprecedented blackout cyberattacks against power grids or malicious self-replicating code.
Instead, connoisseurs of computer intrusion tend to name a more insidious group of cyberspies that, in various forms, has quietly infiltrated Western networks longer than any other: a group known as Turla.
Last week, the US Department of Justice and the FBI announced that they had dismantled an operation by Turla—also known by names like Venomous Bear and Waterbug—that had infected computers in more than 50 countries with a piece of malware known as Snake, which the US agencies described as the “primary spy tool” of Russia’s FSB intelligence agency. By infiltrating Turla’s network of hacked machines and sending the malware a command to remove itself, the US government dealt a serious setback to Turla’s worldwide surveillance campaigns.
But in its announcement—and in court documents filed to carry out the operation—the FBI and DOJ went further, officially confirming for the first time reporting from a group of German journalists last year that revealed that Turla worked within the FSB’s Center 16 group in Ryazan, outside Moscow. It also explains Turla’s remarkable longevity as a premier cyberspying outfit: an affidavit filed by the FBI says Turla’s Snake malware has been in use for nearly 20 years.
In fact, Turla has likely been operating for at least 25 years, said Thomas Rid, a professor of strategic studies and cybersecurity historian at Johns Hopkins University. He points to evidence that Turla—or at least a sort of proto-Turla that could be the group we know today—conducted the first-ever cyberspying operation by an intelligence agency targeting the US, a hacking campaign that came to be known as Moonlight Maze.
Because of that history, the group is perfectly able to bounce back, Rid said, even after the FBI’s latest dismantling of its toolkit. “Turla is really the quintessential APT,” Rid said, using the abbreviation for “advanced persistent threat,” a term used in the cybersecurity industry for elite state-sponsored hacking groups. “Its equipment is very sophisticated, it’s stealthy, and it’s ongoing. A quarter-century speaks for itself. In fact, it is enemy number one.”
Throughout its history, Turla has repeatedly disappeared into the shadows, only to reappear within well-protected networks including those of the US Pentagon, defense contractors, and government agencies in Europe. But more than its longevity, it’s Turla’s ever-evolving technical expertise—from USB worms, to satellite-based hacking, to hijacking other hackers’ infrastructure—that has distinguished it over 25 years, said Juan Andres Guerrero-Saade, a principal threat researcher at the security firm SentinelOne. “You look at Turla, and there are so many phases where, oh my god, they’re doing this amazing thing, they’re pioneering this other thing, they’re trying a clever technique that’s never been done before and scaling it and implementing it,” said Guerrero-Saade. “They are both innovative and pragmatic, and this makes them a very special APT group to track.”